scratch – Diff between revs 66 and 67
Line 4... | Line 4... | |||
4 | ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
4 | ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
|
5 | ########################################################################### |
5 | ########################################################################### |
|
Line 6... | Line 6... | |||
6 | |
6 | |
|
7 | require_once('php/pseudocrypt.php'); |
7 | require_once('php/pseudocrypt.php'); |
|
8 | require_once('php/functions.php'); |
8 | require_once('php/functions.php'); |
|
- | 9 | require_once('vendor/mustangostang/spyc/Spyc.php'); |
||
- | 10 | |
||
- | 11 | ### Load configuration. |
||
Line 9... | Line 12... | |||
9 | require_once('config.php'); |
12 | $config = spyc_load_file('config.yaml'); |
|
10 | |
13 | |
|
11 | if(!isset($_POST['fingerprint']) or empty($_POST['fingerprint']) or |
14 | if(!isset($_POST['fingerprint']) or empty($_POST['fingerprint']) or |
|
12 | !isset($_POST['action']) or empty($_POST['action'])) { |
15 | !isset($_POST['action']) or empty($_POST['action'])) { |
|
Line 38... | Line 41... | |||
38 | hash( |
41 | hash( |
|
39 | 'sha512', |
42 | 'sha512', |
|
40 | $fingerprint |
43 | $fingerprint |
|
41 | ) |
44 | ) |
|
42 | ), |
45 | ), |
|
43 | $ASSET_HASH_SIZE |
46 | $config['ASSET_HASH_SIZE'] |
|
44 | ) |
47 | ) |
|
45 | ); |
48 | ); |
|
Line 46... | Line 49... | |||
46 | |
49 | |
|
47 | #### Build the user path. |
50 | #### Build the user path. |
|
48 | $userPath = join( |
51 | $userPath = join( |
|
49 | DIRECTORY_SEPARATOR, |
52 | DIRECTORY_SEPARATOR, |
|
50 | array( |
53 | array( |
|
51 | $STORE_FOLDER, |
54 | $config['STORE_FOLDER'], |
|
52 | $file |
55 | $file |
|
53 | ) |
56 | ) |
|
Line 54... | Line 57... | |||
54 | ); |
57 | ); |
|
55 | |
58 | |
|
56 | #### Check for path traversals |
59 | #### Check for path traversals |
|
57 | $pathPart = pathinfo($userPath.'.html'); |
60 | $pathPart = pathinfo($userPath.'.html'); |
|
58 | if (strcasecmp( |
61 | if (strcasecmp( |
|
59 | realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
62 | realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
|
60 | header('Internal server error.', true, 500); |
63 | header('Internal server error.', true, 500); |
|
Line 61... | Line 64... | |||
61 | return; |
64 | return; |
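Review bot: The values read from `$config` on the new side (lines 12, 46, 54 and 62) are never validated, so a missing or malformed config.yaml leaves `$config['STORE_FOLDER']` null and the path-traversal guard at new line 62 then compares `realpath($pathPart['dirname'])` against `realpath('')` (which likely resolves to the current working directory) instead of the intended store folder, while the hash size at line 46 degrades to null; config.php could at least fail at include time. Fail closed directly after the load: `if (!is_array($config) || empty($config['STORE_FOLDER']) || empty($config['ASSET_HASH_SIZE'])) { header('Internal server error.', true, 500); return; }`. Whether spyc_load_file returns an empty array or false for an unreadable file is not visible here, so cover both in that check. Separately, config.php was interpreted by PHP, whereas a config.yaml addressed by a relative path next to this script is static content; if it sits under the document root, confirm the web server refuses to serve it.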