-
-
Notifications
You must be signed in to change notification settings - Fork 777
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update ext.php to serve any file from extensions
Add an extension->getFileUrl() method to facilitate url generation
- Loading branch information
1 parent
0316bad
commit f9b0377
Showing
2 changed files
with
42 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,38 +1,39 @@ | ||
<?php | ||
if (!isset($_GET['e'])) { | ||
header('HTTP/1.1 400 Bad Request'); | ||
die(); | ||
} | ||
$extension = substr($_GET['e'], 0, 64); | ||
if (!ctype_alpha($extension)) { | ||
if (!isset($_GET['f']) || | ||
!isset($_GET['t'])) { | ||
header('HTTP/1.1 400 Bad Request'); | ||
die(); | ||
} | ||
|
||
require('../constants.php'); | ||
$filename = FRESHRSS_PATH . '/extensions/' . $extension . '/'; | ||
|
||
if (isset($_GET['j'])) { | ||
header('Content-Type: application/javascript; charset=UTF-8'); | ||
header('Content-Disposition: inline; filename="script.js"'); | ||
$filename .= 'script.js'; | ||
} elseif (isset($_GET['c'])) { | ||
$file_name = urldecode($_GET['f']); | ||
$file_type = $_GET['t']; | ||
|
||
$absolute_filename = EXTENSIONS_PATH . '/' . $file_name; | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong. |
||
|
||
switch ($file_type) { | ||
case 'css': | ||
header('Content-Type: text/css; charset=UTF-8'); | ||
header('Content-Disposition: inline; filename="style.css"'); | ||
$filename .= 'style.css'; | ||
} else { | ||
header('Content-Disposition: inline; filename="' . $file_name . '"'); | ||
break; | ||
case 'js': | ||
header('Content-Type: application/javascript; charset=UTF-8'); | ||
header('Content-Disposition: inline; filename="' . $file_name . '"'); | ||
break; | ||
default: | ||
header('HTTP/1.1 400 Bad Request'); | ||
die(); | ||
} | ||
|
||
$mtime = @filemtime($filename); | ||
if ($mtime == false) { | ||
$mtime = @filemtime($absolute_filename); | ||
if ($mtime === false) { | ||
header('HTTP/1.1 404 Not Found'); | ||
die(); | ||
} | ||
|
||
require(LIB_PATH . '/http-conditional.php'); | ||
|
||
if (!httpConditional($mtime, 604800, 2)) { | ||
readfile($filename); | ||
readfile($absolute_filename); | ||
} |
1 comment
on commit f9b0377
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Big security hole here. This gives remote access to any file PHP can read.
$file_name
should not be passed in parameter, or if it is really necessary, it should be sanitised very strictly.