SeaCMS
/
pico
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Replace Pico::discoverRequestFile() with public Pico::resolveFilePath()

Browse Source 
This allows plugins (e.g. PicoAdmin) to safely resolve file paths without the need of re-implementing the method.
pico-3.0-alpha
Daniel Rudolf 9 years ago
parent e27be7a80f
commit 21bd18bcf0
No known key found for this signature in database
GPG Key ID: A061F02CD8DE4538
1 changed files with 24 additions and 21 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 45
      lib/Pico.php

45
lib/Pico.php
Unescape View File

@ -308,7 +308,7 @@ class Pico
$this->triggerEvent('onRequestUrl', array(&$this->requestUrl));
// discover requested file
$this->discoverRequestFile();
$this->requestFile = $this->resolveFilePath($this->requestUrl);
$this->triggerEvent('onRequestFile', array(&$this->requestFile));
// load raw file content
@ -735,24 +735,29 @@ class Pico
}
/**
* Uses the request URL to discover the content file to serve
* Resolves a given file path to its corresponding content file
*
* This method also prevents `content_dir` breakouts using malicious
* request URLs. We don't use `realpath()`, because we neither want to
* check for file existance, nor prohibit symlinks which intentionally
* point to somewhere outside the `content_dir` folder. It is STRONGLY
* RECOMMENDED to use PHP's `open_basedir` feature - always, not just
* with Pico!
*
* @see Pico::getRequestFile()
* @return void
* @param string $requestUrl path name (likely from a URL) to resolve
* @return string path to the resolved content file
*/
protected function discoverRequestFile()
public function resolveFilePath($requestUrl)
{
$contentDir = $this->getConfig('content_dir');
$contentExt = $this->getConfig('content_ext');
if (empty($this->requestUrl)) {
$this->requestFile = $contentDir . 'index' . $contentExt;
if (empty($requestUrl)) {
return $contentDir . 'index' . $contentExt;
} else {
// prevent content_dir breakouts using malicious request URLs
// we don't use realpath() here because we neither want to check for file existance
// nor prohibit symlinks which intentionally point to somewhere outside the content_dir
// it is STRONGLY RECOMMENDED to use open_basedir - always, not just with Pico!
$requestUrl = str_replace('\\', '/', $this->requestUrl);
// prevent content_dir breakouts
$requestUrl = str_replace('\\', '/', $requestUrl);
$requestUrlParts = explode('/', $requestUrl);
$requestFileParts = array();
@ -768,31 +773,29 @@ class Pico
}
if (empty($requestFileParts)) {
$this->requestFile = $contentDir . 'index' . $contentExt;
return;
return $contentDir . 'index' . $contentExt;
}
// discover the content file to serve
// Note: $requestFileParts neither contains a trailing nor a leading slash
$this->requestFile = $contentDir . implode('/', $requestFileParts);
if (is_dir($this->requestFile)) {
$requestFile = $contentDir . implode('/', $requestFileParts);
if (is_dir($requestFile)) {
// if no index file is found, try a accordingly named file in the previous dir
// if this file doesn't exist either, show the 404 page, but assume the index
// file as being requested (maintains backward compatibility to Pico < 1.0)
$indexFile = $this->requestFile . '/index' . $contentExt;
if (file_exists($indexFile) || !file_exists($this->requestFile . $contentExt)) {
$this->requestFile = $indexFile;
return;
$indexFile = $requestFile . '/index' . $contentExt;
if (file_exists($indexFile) || !file_exists($requestFile . $contentExt)) {
return $indexFile;
}
}
$this->requestFile .= $contentExt;
return $requestFile . $contentExt;
}
}
/**
* Returns the absolute path to the content file to serve
*
* @see Pico::discoverRequestFile()
* @see Pico::resolveFilePath()
* @return string|null file path
*/
public function getRequestFile()

Write Preview
Loading…
Cancel
Save