
Commit a40b766

committed
show http 403 forbidden error if the type parameter is not js or css
1 parent 8c0a3eb commit a40b766


2 files changed

+142
-154
lines changed


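--- a/oc-content/themes/modern/combine.php
+++ b/oc-content/themes/modern/combine.php
@@ -24,120 +24,114 @@
 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
 
-
-$cache = true;
+$cache = true;
 $cachedir = '../../uploads';
-$base = dirname(__FILE__);
+$base = dirname(__FILE__);
 
-$type = $_GET['type'];
+$type = $_GET['type'];
 $elements = explode(',', $_GET['files']);
-
+
 // Determine last modification date of the files
 $lastmodified = 0;
-while (list(,$element) = each($elements)) {
-$path = realpath($base . '/' . $element);
-
-if (($type == 'js' && substr($path, -3) != '.js') ||
-($type == 'css' && substr($path, -4) != '.css')) {
-header ("HTTP/1.0 403 Forbidden");
-exit;
+while( list(,$element) = each($elements) ) {
+$path = realpath($base . '/' . $element) ;
+
+if( ($type != 'js' && $type != 'css') ||
+($type == 'js' && substr($path, -3) != '.js') ||
+($type == 'css' && substr($path, -4) != '.css') ) {
+header ("HTTP/1.0 403 Forbidden") ;
+exit ;
 }
-
+
 if (substr($path, 0, strlen($base)) != $base || !file_exists($path)) {
 header ("HTTP/1.0 404 Not Found");
 exit;
 }
-
+
 $lastmodified = max($lastmodified, filemtime($path));
 }
 
 // Send Etag hash
 $hash = $lastmodified . '-' . md5($_GET['files']);
 header ("Etag: \"" . $hash . "\"");
-
-if (isset($_SERVER['HTTP_IF_NONE_MATCH']) &&
-stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) == '"' . $hash . '"')
-{
+
+if( isset($_SERVER['HTTP_IF_NONE_MATCH']) &&
+stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) == '"' . $hash . '"' ) {
 // Return visit and no modifications, so do not send anything
-header ("HTTP/1.0 304 Not Modified");
-header ('Content-Length: 0');
-}
-else
-{
+header ("HTTP/1.0 304 Not Modified") ;
+header ('Content-Length: 0') ;
+} else {
 // First time visit or files were modified
-if ($cache)
-{
+if( $cache ) {
 // Determine supported compression method
-$gzip = strstr($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip');
-$deflate = strstr($_SERVER['HTTP_ACCEPT_ENCODING'], 'deflate');
-
+$gzip = strstr($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') ;
+$deflate = strstr($_SERVER['HTTP_ACCEPT_ENCODING'], 'deflate') ;
+
 // Determine used compression method
-$encoding = $gzip ? 'gzip' : ($deflate ? 'deflate' : 'none');
-
+$encoding = $gzip ? 'gzip' : ($deflate ? 'deflate' : 'none') ;
+
 // Check for buggy versions of Internet Explorer
-if (!strstr($_SERVER['HTTP_USER_AGENT'], 'Opera') &&
-preg_match('/^Mozilla\/4\.0 \(compatible; MSIE ([0-9]\.[0-9])/i', $_SERVER['HTTP_USER_AGENT'], $matches)) {
-$version = floatval($matches[1]);
-
-if ($version < 6)
+if( !strstr($_SERVER['HTTP_USER_AGENT'], 'Opera') &&
+preg_match('/^Mozilla\/4\.0 \(compatible; MSIE ([0-9]\.[0-9])/i', $_SERVER['HTTP_USER_AGENT'], $matches) ) {
+$version = floatval($matches[1]) ;
+
+if( $version < 6 ) {
 $encoding = 'none';
-
-if ($version == 6 && !strstr($_SERVER['HTTP_USER_AGENT'], 'EV1'))
+}
+if( $version == 6 && !strstr($_SERVER['HTTP_USER_AGENT'], 'EV1') ) {
 $encoding = 'none';
+}
 }
-
+
 // Try the cache first to see if the combined files were already generated
-$cachefile = 'cache-' . $hash . '.' . $type . ($encoding != 'none' ? '.' . $encoding : '');
-
-if (file_exists($cachedir . '/' . $cachefile)) {
-if ($fp = fopen($cachedir . '/' . $cachefile, 'rb')) {
+$cachefile = 'cache-' . $hash . '.' . $type . ($encoding != 'none' ? '.' . $encoding : '') ;
 
-if ($encoding != 'none') {
-header ("Content-Encoding: " . $encoding);
+if( file_exists($cachedir . '/' . $cachefile) ) {
+if( $fp = fopen($cachedir . '/' . $cachefile, 'rb') ) {
+if( $encoding != 'none' ) {
+header ("Content-Encoding: " . $encoding) ;
 }
-
-header ("Content-Type: text/" . $type);
-header ("Content-Length: " . filesize($cachedir . '/' . $cachefile));
-
-fpassthru($fp);
-fclose($fp);
-exit;
+
+header( "Content-Type: text/" . $type) ;
+header( "Content-Length: " . filesize($cachedir . '/' . $cachefile) ) ;
+
+fpassthru($fp) ;
+fclose($fp) ;
+exit ;
 }
 }
 }
-
+
 // Get contents of the files
-$contents = '';
-reset($elements);
-while (list(,$element) = each($elements)) {
-$path = realpath($base . '/' . $element);
-$contents .= "\n\n" . file_get_contents($path);
+$contents = '' ;
+reset($elements) ;
+while( list(,$element) = each($elements) ) {
+$path = realpath($base . '/' . $element) ;
+$contents .= "\n\n" . file_get_contents($path) ;
 }
-
+
 // Send Content-Type
-header ("Content-Type: text/" . $type);
-
-if (isset($encoding) && $encoding != 'none')
-{
+header ("Content-Type: text/" . $type) ;
+
+if (isset($encoding) && $encoding != 'none') {
 // Send compressed contents
-$contents = gzencode($contents, 9, $gzip ? FORCE_GZIP : FORCE_DEFLATE);
-header ("Content-Encoding: " . $encoding);
-header ('Content-Length: ' . strlen($contents));
-echo $contents;
-}
-else
-{
+$contents = gzencode($contents, 9, $gzip ? FORCE_GZIP : FORCE_DEFLATE) ;
+header( "Content-Encoding: " . $encoding ) ;
+header( 'Content-Length: ' . strlen($contents) ) ;
+echo $contents ;
+} else {
 // Send regular contents
-header ('Content-Length: ' . strlen($contents));
-echo $contents;
+header( 'Content-Length: ' . strlen($contents) ) ;
+echo $contents ;
 }
 
 // Store cache
-if ($cache) {
-if ($fp = fopen($cachedir . '/' . $cachefile, 'wb')) {
-fwrite($fp, $contents);
-fclose($fp);
+if( $cache ) {
+if( $fp = fopen($cachedir . '/' . $cachefile, 'wb') ) {
+fwrite($fp, $contents) ;
+fclose($fp) ;
 }
 }
-}
-
+}
+
+?>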
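Review bot: The directory guard that the new 403 whitelist still hands off to, `if (substr($path, 0, strlen($base)) != $base || !file_exists($path))` at new line 46, is a bare string-prefix comparison with no trailing separator, so a sibling directory whose name merely begins with the theme directory name (for example `modern-old/`) resolves inside the accepted prefix, and `file_exists` also accepts directories. The added `.js`/`.css` suffix tests narrow what such a path can be but do not close that gap. I would anchor the prefix on the separator and require a regular file: `if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {`. That line is unchanged by this commit, so it may belong in a follow-up rather than here.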

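--- a/oc-includes/osclass/gui/combine.php
+++ b/oc-includes/osclass/gui/combine.php
@@ -24,120 +24,114 @@
 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
 
-
-$cache = true;
+$cache = true;
 $cachedir = '../../uploads';
-$base = dirname(__FILE__);
+$base = dirname(__FILE__);
 
-$type = $_GET['type'];
+$type = $_GET['type'];
 $elements = explode(',', $_GET['files']);
-
+
 // Determine last modification date of the files
 $lastmodified = 0;
-while (list(,$element) = each($elements)) {
-$path = realpath($base . '/' . $element);
-
-if (($type == 'js' && substr($path, -3) != '.js') ||
-($type == 'css' && substr($path, -4) != '.css')) {
-header ("HTTP/1.0 403 Forbidden");
-exit;
+while( list(,$element) = each($elements) ) {
+$path = realpath($base . '/' . $element) ;
+
+if( ($type != 'js' && $type != 'css') ||
+($type == 'js' && substr($path, -3) != '.js') ||
+($type == 'css' && substr($path, -4) != '.css') ) {
+header ("HTTP/1.0 403 Forbidden") ;
+exit ;
 }
-
+
 if (substr($path, 0, strlen($base)) != $base || !file_exists($path)) {
 header ("HTTP/1.0 404 Not Found");
 exit;
 }
-
+
 $lastmodified = max($lastmodified, filemtime($path));
 }
 
 // Send Etag hash
 $hash = $lastmodified . '-' . md5($_GET['files']);
 header ("Etag: \"" . $hash . "\"");
-
-if (isset($_SERVER['HTTP_IF_NONE_MATCH']) &&
-stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) == '"' . $hash . '"')
-{
+
+if( isset($_SERVER['HTTP_IF_NONE_MATCH']) &&
+stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) == '"' . $hash . '"' ) {
 // Return visit and no modifications, so do not send anything
-header ("HTTP/1.0 304 Not Modified");
-header ('Content-Length: 0');
-}
-else
-{
+header ("HTTP/1.0 304 Not Modified") ;
+header ('Content-Length: 0') ;
+} else {
 // First time visit or files were modified
-if ($cache)
-{
+if( $cache ) {
 // Determine supported compression method
-$gzip = strstr($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip');
-$deflate = strstr($_SERVER['HTTP_ACCEPT_ENCODING'], 'deflate');
-
+$gzip = strstr($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') ;
+$deflate = strstr($_SERVER['HTTP_ACCEPT_ENCODING'], 'deflate') ;
+
 // Determine used compression method
-$encoding = $gzip ? 'gzip' : ($deflate ? 'deflate' : 'none');
-
+$encoding = $gzip ? 'gzip' : ($deflate ? 'deflate' : 'none') ;
+
 // Check for buggy versions of Internet Explorer
-if (!strstr($_SERVER['HTTP_USER_AGENT'], 'Opera') &&
-preg_match('/^Mozilla\/4\.0 \(compatible; MSIE ([0-9]\.[0-9])/i', $_SERVER['HTTP_USER_AGENT'], $matches)) {
-$version = floatval($matches[1]);
-
-if ($version < 6)
+if( !strstr($_SERVER['HTTP_USER_AGENT'], 'Opera') &&
+preg_match('/^Mozilla\/4\.0 \(compatible; MSIE ([0-9]\.[0-9])/i', $_SERVER['HTTP_USER_AGENT'], $matches) ) {
+$version = floatval($matches[1]) ;
+
+if( $version < 6 ) {
 $encoding = 'none';
-
-if ($version == 6 && !strstr($_SERVER['HTTP_USER_AGENT'], 'EV1'))
+}
+if( $version == 6 && !strstr($_SERVER['HTTP_USER_AGENT'], 'EV1') ) {
 $encoding = 'none';
+}
 }
-
+
 // Try the cache first to see if the combined files were already generated
-$cachefile = 'cache-' . $hash . '.' . $type . ($encoding != 'none' ? '.' . $encoding : '');
-
-if (file_exists($cachedir . '/' . $cachefile)) {
-if ($fp = fopen($cachedir . '/' . $cachefile, 'rb')) {
+$cachefile = 'cache-' . $hash . '.' . $type . ($encoding != 'none' ? '.' . $encoding : '') ;
 
-if ($encoding != 'none') {
-header ("Content-Encoding: " . $encoding);
+if( file_exists($cachedir . '/' . $cachefile) ) {
+if( $fp = fopen($cachedir . '/' . $cachefile, 'rb') ) {
+if( $encoding != 'none' ) {
+header ("Content-Encoding: " . $encoding) ;
 }
-
-header ("Content-Type: text/" . $type);
-header ("Content-Length: " . filesize($cachedir . '/' . $cachefile));
-
-fpassthru($fp);
-fclose($fp);
-exit;
+
+header( "Content-Type: text/" . $type) ;
+header( "Content-Length: " . filesize($cachedir . '/' . $cachefile) ) ;
+
+fpassthru($fp) ;
+fclose($fp) ;
+exit ;
 }
 }
 }
-
+
 // Get contents of the files
-$contents = '';
-reset($elements);
-while (list(,$element) = each($elements)) {
-$path = realpath($base . '/' . $element);
-$contents .= "\n\n" . file_get_contents($path);
+$contents = '' ;
+reset($elements) ;
+while( list(,$element) = each($elements) ) {
+$path = realpath($base . '/' . $element) ;
+$contents .= "\n\n" . file_get_contents($path) ;
 }
-
+
 // Send Content-Type
-header ("Content-Type: text/" . $type);
-
-if (isset($encoding) && $encoding != 'none')
-{
+header ("Content-Type: text/" . $type) ;
+
+if (isset($encoding) && $encoding != 'none') {
 // Send compressed contents
-$contents = gzencode($contents, 9, $gzip ? FORCE_GZIP : FORCE_DEFLATE);
-header ("Content-Encoding: " . $encoding);
-header ('Content-Length: ' . strlen($contents));
-echo $contents;
-}
-else
-{
+$contents = gzencode($contents, 9, $gzip ? FORCE_GZIP : FORCE_DEFLATE) ;
+header( "Content-Encoding: " . $encoding ) ;
+header( 'Content-Length: ' . strlen($contents) ) ;
+echo $contents ;
+} else {
 // Send regular contents
-header ('Content-Length: ' . strlen($contents));
-echo $contents;
+header( 'Content-Length: ' . strlen($contents) ) ;
+echo $contents ;
 }
 
 // Store cache
-if ($cache) {
-if ($fp = fopen($cachedir . '/' . $cachefile, 'wb')) {
-fwrite($fp, $contents);
-fclose($fp);
+if( $cache ) {
+if( $fp = fopen($cachedir . '/' . $cachefile, 'wb') ) {
+fwrite($fp, $contents) ;
+fclose($fp) ;
 }
 }
-}
-
+}
+
+?>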
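Review bot: The `$type` whitelist added at new line 39 sits inside the per-file loop, so it only runs because `explode` always yields at least one element; it reads more clearly, and fails earlier, as one check right after the assignment at new line 31, e.g. `$type = isset($_GET['type']) ? $_GET['type'] : ''; if ($type !== 'js' && $type !== 'css') { header("HTTP/1.0 403 Forbidden"); exit; }`, which also avoids the undefined-index notice when the parameter is absent. Restricting `$type` to those two values is what stops attacker-controlled text from reaching the `"Content-Type: text/" . $type` headers at new lines 95 and 114 and the cache file name at new line 87, and that is worth saying in the commit message. Separately, `text/js` is not a registered media type; `text/javascript` (or `application/javascript`) would be the conventional value for the js branch, though that predates this commit.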
