1 files changed, 36 insertions, 42 deletions

diff --git a/p/ext.php b/p/ext.php
index f3b7b6a9e..471471ed5 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -1,12 +1,18 @@
 <?php
-if (!isset($_GET['f']) ||
-		!isset($_GET['t'])) {
-	header('HTTP/1.1 400 Bad Request');
-	die();
-}
 
 require(__DIR__ . '/../constants.php');
 
+// Supported types with their associated content type
+const SUPPORTED_TYPES = [
+	'css' => 'text/css; charset=UTF-8',
+	'js' => 'application/javascript; charset=UTF-8',
+	'png' => 'image/png',
+	'jpeg' => 'image/jpeg',
+	'jpg' => 'image/jpeg',
+	'gif' => 'image/gif',
+	'svg' => 'image/svg+xml',
+];
+
 function is_valid_path_extension($path, $extensionPath) {
 	// It must be under the extension path.
 	$real_ext_path = realpath($extensionPath);
@@ -22,8 +28,8 @@ function is_valid_path_extension($path, $extensionPath) {
 
 	// File to serve must be under a `ext_dir/static/` directory.
 	$path_relative_to_ext = substr($path, strlen($real_ext_path) + 1);
-	$path_splitted = explode('/', $path_relative_to_ext);
-	if (count($path_splitted) < 3 || $path_splitted[1] !== 'static') {
+	list(,$static,$file) = sscanf($path_relative_to_ext, '%[^/]/%[^/]/%s');
+	if (null === $file || 'static' !== $static) {
 		return false;
 	}
 
@@ -44,51 +50,39 @@ function is_valid_path($path) {
 	return is_valid_path_extension($path, CORE_EXTENSIONS_PATH) || is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH);
 }
 
+function sendBadRequestResponse(string $message = null) {
+	header('HTTP/1.1 400 Bad Request');
+	die($message);
+}
+
+function sendNotFoundResponse() {
+	header('HTTP/1.1 404 Not Found');
+	die();
+}
+
+if (!isset($_GET['f']) ||
+	!isset($_GET['t'])) {
+	sendBadRequestResponse('Query string is incomplete.');
+}
+
 $file_name = urldecode($_GET['f']);
 $file_type = $_GET['t'];
+if (empty(SUPPORTED_TYPES[$file_type])) {
+	sendBadRequestResponse('File type is not supported.');
+}
 
 $absolute_filename = realpath(EXTENSIONS_PATH . '/' . $file_name);
-
 if (!is_valid_path($absolute_filename)) {
-	header('HTTP/1.1 400 Bad Request');
-	die();
+	sendBadRequestResponse('File is not supported.');
 }
 
-switch ($file_type) {
-case 'css':
-	header('Content-Type: text/css; charset=UTF-8');
-	header('Content-Disposition: inline; filename="' . $file_name . '"');
-	break;
-case 'js':
-	header('Content-Type: application/javascript; charset=UTF-8');
-	header('Content-Disposition: inline; filename="' . $file_name . '"');
-	break;
-case 'png':
-	header('Content-Type: image/png');
-	header('Content-Disposition: inline; filename="' . $file_name . '"');
-	break;
-case 'jpeg':
-case 'jpg':
-	header('Content-Type: image/jpeg');
-	header('Content-Disposition: inline; filename="' . $file_name . '"');
-	break;
-case 'gif':
-	header('Content-Type: image/gif');
-	header('Content-Disposition: inline; filename="' . $file_name . '"');
-	break;
-case 'svg':
-	header('Content-Type: image/svg+xml');
-	header('Content-Disposition: inline; filename="' . $file_name . '"');
-	break;
-default:
-	header('HTTP/1.1 400 Bad Request');
-	die();
-}
+$content_type = SUPPORTED_TYPES[$file_type];
+header("Content-Type: {$content_type}");
+header("Content-Disposition: inline; filename='{$file_name}'");
 
 $mtime = @filemtime($absolute_filename);
 if ($mtime === false) {
-	header('HTTP/1.1 404 Not Found');
-	die();
+	sendNotFoundResponse();
 }
 
 require(LIB_PATH . '/http-conditional.php');