asset.php: check access

6 years ago · 12b0a0e4e3
2 changed files with 25 additions and 2 deletions
--- a/asset.php
+++ b/asset.php
@ -16,8 +16,15 @@ $repoData = $allRepositories[$repoId];
 $repo = getRepo($repoId, $repoData);

 $tmpfile = tempnam('/tmp', 'osb-asset-');
-file_put_contents($tmpfile, $repo->file_get_contents($_REQUEST['file']));
+$contents = $repo->file_get_contents($_REQUEST['file']);
+
+if ($contents === false) {
+  Header("HTTP/1.1 401 Permission denied");
+  exit(0);
+}
+
+file_put_contents($tmpfile, $contents);
 $mime_type = mime_content_type($tmpfile);

 Header("Content-Type: {$mime_type}; charset=utf-8");
-readfile($tmpfile);
+print $contents;
--- a/src/RepositoryDir.php
+++ b/src/RepositoryDir.php
@ -38,15 +38,31 @@ class RepositoryDir extends RepositoryBase {
    return $data;
  }

+  function access ($file) {
+    return (substr($file, 0, 1) !== '.' && !preg_match('/\/\./', $file));
+  }
+
  function scandir($path="") {
+    if (!$this->access($path)) {
+      return false;
+    }
+
    return scandir("{$this->path}/{$path}");
  }

  function file_get_contents ($file) {
+    if (!$this->access($file)) {
+      return false;
+    }
+
    return file_get_contents("{$this->path}/{$file}");
  }

  function file_put_contents ($file, $content) {
+    if (!$this->access($file)) {
+      return false;
+    }
+
    return file_put_contents("{$this->path}/{$file}", $content);
  }
 }