authorUrban Müller2016-01-12 15:38:49 +0100
committerUrban Müller2016-01-12 15:45:01 +0100
commitf1fb76db297970327fccc0e2ecdc4642bc2df748 (patch)
treed4ce31ea82abbc3e4732300e66751bfe156b890a /itjs.class
parent7c4ad5b54006acc27b6dc22d3d746d15a2d14520 (diff)
downloaditools-f1fb76db297970327fccc0e2ecdc4642bc2df748.tar.gz
itools-f1fb76db297970327fccc0e2ecdc4642bc2df748.tar.bz2
itools-f1fb76db297970327fccc0e2ecdc4642bc2df748.zip
separate trusted from untrusted input, correct crcs of remote resources, report non-existing trusted resources
Diffstat (limited to 'itjs.class')
-rw-r--r--itjs.class22
1 files changed, 16 insertions, 6 deletions
diff --git a/itjs.class b/itjs.class
index 18c7a18..2be3842 100644
--- a/itjs.class
+++ b/itjs.class
@@ -112,6 +112,9 @@ static function encode($values)
return $result;
}
+/**
+ * Convert UNTRUSTED comma separated filelist string to trusted local filenames. Missing files are ignored.
+ */
static function filenames($filelist)
{
$result = array();
@@ -133,7 +136,7 @@ static function filenames($filelist)
$filenames = $special[$file] ?: (file_exists("$local/$file") ? "$local/$file" : "$libsearch/itjs/$file");
foreach (explode(",", $filenames) as $filename)
- if (!$seen[$filename]++)
+ if (!$seen[$filename]++ && file_exists($filename))
$result[] = $filename;
}
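Review bot: The added `file_exists($filename)` confirms only that something exists at the resolved path; it does not constrain where `$file` may point, so an entry of the UNTRUSTED `$filelist` containing `..` or a leading `/` (assuming `$file` is taken from that list, which happens above this hunk) still resolves via `"$local/$file"` or `"$libsearch/itjs/$file"` to a path outside those directories and is later include()d by filecontents(). Rejecting such components before the lookup line closes this, e.g. `if (it::match('(^/|\.\.)', $file)) continue;`, assuming `it::match` is truthy on a match as its use in crcurl suggests. `$seen[$filename]++` on a first-seen key also raises an undefined-index notice on PHP versions that report it; `isset($seen[$filename])` with an explicit assignment avoids that. filenames() begins outside this hunk.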
@@ -141,7 +144,7 @@ static function filenames($filelist)
}
/**
- * Return (php-interpreted by default) files that will be sent to client
+ * Return (php-interpreted by default) files that will be sent to client. Files must exist.
*/
static function filecontents($filenames, $execphp = true)
{
@@ -154,8 +157,7 @@ static function filecontents($filenames, $execphp = true)
list($filename, $paramstr) = explode("?", $filename);
if ($paramstr && $execphp)
parse_str($paramstr, $_GET);
- if (file_exists($filename))
- $result .= it::replace(array('^1$' => ""), $execphp ? include($filename) : file_get_contents($filename), array('utf8' => false));
+ $result .= it::replace(array('^1$' => ""), $execphp ? include($filename) : file_get_contents($filename), array('utf8' => false));
$_GET = $origget;
}
$result .= ob_get_clean();
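Review bot: With the `file_exists` guard removed, a missing `$filename` now reaches `include()` or `file_get_contents()`, both of which emit a warning and return `false`; `it::replace` then runs on `false`, so the file is silently absent from the output, and with display_errors on the warning text lands in the output buffer collected by `ob_get_clean()` on the last line (the buffer is presumably started earlier in the function). If the intent is to report non-existing trusted resources, an explicit check before the replace line makes that deterministic and independent of error settings: `if (!file_exists($filename)) trigger_error("itjs: missing file $filename", E_USER_WARNING);`. The `list($filename, $paramstr) = explode("?", $filename)` line still raises a notice when no `?` is present. filecontents() begins outside this hunk.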
@@ -185,14 +187,19 @@ static function strip($code)
/**
* Compute checksum for list of files
- * @param $fnlist Either comma separated url or array of filenames to calculate checksum for
+ * @param $fnlist Either comma separated UNTRUSTED url (will check itjs/ and lib.search.ch/itjs/) or array of TRUSTED filenames
* @return Checksum for given files
*/
static function checksum($fnlist, $p = array())
{
$p += array('short_expire' => true);
- $filenames = array_merge(itjs::filenames(join(",", (array)$fnlist)), array("/www/lib.search.ch/var/jquery-ui/dist/minified/jquery.ui.core.min.js", "/www/lib.search.ch/var/jquery/dist/jquery.min.js")); # jquery files included by lib/jquery.js
+ foreach (is_array($fnlist) ? $fnlist : itjs::filenames($fnlist) as $filename)
+ $filenames[] = !file_exists($filename) && file_exists($t = it::replace(array('^/www/[^/]*' => "/www/lib.search.ch"), $filename)) ? $t : $filename;
+
+ if (preg_grep('/jquery(build)\.js/', $filenames)) # jquery files may be included invisibly
+ $filenames = array_merge($filenames, array("/www/lib.search.ch/var/jquery-ui/dist/minified/core.min.js", "/www/lib.search.ch/var/jquery/dist/jquery.min.js"));
+
$key = "itjs_" . md5(join("", it::map('"$v" . @filemtime("$v")', $filenames)));
if ($p['short_expire'] && (time() - max(@array_map('filemtime', $filenames)) < 60))
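Review bot: `$filenames` is never initialised before the `foreach` appends to it, so when `$fnlist` is an empty array or `itjs::filenames()` returns nothing, the following `preg_grep`, `it::map` and `array_map('filemtime', $filenames)` calls receive `null`; an explicit `$filenames = array();` before the loop fixes that. The pattern `'/jquery(build)\.js/'` matches only `jquerybuild.js` because the group is mandatory; if plain `jquery.js` is also meant to pull in the jquery files (the removed comment referred to `lib/jquery.js`), the group needs a quantifier: `preg_grep('/jquery(build)?\.js/', $filenames)`. The fallback on the `$t =` line rewrites any `/www/<dir>` prefix to `/www/lib.search.ch`, which is acceptable for TRUSTED paths but deserves a why-comment such as `# fall back to the shared lib tree when the local copy is absent`. checksum() continues past the hunk.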
@@ -201,6 +208,9 @@ static function checksum($fnlist, $p = array())
return it_cache::get($key) ?: it_cache::put($key, substr(md5(self::filecontents($filenames, false)), 0, 10), array('ttl' => 60));
}
+/**
+ * Convert url or TRUSTED local path to url that triggers far future expire by appending c=checksum
+ */
function crcurl($url, $p = array())
{
if (it::match('^http', $url)) # remote url, must fetch to crc