Prevent duplicate configuration file includes

[amulet1]

Also: simplify the code.

This is a proper fix for #20.

Note, with this PR merged we no longer need guards like horde/kronolith#17 or horde/imp@b05084b.

[amulet1]

@TDannhauer Please merge.

[amulet1]

@TDannhauer Not sure if you missed this PR.

[amulet1]

Just in case, here's a (AI generated) summary of the key changes between these two versions:

Security and Reliability Improvements

1. Path Traversal Protection

The new version adds realpath() normalization and duplicate checking to prevent malicious configuration files from being loaded multiple times or via path traversal attacks. The $checked array tracks already-processed files using their canonical paths.

2. File Existence Validation

The original version only checked is_file() for the vendor directory path, but unconditionally added other paths to $flist. The new version removes the separate is_file() check for the vendor path and consistently validates all files in the main loop, creating more uniform handling.

3. Safer Array Access

Changed !empty($conf['vhosts']) to ($conf['vhosts'] ?? false) using the null coalescing operator, which is more defensive against undefined array keys.

Code Structure Refactoring

4. Loop Simplification

Replaced the complex for loop with counter tracking ($k and $end) with a cleaner while (($v = array_shift($flist))) approach. This makes the vhost configuration logic easier to follow.

5. Vhost Logic Improvement

The vhost file loading now uses a boolean flag ($vhosts) instead of counting iterations, making the intent clearer and the logic more maintainable.

6. Code Formatting

Added consistent blank lines between property declarations and improved readability throughout the constructor.

---

The most critical change is the security enhancement that prevents potential exploits through path manipulation and duplicate file inclusion.