<?php
+/**
+ * Script that handles avatar image requests.
+ *
+ * Part of Surrogator - a simple libravatar avatar image server.
+ *
+ * PHP version 5
+ *
+ * @category Tools
+ * @package Surrogator
+ * @author Christian Weiske <cweiske@cweiske.de>
+ * @license http://www.gnu.org/licenses/agpl.html AGPLv3 or later
+ * @link https://sourceforge.net/p/surrogator/
+ */
namespace surrogator;
-
$cfgFile = __DIR__ . '/../data/surrogator.config.php';
if (!file_exists($cfgFile)) {
$cfgFile = '/etc/surrogator.config.php';
if (!file_exists($cfgFile)) {
err(
500,
- "Configuration file does not exist.\n"
- . "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
+ "Configuration file does not exist.",
+ "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
);
exit(2);
}
}
require $cfgFile;
-function err($statusCode, $msg)
+/**
+ * Send an error message out.
+ *
+ * @param integer $statusCode HTTP status code
+ * @param string $msg Error message
+ *
+ * @return void
+ */
+function err($statusCode, $msg, $more = '')
{
header('HTTP/1.0 ' . $statusCode . ' ' . $msg);
header('Content-Type: text/plain');
- echo $msg . "\n";
+ echo $msg . "\n" . $more;
exit(1);
}
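Review bot: The new `$more` parameter of `err()` is not covered by the docblock added directly above it, so nothing tells a caller that `$more` goes only into the response body while `$msg` also becomes the reason phrase of the status line. Add `@param string $more Optional extra text printed after the message in the response body` beside the other `@param` lines, and note on `$msg` that it must stay a single short line because it is written into the `HTTP/1.0` header (both visible call sites respect that). The body is `$msg . "\n" . $more` with no terminating newline when `$more` is non-empty; if that is intentional it is worth one sentence in the docblock.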
if ($_GET['default'] == '404') {
$defaultMode = '404';
$default = '404';
+ } else if ($_GET['default'] == 'mm') {
+ //mystery man fallback image
+ $defaultMode = 'local';
+ $default = 'mm.png';
} else {
- //FIXME: support mm
//local default image
$defaultMode = 'local';
$default = 'default.png';
//url
$defaultMode = 'redirect';
$default = $_GET['default'];
- //FIXME: validate?
+
+ $allowed = false;
+ foreach ($trustedDefaultUrls ?? [] as $urlPrefix) {
+ if (substr($default, 0, strlen($urlPrefix)) == $urlPrefix) {
+ $allowed = true;
+ break;
+ }
+ }
+ if (!$allowed) {
+ header('X-Info: default parameter URL not allowed');
+ $defaultMode = 'local';
+ $default = 'default.png';
+ }
}
}
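Review bot: The `foreach` over `$trustedDefaultUrls` accepts a URL on a bare string-prefix match, so a configured prefix written without its trailing `/` (e.g. a constructed `http://cdn.example`) also admits `http://cdn.example.other/...`, and an empty prefix admits every URL; since this branch sets `$defaultMode = 'redirect'`, that comparison alone decides where the client is sent. Tighten it to `if ($urlPrefix !== '' && strncmp($default, $urlPrefix, strlen($urlPrefix)) === 0) {` and state in the config that trusted prefixes must end with `/` (or normalise them to). The `??` on the `foreach` line requires PHP 7.0, which contradicts the `PHP version 5` line in the file header; either bump the header or write `isset($trustedDefaultUrls) ? $trustedDefaultUrls : array()`. The structure between the `default.png` assignment and the `//url` comment is not shown in the hunk, so the opening of the redirect branch could not be reviewed.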
header('Content-Length:' . $stat['size']);
readfile($imgFile);
-?>
\ No newline at end of file
+?>