Changeset db52218 in github


Timestamp:
Aug 12, 2009 6:44:46 AM (4 years ago)
Author:
thomascube <thomas@…>
Branches:
master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8
Children:
aa38e54
Parents:
7596968
Message:

Improve security of modcss.php by setting socket timeouts and adding more sanity checks (URL scheme, HTTP status, Content-Type)

File:
1 edited

  • bin/modcss.php

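--- a/bin/modcss.php
+++ b/bin/modcss.php
@@ -34,5 +34,5 @@
 }
 
-$url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u']);
+$url = preg_replace('![^a-z0-9:./\-_?$&=%]!i', '', $_GET['u']);
 if ($url === null) {
     header('HTTP/1.1 403 Forbidden');
@@ -46,5 +46,13 @@
 $path  = $a_uri['path'] . ($a_uri['query'] ? '?'.$a_uri['query'] : '');
 
-if (!($fp = fsockopen($host, $port, $errno, $errstr, 30))) {
+// don't allow any other connections than http(s)
+if (strtolower(substr($a_uri['scheme'], 0, 4)) != 'http') {
+    header('HTTP/1.1 403 Forbidden');
+    echo "Invalid URL";
+    exit;
+}
+
+// try to open socket connection
+if (!($fp = fsockopen($host, $port, $errno, $error, 15))) {
     header('HTTP/1.1 500 Internal Server Error');
     echo $error;
@@ -52,4 +60,8 @@
 }
 
+// set timeout for socket
+stream_set_timeout($fp, 30);
+
+// send request
 $out  = "GET $path HTTP/1.0\r\n";
 $out .= "Host: $host\r\n";
@@ -57,15 +69,24 @@
 fwrite($fp, $out);
 
+// read response
 $header = true;
+$headers = array();
 while (!feof($fp)) {
     $line = trim(fgets($fp, 4048));
 
-    if ($header
-        && preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs)
-        && intval($regs[1]) != 200) {
-        break;
-    } else if (empty($line) && $header) {
-        $header = false;
-    } else if (!$header) {
+    if ($header) {
+        if (preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs)
+            && intval($regs[1]) != 200) {
+            break;
+        }
+        else if (empty($line)) {
+            $header = false;
+        }
+        else {
+            list($key, $value) = explode(': ', $line);
+            $headers[strtolower($key)] = $value;
+        }
+    }
+    else {
         $source .= "$line\n";
     }
@@ -73,13 +94,13 @@
 fclose($fp);
 
-if (!empty($source)) {
+// check content-type header and mod styles
+$mimetype = strtolower($headers['content-type']);
+if (!empty($source) && in_array($mimetype, array('text/css','text/plain'))) {
     header('Content-Type: text/css');
-    echo rcmail_mod_css_styles(
-        $source,
-        preg_replace('/[^a-z0-9]/i', '', $_GET['c']),
-        $url
-    );
+    echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']));
     exit;
 }
+else
+    $error = "Invalid response returned by server";
 
 header('HTTP/1.0 404 Not Found');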
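Review bot: The `stream_set_timeout($fp, 30)` added before the request only bounds each individual read, so the `while (!feof($fp))` loop still lets a remote server that trickles a byte every few seconds hold the request open indefinitely and grow `$source` without limit until memory_limit aborts the script; an overall deadline and a size cap on the buffered body are needed alongside the per-read timeout. The new Content-Type check compares the raw header value, so a perfectly ordinary `text/css; charset=utf-8` response is rejected by `in_array` and ends in the 404 branch, and a response with no Content-Type header at all raises an undefined-index notice — strip parameters and guard the lookup first. The header split `list($key, $value) = explode(': ', $line);` emits a notice on any header line without `': '`; `explode(':', $line, 2)` with `trim()` on the value is more tolerant. Nothing in this hunk restricts `$host` (its derivation from `$a_uri` lies outside the hunk, as does the start of the script), so the script presumably still fetches from any host the web server can reach, including loopback and private ranges; the Content-Type filter narrows what is echoed back but does not stop the request being made.
```php
// … unchanged: scheme check, fsockopen, request …
stream_set_timeout($fp, 30);
$deadline = time() + 30;   // overall budget; stream_set_timeout() only bounds each read
$max_size = 512 * 1024;    // cap on buffered response body

// read response
$header = true;
$headers = array();
$source = '';
while (!feof($fp) && time() < $deadline && strlen($source) < $max_size) {
    $line = trim(fgets($fp, 4048));
    // … unchanged: status / header / body handling …
}
fclose($fp);

// check content-type header and mod styles
$mimetype = isset($headers['content-type'])
    ? strtolower(trim(strtok($headers['content-type'], ';')))
    : '';
```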