X-Git-Url: https://git.cweiske.de/surrogator.git/blobdiff_plain/450b7bd52a3f1424699540dfcbb30703def67a00..HEAD:/www/avatar.php?ds=sidebyside
diff --git a/www/avatar.php b/www/avatar.php
index 9a17a33..e20ddda 100644
--- a/www/avatar.php
+++ b/www/avatar.php
@@ -1,25 +1,45 @@
+ * @license http://www.gnu.org/licenses/agpl.html AGPLv3 or later
+ * @link https://sourceforge.net/p/surrogator/
+ */
 namespace surrogator;
-
 $cfgFile = __DIR__ . '/../data/surrogator.config.php';
 if (!file_exists($cfgFile)) {
     $cfgFile = '/etc/surrogator.config.php';
     if (!file_exists($cfgFile)) {
         err(
             500,
-            "Configuration file does not exist.\n"
-            . "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
+            "Configuration file does not exist.",
+            "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
         );
         exit(2);
     }
 }
 require $cfgFile;
-function err($statusCode, $msg)
+/**
+ * Send an error message out.
+ *
+ * @param integer $statusCode HTTP status code
+ * @param string $msg Error message
+ *
+ * @return void
+ */
+function err($statusCode, $msg, $more = '')
 {
     header('HTTP/1.0 ' . $statusCode . ' ' . $msg);
     header('Content-Type: text/plain');
-    echo $msg . "\n";
+    echo $msg . "\n" . $more;
     exit(1);
 }
@@ -63,8 +83,11 @@ if (isset($_GET['default'])) {
     if ($_GET['default'] == '404') {
         $defaultMode = '404';
         $default = '404';
+    } else if ($_GET['default'] == 'mm') {
+        //mystery man fallback image
+        $defaultMode = 'local';
+        $default = 'mm.png';
     } else {
-        //FIXME: support mm
         //local default image
         $defaultMode = 'local';
         $default = 'default.png';
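Review bot: The new branch at `} else if ($_GET['default'] == 'mm') {` uses the loose `==`, as the pre-existing `'404'` test does; a string compared with `==` is subject to PHP's numeric-string juggling, and since the value is a fixed token, `=== 'mm'` states the intent exactly. PSR-12 also spells the keyword `elseif`, so the line would read `} elseif ($_GET['default'] === 'mm') {`. The enclosing `if (isset($_GET['default']))` block begins before this hunk.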
@@ -73,7 +96,19 @@ if (isset($_GET['default'])) {
         //url
         $defaultMode = 'redirect';
         $default = $_GET['default'];
-        //FIXME: validate?
+
+        $allowed = false;
+        foreach ($trustedDefaultUrls ?? [] as $urlPrefix) {
+            if (substr($default, 0, strlen($urlPrefix)) == $urlPrefix) {
+                $allowed = true;
+                break;
+            }
+        }
+        if (!$allowed) {
+            header('X-Info: default parameter URL not allowed');
+            $defaultMode = 'local';
+            $default = 'default.png';
+        }
     }
 }
@@ -126,4 +161,4 @@ header('Content-Type: image/png');
 header('Content-Length:' . $stat['size']);
 readfile($imgFile);
-?>
\ No newline at end of file
+?>
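Review bot: The allow-list test at `if (substr($default, 0, strlen($urlPrefix)) == $urlPrefix) {` is a bare string-prefix comparison, so a `$trustedDefaultUrls` entry that stops at the host name (constructed example: `https://example.org`) also admits `https://example.org.other.example/...`, and an empty entry admits every value; with `$defaultMode = 'redirect'` the value presumably ends up as a redirect target, which is what the removed FIXME was about. Require each configured prefix to end in `/` (document that next to `$trustedDefaultUrls` in the config template), skip empty ones, and compare strictly: `if ($urlPrefix !== '' && strncmp($default, $urlPrefix, strlen($urlPrefix)) === 0) {`. `$default` comes straight from `$_GET['default']` without an `is_string()` check, so `?default[]=x` makes `substr()` throw a TypeError on PHP 8 instead of falling back to the local image. The enclosing `if (isset($_GET['default']))` block begins before this hunk.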