X-Git-Url: https://git.cweiske.de/surrogator.git/blobdiff_plain/9a2fe7d4d5cee5d9c6435f1d8e173c1a54203906..HEAD:/www/avatar.php
diff --git a/www/avatar.php b/www/avatar.php
index bf2b9bc..e20ddda 100644
--- a/www/avatar.php
+++ b/www/avatar.php
@@ -10,7 +10,7 @@
  * @package Surrogator
  * @author Christian Weiske
  * @license http://www.gnu.org/licenses/agpl.html AGPLv3 or later
- * @link http://git.cweiske.de/?p=surrogator.git
+ * @link https://sourceforge.net/p/surrogator/
  */
 namespace surrogator;
 $cfgFile = __DIR__ . '/../data/surrogator.config.php';
@@ -19,8 +19,8 @@ if (!file_exists($cfgFile)) {
 if (!file_exists($cfgFile)) {
     err(
         500,
-        "Configuration file does not exist.\n"
-        . "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
+        "Configuration file does not exist.",
+        "Copy data/surrogator.config.php.dist to data/surrogator.config.php"
     );
     exit(2);
 }
@@ -35,11 +35,11 @@ require $cfgFile;
  *
  * @return void
  */
-function err($statusCode, $msg)
+function err($statusCode, $msg, $more = '')
 {
     header('HTTP/1.0 ' . $statusCode . ' ' . $msg);
     header('Content-Type: text/plain');
-    echo $msg . "\n";
+    echo $msg . "\n" . $more;
     exit(1);
 }
@@ -96,7 +96,19 @@ if (isset($_GET['default'])) {
         //url
         $defaultMode = 'redirect';
         $default = $_GET['default'];
-        //FIXME: validate?
+
+        $allowed = false;
+        foreach ($trustedDefaultUrls ?? [] as $urlPrefix) {
+            if (substr($default, 0, strlen($urlPrefix)) == $urlPrefix) {
+                $allowed = true;
+                break;
+            }
+        }
+        if (!$allowed) {
+            header('X-Info: default parameter URL not allowed');
+            $defaultMode = 'local';
+            $default = 'default.png';
+        }
     }
 }
@@ -149,4 +161,4 @@ header('Content-Type: image/png');
 header('Content-Length:' . $stat['size']);
 readfile($imgFile);
-?>
\ No newline at end of file
+?>
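Review bot: The new `$more` parameter of `err()` is untyped and is echoed without a trailing newline, so the two-part message passed from the configuration-file check ends without a line break, and the docblock `@param` list (which starts above the hunk) is not extended for it. The file already relies on PHP 7 syntax (`??` in the `$_GET['default']` handling), so `function err(int $statusCode, string $msg, string $more = ''): void` would be safe, together with `echo $msg . "\n" . $more . "\n";`. Add ` * @param string $more Additional detail printed after the message` to the docblock. Since `$msg` is also placed into the HTTP status line, the docblock should say it must be a short single-line phrase.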
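Review bot: The prefix check `substr($default, 0, strlen($urlPrefix)) == $urlPrefix` is a raw byte-prefix match with loose comparison, so an entry in `$trustedDefaultUrls` that lacks a trailing `/` also admits any URL whose host merely continues those characters, and an empty entry admits everything. Suggest `if ($urlPrefix !== '' && strncmp($default, $urlPrefix, strlen($urlPrefix)) === 0) {` and a comment above the loop stating that each trusted entry must be a full origin ending in `/` (or compare the `parse_url()` scheme and host instead of a string prefix). `$_GET['default']` may also arrive as an array, which would make `substr()` fail before the check runs; an `is_string($default)` guard when `$defaultMode` is set to `'redirect'` keeps the fail-closed fallback to `default.png` on that path too. The enclosing `if (isset($_GET['default']))` block starts outside the hunk.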