From d5d13fa831d044f1f7c172a2a6d571ce22faf188 Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Tue, 24 Dec 2019 18:50:49 +0000
Subject: [PATCH] Add logic to rename insecure CONFIG_PATH
---
 lib/Configuration.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/Configuration.php b/lib/Configuration.php
index f9e2111..533cb17 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -104,11 +104,21 @@ class Configuration
 $config = array();
 $basePath = PATH . 'cfg' . DIRECTORY_SEPARATOR;
 $configIni = $basePath . 'conf.ini';
+ $configFile = $basePath . 'conf.php';
 if (getenv('CONFIG_PATH') !== false) {
 $configFile = getenv('CONFIG_PATH');
- } else {
- $configFile = $basePath . 'conf.php';
+ // Rename INI files to avoid configuration leakage
+ if (
+ strtolower(substr($configFile, -3, 3)) == 'ini' &&
+ is_readable($configFile) &&
+ is_writable(dirname($configFile))
+ ) {
+ $oldConfigFile = $configFile;
+ $configFile = substr($configFile, 0, -3) . 'php';
+ DataStore::prependRename($oldConfigFile, $configFile, ';');
+ }
 }
 // rename INI files to avoid configuration leakage
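Review bot: Once the rename has succeeded, `CONFIG_PATH` still names the `.ini` file, so on every later request `is_readable($configFile)` is false, the new branch is skipped and `$configFile` stays on a path that no longer exists; the loading code is outside this hunk, but the renamed `.php` file would apparently never be picked up through `CONFIG_PATH` again. The test `strtolower(substr($configFile, -3, 3)) == 'ini'` also matches any path that merely ends in "ini" (a file named `mini`, say), and `$configFile` is switched to the `.php` path whether or not `DataStore::prependRename()` succeeded. When the directory is not writable the INI file is silently left in place, so the leak this commit targets remains and nothing tells the operator. I would derive the `.php` path from the real extension, attempt the rename only when it is possible, and switch to the `.php` file only if it is readable afterwards, as below. The enclosing method starts and ends outside the hunk.

```php
            $configFile = getenv('CONFIG_PATH');

            // Rename INI files to avoid configuration leakage
            if (strtolower(pathinfo($configFile, PATHINFO_EXTENSION)) === 'ini') {
                $phpConfigFile = substr($configFile, 0, -3) . 'php';
                if (is_readable($configFile) && is_writable(dirname($configFile))) {
                    DataStore::prependRename($configFile, $phpConfigFile, ';');
                }
                // CONFIG_PATH keeps naming the .ini after a rename, so follow the
                // .php file whenever it exists; otherwise keep the path as given.
                if (is_readable($phpConfigFile)) {
                    $configFile = $phpConfigFile;
                }
            }
```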