diff options
author | Malf Furious <m@lfurio.us> | 2017-04-20 01:45:06 -0400 |
---|---|---|
committer | Malf Furious <m@lfurio.us> | 2017-04-20 01:45:06 -0400 |
commit | d7442e00b8ee277938adaca3b83f814e0d67b432 (patch) | |
tree | d4c2d942535fe1ccc1ade89e99d8fdfeb69c6723 | |
parent | 8256cbd7976d463ddfd31660995540a9c8adc315 (diff) | |
download | scrott-d7442e00b8ee277938adaca3b83f814e0d67b432.tar.gz scrott-d7442e00b8ee277938adaca3b83f814e0d67b432.zip |
Add dynamic file proxy script
Entry point df.php, meaning dynamic file or direct file, added as a
means of serving user-supplied content while enforcing access-controls
in PHP.
Diffstat (limited to '')
-rw-r--r-- | app/df.php | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/app/df.php b/app/df.php new file mode 100644 index 0000000..a425d57 --- /dev/null +++ b/app/df.php @@ -0,0 +1,102 @@ +<?php + +/* + * SCROTT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR + * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + * OTHER DEALINGS IN THE SOFTWARE. + * + * For more information, please refer to UNLICENSE + */ + +require_once "class/user.class.php"; + +/* + * This file is a proxy script for fetching resources from the /dynmic + * directory. This script enforces access-control on HTTP objects such + * as images and flat files which are supplied by users. + * + * Example request: + * https://yourdomain.com/scrott/df.php?d=heads&f=a4bf903a + * + * In cases of error or lack of access privilege, this script will + * produce no output and fail silently. + */ + +/* + * Serve the resource at the given URI in response to the current + * request. When finished, this function will exit PHP and terminate + * this script. + */ +function serveResource(string $uri) : void +{ + $f = fopen($uri, "rb"); + + if (!$f) + exit; + + header("Content-type: " . mime_content_type($uri)); + header("Content-length: " . filesize($uri)); + fpassthru($f); + fclose($f); + + exit; +} + +/* + * Check the current user's permissions. User must have access + * rights for the file's object, unless that object is a user + * object and $allowHeadUser is set to true. + */ +function checkPermissions(string $guid, bool $allowHeadUser = false) : bool +{ + if (!($user = user::getCurrent())) + return false; + + $obj = new object($guid); + + if ($allowHeadUser && $obj->objtype == "user") + return true; + + return $user->canAccess($obj); +} + +/* + * Respond to users' requests for dynamic files + */ +function main(string $dir, string $guid) : void +{ + try + { + if (basename($guid) != $guid || $guid == "") + return; + + if (!checkPermissions($guid, $dir == "heads")) + return; + + switch ($dir) + { + case "heads": + if (file_exists("dynmic/heads/" . $guid)) + serveResource("dynmic/heads/" . $guid); + else + serveResource("static/img/null.jpg"); + break; + + case "bgs": + serveResource("dynmic/bgs/" . $guid); + break; + } + } + catch (Exception $e) + { + /* fail silently */ + } +} + +main($_REQUEST['d'], $_REQUEST['f']); + +?> |