if (!file_exists($cfgFile)) {
err(
500,
- "Configuration file does not exist.\n"
- . "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
+ "Configuration file does not exist.",
+ "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
);
exit(2);
}
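Review bot: The `exit(2);` after the `err(...)` call is unreachable, because `err()` as shown further down in this diff always ends with `exit(1)`, so a missing configuration file exits with status 1 rather than the 2 this line suggests was intended. If a distinct exit code for the missing-config case matters to callers or scripts, `err()` would need to accept the code (e.g. an optional `$exitCode = 1` parameter); otherwise drop the dead line so the intent is not misread. The surrounding script logic continues outside this hunk.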
*
* @return void
*/
-function err($statusCode, $msg)
+function err($statusCode, $msg, $more = '')
{
header('HTTP/1.0 ' . $statusCode . ' ' . $msg);
header('Content-Type: text/plain');
- echo $msg . "\n";
+ echo $msg . "\n" . $more;
exit(1);
}
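Review bot: The new `$more` parameter on `function err($statusCode, $msg, $more = '')` is not documented in the docblock above it, which begins outside this hunk and currently ends with only `@return void`; add `@param string $more Additional text printed on the line(s) after the message`. The appended text is also written without a terminating newline, so the plain-text body ends mid-line; `echo $msg . "\n" . ($more === '' ? '' : $more . "\n");` keeps the old output for callers that pass nothing and terminates the extra text cleanly. Since the first line of the function already interpolates `$msg` into the status line sent via `header()`, it is worth stating in the docblock that `$msg` must be a single-line reason phrase, because PHP refuses headers containing newlines.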
//url
$defaultMode = 'redirect';
$default = $_GET['default'];
- //FIXME: validate?
+
+ $allowed = false;
+ foreach ($trustedDefaultUrls ?? [] as $urlPrefix) {
+ if (substr($default, 0, strlen($urlPrefix)) == $urlPrefix) {
+ $allowed = true;
+ break;
+ }
+ }
+ if (!$allowed) {
+ header('X-Info: default parameter URL not allowed');
+ $defaultMode = 'local';
+ $default = 'default.png';
+ }
}
}
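Review bot: The allow-list test at `if (substr($default, 0, strlen($urlPrefix)) == $urlPrefix)` is a bare prefix match with loose comparison, so a configured entry such as `https://example.org` (no trailing slash) also accepts any longer host name or path that merely continues the configured text, which weakens the redirect restriction this hunk introduces. Comparing with `===` and, if the entries are meant as directory-style prefixes, normalising each entry to end in `/` before comparing closes that gap; on PHP 8 `str_starts_with()` expresses the same check. The value being checked comes from the context line `$default = $_GET['default'];`, read without `isset`, so a missing parameter raises an undefined-index notice and a non-string value (an array from the query string) makes `substr()` fail; `?? ''` plus an `is_string()` guard handles both and falls through to the existing local `default.png` branch. The `if` block that the two closing braces at the end of the hunk terminate starts outside the hunk.
```php
// … unchanged: $defaultMode = 'redirect'; …
$default = $_GET['default'] ?? '';

$allowed = false;
if (is_string($default)) {
    foreach ($trustedDefaultUrls ?? [] as $urlPrefix) {
        // treat each trusted entry as a directory prefix so a longer host name cannot match it
        $urlPrefix = rtrim($urlPrefix, '/') . '/';
        if (substr($default, 0, strlen($urlPrefix)) === $urlPrefix) {
            $allowed = true;
            break;
        }
    }
}
// … unchanged: X-Info header and fallback to local default.png when !$allowed …
```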
header('Content-Length:' . $stat['size']);
readfile($imgFile);
-?>
\ No newline at end of file
+?>