Domů Procházet Nápověda
Přihlásit se
LBP
/
FressRSS
zrcadlo https://github.com/FreshRSS/FreshRSS.git
4
0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Strom: 1.26.0
Větve Značky
FressRSS
/
p
/
ext.php

ext.php 3.4 KB
Trvalý odkaz Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. <?php
    2. 

  2. declare(strict_types=1);
    3. 

  3. require(__DIR__ . '/../constants.php');
    4. 

  4. 

  5. // Supported types with their associated content type
    6. 

  6. const SUPPORTED_TYPES = [
    7. 

  7. 	'css' => 'text/css; charset=UTF-8',
    8. 

  8. 	'js' => 'application/javascript; charset=UTF-8',
    9. 

  9. 	'png' => 'image/png',
    10. 

  10. 	'jpeg' => 'image/jpeg',
    11. 

  11. 	'jpg' => 'image/jpeg',
    12. 

  12. 	'gif' => 'image/gif',
    13. 

  13. 	'svg' => 'image/svg+xml',
    14. 

  14. ];
    15. 

  15. 

  16. function get_absolute_filename(string $file_name): string {
    17. 

  17. 	$core_extension = realpath(CORE_EXTENSIONS_PATH . '/' . $file_name);
    18. 

  18. 	if (false !== $core_extension) {
    19. 

  19. 		return $core_extension;
    20. 

  20. 	}
    21. 

  21. 

  22. 	$extension = realpath(EXTENSIONS_PATH . '/' . $file_name);
    23. 

  23. 	if (false !== $extension) {
    24. 

  24. 		return $extension;
    25. 

  25. 	}
    26. 

  26. 

  27. 	$third_party_extension = realpath(THIRDPARTY_EXTENSIONS_PATH . '/' . $file_name);
    28. 

  28. 	if (false !== $third_party_extension) {
    29. 

  29. 		return $third_party_extension;
    30. 

  30. 	}
    31. 

  31. 

  32. 	$user = realpath(USERS_PATH . '/' . $file_name);
    33. 

  33. 	if (false !== $user) {
    34. 

  34. 		return $user;
    35. 

  35. 	}
    36. 

  36. 

  37. 	return '';
    38. 

  38. }
    39. 

  39. 

  40. function is_valid_path_extension(string $path, string $extensionPath, bool $isStatic = true): bool {
    41. 

  41. 	// It must be under the extension path.
    42. 

  42. 	$real_ext_path = realpath($extensionPath);
    43. 

  43. 	if ($real_ext_path == false) {
    44. 

  44. 		return false;
    45. 

  45. 	}
    46. 

  46. 

  47. 	//Windows compatibility
    48. 

  48. 	$real_ext_path = str_replace('\\', '/', $real_ext_path);
    49. 

  49. 	$path = str_replace('\\', '/', $path);
    50. 

  50. 

  51. 	$in_ext_path = (str_starts_with($path, $real_ext_path));
    52. 

  52. 	if (!$in_ext_path) {
    53. 

  53. 		return false;
    54. 

  54. 	}
    55. 

  55. 

  56. 	// User files do not need further validations
    57. 

  57. 	if (!$isStatic) {
    58. 

  58. 		return true;
    59. 

  59. 	}
    60. 

  60. 

  61. 	// Static files to serve must be under a `ext_dir/static/` directory.
    62. 

  62. 	$path_relative_to_ext = substr($path, strlen($real_ext_path) + 1);
    63. 

  63. 	[, $static, $file] = sscanf($path_relative_to_ext, '%[^/]/%[^/]/%s') ?? [null, null, null];
    64. 

  64. 	if (null === $file || 'static' !== $static) {
    65. 

  65. 		return false;
    66. 

  66. 	}
    67. 

  67. 

  68. 	return true;
    69. 

  69. }
    70. 

  70. 

  71. /**
    72. 

  72.  * Check if a file can be served by ext.php. A valid file is under a
    73. 

  73.  * CORE_EXTENSIONS_PATH/extension_name/static/ or THIRDPARTY_EXTENSIONS_PATH/extension_name/static/ directory.
    74. 

  74.  *
    75. 

  75.  * You should sanitize path by using the realpath() function.
    76. 

  76.  *
    77. 

  77.  * @param string $path the path to the file we want to serve.
    78. 

  78.  * @return bool true if it can be served, false otherwise.
    79. 

  79.  *
    80. 

  80.  */
    81. 

  81. function is_valid_path(string $path): bool {
    82. 

  82. 	return is_valid_path_extension($path, CORE_EXTENSIONS_PATH) || is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH)
    83. 

  83. 		|| is_valid_path_extension($path, USERS_PATH, false);
    84. 

  84. }
    85. 

  85. 

  86. function sendBadRequestResponse(string $message = null): never {
    87. 

  87. 	header('HTTP/1.1 400 Bad Request');
    88. 

  88. 	die($message);
    89. 

  89. }
    90. 

  90. 

  91. function sendNotFoundResponse(): never {
    92. 

  92. 	header('HTTP/1.1 404 Not Found');
    93. 

  93. 	die();
    94. 

  94. }
    95. 

  95. 

  96. if (!isset($_GET['f'], $_GET['t']) || !is_string($_GET['f']) || !is_string($_GET['t'])) {
    97. 

  97. 	sendBadRequestResponse('Query string is incomplete.');
    98. 

  98. }
    99. 

  99. 

  100. $file_name = urldecode($_GET['f']);
    101. 

  101. $file_type = $_GET['t'];
    102. 

  102. if (empty(SUPPORTED_TYPES[$file_type]) ||
    103. 

  103. 	empty(SUPPORTED_TYPES[pathinfo($file_name, PATHINFO_EXTENSION)])) {
    104. 

  104. 	sendBadRequestResponse('File type is not supported.');
    105. 

  105. }
    106. 

  106. 

  107. $absolute_filename = get_absolute_filename($file_name);
    108. 

  108. if (!is_valid_path($absolute_filename)) {
    109. 

  109. 	sendBadRequestResponse('File is not supported.');
    110. 

  110. }
    111. 

  111. 

  112. $content_type = SUPPORTED_TYPES[$file_type];
    113. 

  113. header("Content-Type: {$content_type}");
    114. 

  114. header("Content-Disposition: inline; filename='{$file_name}'");
    115. 

  115. 

  116. $mtime = @filemtime($absolute_filename);
    117. 

  117. if ($mtime === false) {
    118. 

  118. 	sendNotFoundResponse();
    119. 

  119. }
    120. 

  120. 

  121. require(LIB_PATH . '/http-conditional.php');
    122. 

  122. 

  123. if (!httpConditional($mtime, 604800, 2)) {
    124. 

  124. 	readfile($absolute_filename);
    125. 

  125. }
    126.