Flip the security level in the header to compare the vulnerable and fixed code paths.
<?php
// LOW: the file path is used as-is -> path traversal / LFI-read (open_basedir confines it to the
// webroot, so system files are blocked, but any app source can be read -> source disclosure).
$f = isset($_GET['file']) ? $_GET['file'] : 'assets/shipping.txt';
$content = @file_get_contents($f);
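
For comparison with the LOW path above, one way a hardened read can look. This is an added example, not the application's own fixed code: `ASSETS_DIR` and `resolve_asset()` are hypothetical names, and it assumes the `file` parameter is a name relative to an `assets` directory next to the script and that only `.txt` files are served.

```php
<?php
// Added example (not the application's code). ASSETS_DIR and resolve_asset()
// are hypothetical; the parameter is assumed to be relative to ./assets.
const ASSETS_DIR = __DIR__ . '/assets';

/**
 * Map a user-supplied name to a regular .txt file inside $baseDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_asset(string $name, string $baseDir): ?string
{
    // Refuse empty names, NUL bytes and stream wrappers (php://, file://, ...).
    if ($name === '' || strpos($name, "\0") !== false || strpos($name, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ segments and resolves symlinks, so the check
    // below runs on the path that would really be opened.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment: compare against the base plus a trailing separator so a
    // sibling such as "assets-old" does not pass as "assets".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Extension allow-list: application source (.php) is never returned.
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'txt') {
        return null;
    }
    return $path;
}

// Arrays (?file[]=x) are rejected by the is_string() check.
$f = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : 'shipping.txt';
$path = resolve_asset($f, ASSETS_DIR);
if ($path === null) {
    http_response_code(400);
    $content = 'Invalid file.';
} else {
    $content = file_get_contents($path); // no @: read errors stay visible in logs
}
```

Unlike `open_basedir`, which only confines reads to the webroot, the canonical-path and extension checks also keep the application's own source out of reach.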