The path used for writing to TelegramException.log is a security risk

[dstotijn]

The TelegramException class writes a log file TelegramException.log in the current path of the executing PHP script, because file_put_contents is called with just a filename. This can be a security risk when a public facing web server is in place, where the log file could be in the document root and can be accessed.

[noplanman]

You're absolutely right, thanks for pointing this out!

An easy fix would be to restrict access to the file using .htaccess or within the nginx configuration.

Other option would be to offer the option to choose the destination of the TelegramException.log file. This would require the user to set the destination and actually make sure that it can't be accessed.

#88 Might need to be implemented after all.

Also, we'll need to add a simple .htaccess / nginx config snippet to the readme, so that users can protect themselves.

[ivanbaldo]

Maybe this could be closed now?
Commit b1184d8 deals with this.

[MBoretto]

yes thanks!