From 232cecc398e5a8cca1721922f53f3b81f16fc6ff Mon Sep 17 00:00:00 2001 From: Christophe HENRY Date: Thu, 18 Mar 2021 21:18:49 +0100 Subject: [PATCH] Enable security on what gmi file the client asks. * checks realPath() against no-existent files, * checks the file suffix '.gmi' * checks the directory belongs to that of the site. --- index.php | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/index.php b/index.php index e8bf014..a551626 100644 --- a/index.php +++ b/index.php @@ -21,16 +21,26 @@ if (empty($url)) { exit(); } - -# to false only if textDecoration=0 in the URL -$textDecoration = "0" != @$_REQUEST['textDecoration']; +$documentRoot = $_SERVER['DOCUMENT_ROOT']; # Removes the headling and trailling slashes, to be sure there's not any. $filePath = rtrim($_SERVER['DOCUMENT_ROOT'], "/")."/".ltrim($url, "/"); +switch(true) { + case false: + case !realPath($filePath): + case !preg_match("/\.gmi$/", $url): # not finishing by .gmi + case strpos($filePath, $documentRoot)!==0: # not in web directory + $go404 = true; + // Says 404 even if the file exists to not give any information. + break; + default: + $go404 = false; +} + /* 404 page */ -if (!file_exists($filePath)) { +if ($go404) { error_log("HtmGem: 404 $url $filePath"); http_response_code(404); $page404 = <<