pages/pages-server
1
0
Fork 0
mirror of https://codeberg.org/Codeberg/pages-server.git synced 2025-01-19 08:57:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

var/www/pages/index.php : comments

Browse source
This commit is contained in:
codeberg.org 2020-05-04 22:24:56 +02:00
parent 43df6cdf2a
commit 0df931d3ee
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
var/www/pages/index.php
View file

@ -29,6 +29,7 @@ if ($request_url === "/") {
"); ");
} }
# Restrict allowed characters in request URI:
if (preg_match("/^\/[a-zA-Z0-9_ +\-\/\.]+\$/", $request_url) != 1) { if (preg_match("/^\/[a-zA-Z0-9_ +\-\/\.]+\$/", $request_url) != 1) {
send_response(404, "invalid request URL"); send_response(404, "invalid request URL");
} }
@ -39,10 +40,12 @@ array_shift($parts); # remove empty first
$owner = strtolower(array_shift($parts)); $owner = strtolower(array_shift($parts));
$git_root = realpath("$git_prefix/$owner/pages.git"); $git_root = realpath("$git_prefix/$owner/pages.git");
# Ensure that only files within the user's pages repository are accessed:
if (substr($git_root, 0, strlen($git_prefix)) !== $git_prefix) { if (substr($git_root, 0, strlen($git_prefix)) !== $git_prefix) {
send_response(404, "this user/organization does not have codeberg pages"); send_response(404, "this user/organization does not have codeberg pages");
} }
# If URL ends on "/", last entry in array is empty. Remove it:
if (end($parts) === "") { if (end($parts) === "") {
array_pop($parts); array_pop($parts);
} }