From 12b0a0e4e3e15044d287e79191b4e521e4d97d91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20B=C3=B6sch-Plepelits?=
Date: Mon, 22 Jan 2018 21:53:35 +0100
Subject: [PATCH] asset.php: check access

---
 asset.php | 11 +++++++++--
 src/RepositoryDir.php | 16 ++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/asset.php b/asset.php
index 4e5b2b77..fcb44777 100644
--- a/asset.php
+++ b/asset.php
@@ -16,8 +16,15 @@ $repoData = $allRepositories[$repoId];
 $repo = getRepo($repoId, $repoData);
 $tmpfile = tempnam('/tmp', 'osb-asset-');
-file_put_contents($tmpfile, $repo->file_get_contents($_REQUEST['file']));
+$contents = $repo->file_get_contents($_REQUEST['file']);
+
+if ($contents === false) {
+ Header("HTTP/1.1 401 Permission denied");
+ exit(0);
+}
+
+file_put_contents($tmpfile, $contents);
 $mime_type = mime_content_type($tmpfile);
 Header("Content-Type: {$mime_type}; charset=utf-8");
-readfile($tmpfile);
+print $contents;
diff --git a/src/RepositoryDir.php b/src/RepositoryDir.php
index 5ec2d7ee..e7d28590 100644
--- a/src/RepositoryDir.php
+++ b/src/RepositoryDir.php
@@ -38,15 +38,31 @@ class RepositoryDir extends RepositoryBase {
 return $data;
 }
+ function access ($file) {
+ return (substr($file, 0, 1) !== '.' && !preg_match('/\/\./', $file));
+ }
+
 function scandir($path="") {
+ if (!$this->access($path)) {
+ return false;
+ }
+
 return scandir("{$this->path}/{$path}");
 }
 function file_get_contents ($file) {
+ if (!$this->access($file)) {
+ return false;
+ }
+
 return file_get_contents("{$this->path}/{$file}");
 }
 function file_put_contents ($file, $content) {
+ if (!$this->access($file)) {
+ return false;
+ }
+
 return file_put_contents("{$this->path}/{$file}", $content);
 }
 }
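Review bot: The status sent in the added `$contents === false` branch is wrong for what it reports: HTTP 401 means the client must authenticate, whereas a path the repository refuses to serve is a 403, and PHP's own `file_get_contents()` also returns `false` for a file that simply does not exist, so a mistyped `file` parameter now yields "401 Permission denied" as well. `http_response_code(403); exit;` is the accurate reply for the refused case; distinguishing a missing file (404) would need the repository method to signal the two outcomes differently, which its current `false` return cannot. The temp file from `tempnam()` is still never removed, and since the body is now served from `$contents` the MIME lookup no longer needs it at all — `(new finfo(FILEINFO_MIME_TYPE))->buffer($contents)` replaces the write plus `mime_content_type()`, or at minimum `unlink($tmpfile)` should follow the lookup. The earlier part of the flat script, where `$repoId` is derived, lies outside this hunk.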
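Review bot: `access()` grants access when `preg_match()` fails: on a PCRE error the call returns `false`, `!false` is `true`, and the path is accepted, so the result should be compared explicitly, `return substr($file, 0, 1) !== '.' && preg_match('/\/\./', $file) === 0;`. The check is also a pure string filter — it rejects every path segment starting with `.` (which covers `..` and dot-files alike) but knows nothing about symlinks present under `$this->path`, which the subsequent `scandir()`/`file_get_contents()` calls would presumably still follow; resolving the joined path with `realpath()` and requiring it to start with `realpath($this->path) . '/'` would close that gap for reads (note `realpath()` returns `false` for a not-yet-existing target, which matters for `file_put_contents()`). The new method is public and untyped with no documentation; a docblock should state the contract for callers, e.g. `/** Whether $file may be exposed: rejects hidden entries and any segment beginning with '.'; the three file methods return false instead of data when this fails. */`. The class `RepositoryDir` begins before this hunk.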