authorAaron Ball <nullspoon@oper.io>2018-11-03 18:30:42 -0600
committerAaron Ball <nullspoon@oper.io>2018-11-03 18:30:42 -0600
commit72586d057907e070120a25928c650ac80e457f66 (patch)
treeaecc2f06aeaba9d62a8387b22bc84e7ac4eee63a
parentadd42514d3bf1a15d9f70df95d0fb46d4c2d5859 (diff)
index.php:Security and update logic for printing header
Added check for page name first char. If it is '.' or '/', return a 404 no matter what. This should help prevent people from putting filenames with paths in them. Also made header (h1) printing occur for all pages by making the default post name 'index' for when no post name is specified.
-rwxr-xr-xindex.php11
1 files changed, 7 insertions, 4 deletions
diff --git a/index.php b/index.php
index 73582ea..9fab2d8 100755
--- a/index.php
+++ b/index.php
@@ -16,9 +16,12 @@ if($_GET['p'] != '') {
// and ../) to prevent people from abusing the query string.
$post = basename($post);
-if($post == "" && file_exists('html/index.html')) {
- // if a post isn't specified
- print(file_get_contents('html/index.html'));
+// If post is not specified, default to 'index'
+if($post == '') { $post = "index"; }
+
+if($post[0] == '.' || $post[0] == '/') {
+ // Prevent access to any pages starting with '.' or '/'
+ print("<p>Error: the page you have requested does not exist.</p>");
} elseif(file_exists('html/' . $post . '.html')) {
// Get the first line
$f = fopen('posts/' . $post . '.adoc', 'r');
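Review bot: The new guard on `$post[0]` only prints an error paragraph and never sets a status, so the client still receives 200 OK rather than the 404 the commit message promises; add `http_response_code(404);` before the `print(...)` in that branch (and in the final `else`, which prints the same message). Since `basename($post)` two lines earlier already strips every directory component, `$post[0] == '/'` can never match and the check is effectively a dotfile denylist; a positive allowlist such as `if(!preg_match('/^[A-Za-z0-9_-]+$/', $post)) {` would reject dotfiles, separators and any other unexpected byte in one place and use `===` semantics implicitly. The `fopen('posts/' . $post . '.adoc', 'r')` call is only reached when the `.html` exists, but nothing here checks that the `.adoc` exists too, so `$f` may be `false`; the lines that read from it are outside this hunk.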
@@ -30,7 +33,7 @@ if($post == "" && file_exists('html/index.html')) {
// Get and print post body
print(file_get_contents('html/' . $post . '.html'));
} else {
- print("Error: the page you have requested does not exist.");
+ print("<p>Error: the page you have requested does not exist.</p>");
}
print(file_get_contents('res/footer.html'));
