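<?php
// index-ajax.php: unauthenticated front-controller that includes ONE PHP file
// chosen by the "q" request parameter, restricted to the directories listed in
// $allowed_dirs. There is no login check anywhere in this file: every *.php
// under an allowed directory is reachable by anyone who can hit this URL.
//
// Add items to this array corresponding to which directories within assets/snippets/ can be used by this file.
// Do not add entries unnecessarily.
// Any PHP files in these directories can be executed by any user.
// Entries are relative to the site root (MODX_BASE_PATH) and must end with a
// trailing slash, otherwise the prefix test below would also accept a sibling
// directory that merely starts with the same characters (e.g. "ajaxSearchOld").
$allowed_dirs = array('assets/snippets/ajaxSearch/');
// Expected to define MGR_DIR (used below) — presumably generated by the manager; verify if it ever goes missing.
include_once(dirname(__FILE__)."/assets/cache/siteManager.php");
// harden it
require_once('./'.MGR_DIR.'/includes/protect.inc.php');
// initialize the variables prior to grabbing the config file
$database_type = "";
$database_server = "";
$database_user = "";
$database_password = "";
$dbase = "";
$table_prefix = "";
$base_url = "";
$base_path = "";
// get the required includes (config.inc.php is what provides MODX_BASE_PATH)
if($database_user=='') {
    if (!$rt = @include_once MGR_DIR."/includes/config.inc.php") {
        exit('Could not load MODx configuration file!');
    }
}

// Pick up the handler name from GET or POST without triggering undefined-index
// notices when "q" is absent.
$axhandler = '';
if (isset($_SERVER['REQUEST_METHOD']) && strtoupper($_SERVER['REQUEST_METHOD']) == 'GET') {
    if (isset($_GET['q'])) {
        $axhandler = $_GET['q'];
    }
} elseif (isset($_POST['q'])) {
    $axhandler = $_POST['q'];
}

// Only a non-empty scalar string is acceptable. An array value (q[]=...) would
// make preg_replace() return an array and turn the path below into "Array".
if (is_string($axhandler) && $axhandler !== '') {
    // Strip everything outside a conservative character set. Note this does NOT
    // remove ".." or "/", so traversal is still possible at this point; it is
    // resolved by realpath() and then rejected by the containment check below.
    $axhandler = preg_replace('/[^A-Za-z0-9_\-\.\/]/', '', $axhandler);

    // Canonicalise: follows symlinks and collapses "." / ".."; realpath() returns
    // false for a nonexistent path, in which case we stop without output.
    $axhandler = realpath(MODX_BASE_PATH.$axhandler) or die();
    $axhandler = str_replace('\\', '/', $axhandler);

    // Normalise the site root the same way (forward slashes, exactly one
    // trailing slash) so both sides of the comparison agree on separators.
    $base_dir = rtrim(str_replace('\\', '/', MODX_BASE_PATH), '/').'/';

    // Containment check: the RESOLVED path must live under the site root.
    // Previously the code blindly chopped strlen(MODX_BASE_PATH) bytes off the
    // front of the resolved path. For a path that escaped the root via ".." and
    // whose leading directory happens to be the same length as the root (e.g.
    // a sibling "/var/www/htm1/" next to "/var/www/html/"), the leftover string
    // could still start with an allowed_dirs entry and pass the prefix test.
    if (substr($axhandler, 0, strlen($base_dir)) !== $base_dir) {
        die();
    }
    $axhandler_rel = substr($axhandler, strlen($base_dir)); // relative to site root

    // Only *.php targets (case-insensitive on the extension) are ever included.
    if ($axhandler_rel !== '' && strtolower(substr($axhandler_rel, -4)) == '.php') {
        // permission check: the relative path must begin with one of the
        // whitelisted directories. Strict comparison avoids PHP's numeric-string
        // coercion on "==".
        $allowed = false;
        foreach ($allowed_dirs as $allowed_dir) {
            if (substr($axhandler_rel, 0, strlen($allowed_dir)) === $allowed_dir) {
                $allowed = true;
                break;
            }
        }
        if ($allowed) {
            include_once($axhandler);
        }
    }
}
// No closing "?>": this is a PHP-only file, and omitting the tag prevents stray
// trailing whitespace from being sent to the client before the handler's output.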