From 19d26f57562cd7b755f22ecdc76b0dadb30a2919 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Tue, 12 Jan 2016 15:38:49 +0100
Subject: separate between trusted and untrusted input, correct crcs of remote resources, report non-existing trusted resources
---
 itjs.class | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
(limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index 18c7a18..2be3842 100644
--- a/itjs.class
+++ b/itjs.class
@@ -112,6 +112,9 @@ static function encode($values)
 return $result;
 }
+/**
+ * Convert UNTRUSTED comma separated filelist string to trusted local filenames. Missing files are ignored.
+ */
 static function filenames($filelist)
 {
 $result = array();
@@ -133,7 +136,7 @@ static function filenames($filelist)
 $filenames = $special[$file] ?: (file_exists("$local/$file") ? "$local/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
- if (!$seen[$filename]++)
+ if (!$seen[$filename]++ && file_exists($filename))
 $result[] = $filename;
 }
@@ -141,7 +144,7 @@ static function filenames($filelist)
 }
 /**
- * Return (php-interpreted by default) files that will be sent to client
+ * Return (php-interpreted by default) files that will be sent to client. Files must exist.
 */
 static function filecontents($filenames, $execphp = true)
 {
@@ -154,8 +157,7 @@ static function filecontents($filenames, $execphp = true)
 list($filename, $paramstr) = explode("?", $filename);
 if ($paramstr && $execphp)
 parse_str($paramstr, $_GET);
- if (file_exists($filename))
- $result .= it::replace(array('^1$' => ""), $execphp ? include($filename) : file_get_contents($filename), array('utf8' => false));
+ $result .= it::replace(array('^1$' => ""), $execphp ? include($filename) : file_get_contents($filename), array('utf8' => false));
 $_GET = $origget;
 }
 $result .= ob_get_clean();
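Review bot: The docblock added for filenames() declares the result trusted but not what makes it so, and since this function is the trust boundary the whole commit relies on, a later edit to the matching loop could weaken it unnoticed. The body of filenames() lies outside this hunk; the enforcement is the whitelist `it::match("[-\w.=?&]+", basename($filelist), ...)` visible in the later hunks on this page (no directory separator survives it) plus the file_exists() checks against `$local` and `$libsearch/itjs`. Suggest appending a sentence to the docblock: ` * Output is trusted only because each entry is whitelisted to [-\w.=?&]+ on basename($filelist) and must exist under $local or $libsearch/itjs; keep both checks when editing.`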
@@ -185,14 +187,19 @@ static function strip($code)
 /**
 * Compute checksum for list of files
- * @param $fnlist Either comma separated url or array of filenames to calculate checksum for
+ * @param $fnlist Either comma separated UNTRUSTED url (will check itjs/ and lib.search.ch/itjs/) or array of TRUSTED filenames
 * @return Checksum for given files
 */
 static function checksum($fnlist, $p = array())
 {
 $p += array('short_expire' => true);
- $filenames = array_merge(itjs::filenames(join(",", (array)$fnlist)), array("/www/lib.search.ch/var/jquery-ui/dist/minified/jquery.ui.core.min.js", "/www/lib.search.ch/var/jquery/dist/jquery.min.js")); # jquery files included by lib/jquery.js
+ foreach (is_array($fnlist) ? $fnlist : itjs::filenames($fnlist) as $filename)
+ $filenames[] = !file_exists($filename) && file_exists($t = it::replace(array('^/www/[^/]*' => "/www/lib.search.ch"), $filename)) ? $t : $filename;
+
+ if (preg_grep('/jquery(build)\.js/', $filenames)) # jquery files may be included invisibly
+ $filenames = array_merge($filenames, array("/www/lib.search.ch/var/jquery-ui/dist/minified/core.min.js", "/www/lib.search.ch/var/jquery/dist/jquery.min.js"));
+
 $key = "itjs_" . md5(join("", it::map('"$v" . @filemtime("$v")', $filenames)));
 if ($p['short_expire'] && (time() - max(@array_map('filemtime', $filenames)) < 60))
@@ -201,6 +208,9 @@ static function checksum($fnlist, $p = array())
 return it_cache::get($key) ?: it_cache::put($key, substr(md5(self::filecontents($filenames, false)), 0, 10), array('ttl' => 60));
 }
+/**
+ * Convert url or TRUSTED local path to url that triggers far future expire by appending c=checksum
+ */
 function crcurl($url, $p = array())
 {
 if (it::match('^http', $url)) # remote url, must fetch to crc
--
cgit v1.2.3
From 9c14abfe4a94c03c6b4df26fb0e3d1c4350293bd Mon Sep 17 00:00:00 2001
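Review bot: `preg_grep('/jquery(build)\.js/', $filenames)` matches only names containing the literal `jquerybuild.js`, so a plain `jquery.js` — which the removed line's comment says pulls in the jquery files — no longer appends the two jquery paths, and the checksum will not change when those files change. If both spellings are meant, the group has to be optional: `if (preg_grep('/jquery(build)?\.js/', $filenames)) # jquery files may be included invisibly`. As written the pattern reads as intentional, so whichever way it goes the comment should name the filenames it is meant to match.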
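Review bot: The new docblock on crcurl() marks only the local-path form as TRUSTED, yet the context line `if (it::match('^http', $url)) # remote url, must fetch to crc` shows that the http form makes the server fetch the url, so an untrusted url is the riskier of the two inputs. Suggest ` * Convert TRUSTED url (remote urls are fetched server-side to compute the crc) or TRUSTED local path to url that triggers far future expire by appending c=checksum`. The body of crcurl() continues past the end of this hunk.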
From: Urban Müller
Date: Wed, 13 Jan 2016 13:44:46 +0100
Subject: handle empty filelist, handle scripts with query-args
---
 itjs.class | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index 2be3842..715247c 100644
--- a/itjs.class
+++ b/itjs.class
@@ -133,7 +133,7 @@ static function filenames($filelist)
 foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file) # split by comma but ignore illegal chars
 {
- $filenames = $special[$file] ?: (file_exists("$local/$file") ? "$local/$file" : "$libsearch/itjs/$file");
+ $filenames = $special[$file] ?: (file_exists("$local/" . it::match('[^?]*', $file)) ? "$local/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
 if (!$seen[$filename]++ && file_exists($filename))
@@ -194,6 +194,7 @@ static function checksum($fnlist, $p = array())
 {
 $p += array('short_expire' => true);
+ $filenames = array();
 foreach (is_array($fnlist) ? $fnlist : itjs::filenames($fnlist) as $filename)
 $filenames[] = !file_exists($filename) && file_exists($t = it::replace(array('^/www/[^/]*' => "/www/lib.search.ch"), $filename)) ? $t : $filename;
@@ -202,9 +203,9 @@ static function checksum($fnlist, $p = array())
 $key = "itjs_" . md5(join("", it::map('"$v" . @filemtime("$v")', $filenames)));
- if ($p['short_expire'] && (time() - max(@array_map('filemtime', $filenames)) < 60))
+ if ($filenames && $p['short_expire'] && (time() - max(@array_map('filemtime', $filenames)) < 60))
 return "-"; # trigger short expire, our file may not yet be up to date on other slaves
- else
+ else if ($filenames)
 return it_cache::get($key) ?: it_cache::put($key, substr(md5(self::filecontents($filenames, false)), 0, 10), array('ttl' => 60));
 }
--
cgit v1.2.3
From 14a2baa53b557c22d6fe4abca6864699c3161b72 Mon Sep 17 00:00:00 2001
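Review bot: With the added `$filenames &&` guards, an empty list now falls through both branches and checksum() returns null implicitly, which callers appending `c=checksum` will not expect and the `@return Checksum for given files` docblock does not mention. Make the empty case explicit with a guard placed before the mtime check, `if (!$filenames)` / `return null; # nothing to checksum`, keep the plain `else` on the second branch, and add `(null if no files)` to the @return line. That also keeps the two conditions from drifting apart the next time one of them is edited.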
From: Urban Müller
Date: Wed, 13 Jan 2016 13:57:58 +0100
Subject: bugfix: need to omit query everywhere
---
 itjs.class | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index 715247c..45b68de 100644
--- a/itjs.class
+++ b/itjs.class
@@ -136,7 +136,7 @@ static function filenames($filelist)
 $filenames = $special[$file] ?: (file_exists("$local/" . it::match('[^?]*', $file)) ? "$local/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
- if (!$seen[$filename]++ && file_exists($filename))
+ if (!$seen[$filename]++ && file_exists(it::match('[^?]*', $filename)))
 $result[] = $filename;
 }
--
cgit v1.2.3
From 9fe04aea4c1b245a8f8750729df826b82bdedde4 Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Wed, 13 Jan 2016 14:19:35 +0100
Subject: Anchor regex for my peace of mind
---
 itjs.class | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index 45b68de..0a57465 100644
--- a/itjs.class
+++ b/itjs.class
@@ -133,10 +133,10 @@ static function filenames($filelist)
 foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file) # split by comma but ignore illegal chars
 {
- $filenames = $special[$file] ?: (file_exists("$local/" . it::match('[^?]*', $file)) ? "$local/$file" : "$libsearch/itjs/$file");
+ $filenames = $special[$file] ?: (file_exists("$local/" . it::match('^[^?]*', $file)) ? "$local/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
- if (!$seen[$filename]++ && file_exists(it::match('[^?]*', $filename)))
+ if (!$seen[$filename]++ && file_exists(it::match('^[^?]*', $filename)))
 $result[] = $filename;
 }
--
cgit v1.2.3
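Review bot: In the last commit's hunk, `file_exists(it::match('^[^?]*', $filename))` (and the `file_exists("$local/" . ...)` check two lines above it) also accept directories, and the whitelist `[-\w.=?&]+` on the foreach line admits `.` and `..`, so a filelist of `..` yields `$local/..` as a "trusted" filename (when `$local` exists) that later reaches include()/file_get_contents() in filecontents(). Replacing both existence checks with is_file() rejects directories without touching the query stripping this commit anchors: `$filenames = $special[$file] ?: (is_file("$local/" . it::match('^[^?]*', $file)) ? "$local/$file" : "$libsearch/itjs/$file");` and `if (!$seen[$filename]++ && is_file(it::match('^[^?]*', $filename)))`. Entries coming from `$special[$file]` skip the first check but still pass through the second, so the change covers them too. filenames() starts before and ends after this hunk.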