diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2025-04-07 08:47:42 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2025-04-07 08:47:42 +0200 |
| commit | 0c33d2713957eaf6cc0222150df7ebbcb53beaed (patch) | |
| tree | a9a011c370e2d8ecf3c3290dfb1afd86c9cea0bc /p/ext.php | |
| parent | d3d9acca9f905fc03d6151f6ad75567256310831 (diff) | |
Secure serving of user files from extensions (#7495)
* Secure serving of user files from extensions
fix https://github.com/FreshRSS/FreshRSS/issues/4930
* More fixes
* Typo
Diffstat (limited to 'p/ext.php')
| -rw-r--r-- | p/ext.php | 44 |
1 files changed, 8 insertions, 36 deletions
@@ -2,42 +2,21 @@ declare(strict_types=1); require(__DIR__ . '/../constants.php'); -// Supported types with their associated content type -const SUPPORTED_TYPES = [ - 'css' => 'text/css; charset=UTF-8', - 'js' => 'application/javascript; charset=UTF-8', - 'png' => 'image/png', - 'jpeg' => 'image/jpeg', - 'jpg' => 'image/jpeg', - 'gif' => 'image/gif', - 'svg' => 'image/svg+xml', -]; - function get_absolute_filename(string $file_name): string { $core_extension = realpath(CORE_EXTENSIONS_PATH . '/' . $file_name); if (false !== $core_extension) { return $core_extension; } - $extension = realpath(EXTENSIONS_PATH . '/' . $file_name); - if (false !== $extension) { - return $extension; - } - $third_party_extension = realpath(THIRDPARTY_EXTENSIONS_PATH . '/' . $file_name); if (false !== $third_party_extension) { return $third_party_extension; } - $user = realpath(USERS_PATH . '/' . $file_name); - if (false !== $user) { - return $user; - } - return ''; } -function is_valid_path_extension(string $path, string $extensionPath, bool $isStatic = true): bool { +function is_valid_path_extension(string $path, string $extensionPath): bool { // It must be under the extension path. $real_ext_path = realpath($extensionPath); if ($real_ext_path == false) { @@ -53,11 +32,6 @@ function is_valid_path_extension(string $path, string $extensionPath, bool $isSt return false; } - // User files do not need further validations - if (!$isStatic) { - return true; - } - // Static files to serve must be under a `ext_dir/static/` directory. $path_relative_to_ext = substr($path, strlen($real_ext_path) + 1); [, $static, $file] = sscanf($path_relative_to_ext, '%[^/]/%[^/]/%s') ?? [null, null, null]; @@ -78,28 +52,26 @@ function is_valid_path_extension(string $path, string $extensionPath, bool $isSt * @return bool true if it can be served, false otherwise. */ function is_valid_path(string $path): bool { - return is_valid_path_extension($path, CORE_EXTENSIONS_PATH) || is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH) - || is_valid_path_extension($path, USERS_PATH, false); + return is_valid_path_extension($path, CORE_EXTENSIONS_PATH) || is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH); } function sendBadRequestResponse(?string $message = null): never { header('HTTP/1.1 400 Bad Request'); - die($message); + die($message ?? 'Bad Request!'); } function sendNotFoundResponse(): never { header('HTTP/1.1 404 Not Found'); - die(); + die('Not Found!'); } -if (!isset($_GET['f'], $_GET['t']) || !is_string($_GET['f']) || !is_string($_GET['t'])) { +if (!is_string($_GET['f'] ?? null)) { sendBadRequestResponse('Query string is incomplete.'); } $file_name = urldecode($_GET['f']); -$file_type = $_GET['t']; -if (empty(SUPPORTED_TYPES[$file_type]) || - empty(SUPPORTED_TYPES[pathinfo($file_name, PATHINFO_EXTENSION)])) { +$file_type = pathinfo($file_name, PATHINFO_EXTENSION); +if (empty(FreshRSS_extension_Controller::MIME_TYPES[$file_type])) { sendBadRequestResponse('File type is not supported.'); } @@ -113,7 +85,7 @@ if (!is_valid_path($absolute_filename)) { sendBadRequestResponse('File is not supported.'); } -$content_type = SUPPORTED_TYPES[$file_type]; +$content_type = FreshRSS_extension_Controller::MIME_TYPES[$file_type]; header("Content-Type: {$content_type}"); header("Content-Disposition: inline; filename='{$file_name}'"); header('Referrer-Policy: same-origin'); |