Protect 'hash' get parameter

2023-08-25 09:33:08 +02:00 · 2022-04-02 01:32:16 +02:00 · 2022-04-02 01:32:16 +02:00 · 4a261db73e
commit 4a261db73e
parent 0e891e1307
1 changed files with 12 additions and 6 deletions
--- a/app.php
+++ b/app.php
@ -34,11 +34,15 @@ $f3->route('GET /signature',
 );
 $f3->route('GET /signature/@hash',
-    function($f3, $param) {
+    function($f3) {
-        $f3->set('hash', $param['hash']);
+        $f3->set('hash', Web::instance()->slug($f3->get('PARAMS.hash')));
        $f3->set('maxSize',  min(array(convertPHPSizeToBytes(ini_get('post_max_size')), convertPHPSizeToBytes(ini_get('upload_max_filesize')))));
        $f3->set('maxPage',  ini_get('max_file_uploads') - 1);
        if(!is_dir($f3->get('PDF_STORAGE_PATH').$f3->get('hash'))) {
            $f3->error(404);
        }
        echo View::instance()->render('signature.html.php');
    }
 );
@ -188,7 +192,8 @@ $f3->route('POST /share',
 $f3->route('GET /signature/@hash/pdf',
    function($f3) {
-        $sharingFolder = $f3->get('PDF_STORAGE_PATH').$f3->get('PARAMS.hash');
+        $hash = Web::instance()->slug($f3->get('PARAMS.hash'));
        $sharingFolder = $f3->get('PDF_STORAGE_PATH').$hash;
        $files = scandir($sharingFolder);
        $originalFile = $sharingFolder.'/original.pdf';
        $finalFile = $sharingFolder.'/'.$f3->get('PARAMS.hash').'.pdf';
@ -217,13 +222,13 @@ $f3->route('GET /signature/@hash/pdf',
 $f3->route('POST /signature/@hash/save',
    function($f3) {
-        $sharingFolder = $f3->get('PDF_STORAGE_PATH').$f3->get('PARAMS.hash').'/';
+        $hash = Web::instance()->slug($f3->get('PARAMS.hash'));
        $sharingFolder = $f3->get('PDF_STORAGE_PATH').$hash.'/';
        $f3->set('UPLOADS', $sharingFolder);
        $tmpfile = tempnam($sharingFolder, date('YmdHis'));
        unlink($tmpfile);
        $svgFiles = "";
        $files = Web::instance()->receive(function($file,$formFieldName){
            if($formFieldName == "svg" && strpos(Web::instance()->mime($file['tmp_name'], true), 'image/svg+xml') !== 0) {
                $f3->error(403);
@ -252,7 +257,8 @@ $f3->route('POST /signature/@hash/save',
 $f3->route('GET /signature/@hash/nblayers',
    function($f3) {
-        $files = scandir($f3->get('PDF_STORAGE_PATH').$f3->get('PARAMS.hash'));
+        $hash = Web::instance()->slug($f3->get('PARAMS.hash'));
        $files = scandir($f3->get('PDF_STORAGE_PATH').$hash);
        $nbLayers = 0;
        foreach($files as $file) {
            if(strpos($file, 'svg.pdf') !== false) {