Add composer.json so we can validate php extension requirements

[surrogator.git] / www / avatar.php

diff --git a/www/avatar.php b/www/avatar.php
index 09bf19711504f21d2e2bed8fae2fe41a42d98da0..e20ddda763d5146881527b0bf178c8c4daef5bcc 100644 (file)
--- a/www/avatar.php
+++ b/www/avatar.php
@@ -19,8 +19,8 @@ if (!file_exists($cfgFile)) {
     if (!file_exists($cfgFile)) {
         err(
             500,
-            "Configuration file does not exist.\n"
-            . "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
+            "Configuration file does not exist.",
+            "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
         );
         exit(2);
     }
@@ -35,11 +35,11 @@ require $cfgFile;
  *
  * @return void
  */
-function err($statusCode, $msg)
+function err($statusCode, $msg, $more = '')
 {
     header('HTTP/1.0 ' . $statusCode . ' ' . $msg);
     header('Content-Type: text/plain');
-    echo $msg . "\n";
+    echo $msg . "\n" . $more;
     exit(1);
 }
 
@@ -96,7 +96,19 @@ if (isset($_GET['default'])) {
         //url
         $defaultMode = 'redirect';
         $default     = $_GET['default'];
-        //FIXME: validate?
+
+        $allowed = false;
+        foreach ($trustedDefaultUrls ?? [] as $urlPrefix) {
+            if (substr($default, 0, strlen($urlPrefix))  == $urlPrefix) {
+                $allowed = true;
+                break;
+            }
+        }
+        if (!$allowed) {
+            header('X-Info: default parameter URL not allowed');
+            $defaultMode = 'local';
+            $default     = 'default.png';
+        }
     }
 }
 
@@ -149,4 +161,4 @@ header('Content-Type: image/png');
 header('Content-Length:' . $stat['size']);
 
 readfile($imgFile);
-?>
\ No newline at end of file
+?>