From d7442e00b8ee277938adaca3b83f814e0d67b432 Mon Sep 17 00:00:00 2001
From: Malf Furious <m@lfurio.us>
Date: Thu, 20 Apr 2017 01:45:06 -0400
Subject: Add dynamic file proxy script

Entry point df.php, meaning dynamic file or direct file, added as a
means of serving user-supplied content while enforcing access-controls
in PHP.
---
 app/df.php | 102 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 app/df.php

(limited to 'app/df.php')

diff --git a/app/df.php b/app/df.php
new file mode 100644
index 0000000..a425d57
--- /dev/null
+++ b/app/df.php
@@ -0,0 +1,102 @@
+<?php
+
+/*
+ * SCROTT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * For more information, please refer to UNLICENSE
+ */
+
+require_once "class/user.class.php";
+
+/*
+ * This file is a proxy script for fetching resources from the /dynmic
+ * directory.  This script enforces access-control on HTTP objects such
+ * as images and flat files which are supplied by users.
+ *
+ * Example request:
+ * https://yourdomain.com/scrott/df.php?d=heads&f=a4bf903a
+ *
+ * In cases of error or lack of access privilege, this script will
+ * produce no output and fail silently.
+ */
+
+/*
+ * Serve the resource at the given URI in response to the current
+ * request.  When finished, this function will exit PHP and terminate
+ * this script.
+ */
+function serveResource(string $uri) : void
+{
+    $f = fopen($uri, "rb");
+
+    if (!$f)
+        exit;
+
+    header("Content-type: " . mime_content_type($uri));
+    header("Content-length: " . filesize($uri));
+    fpassthru($f);
+    fclose($f);
+
+    exit;
+}
+
+/*
+ * Check the current user's permissions.  User must have access
+ * rights for the file's object, unless that object is a user
+ * object and $allowHeadUser is set to true.
+ */
+function checkPermissions(string $guid, bool $allowHeadUser = false) : bool
+{
+    if (!($user = user::getCurrent()))
+        return false;
+
+    $obj = new object($guid);
+
+    if ($allowHeadUser && $obj->objtype == "user")
+        return true;
+
+    return $user->canAccess($obj);
+}
+
+/*
+ * Respond to users' requests for dynamic files
+ */
+function main(string $dir, string $guid) : void
+{
+    try
+    {
+        if (basename($guid) != $guid || $guid == "")
+            return;
+
+        if (!checkPermissions($guid, $dir == "heads"))
+            return;
+
+        switch ($dir)
+        {
+            case "heads":
+                if (file_exists("dynmic/heads/" . $guid))
+                    serveResource("dynmic/heads/" . $guid);
+                else
+                    serveResource("static/img/null.jpg");
+                break;
+
+            case "bgs":
+                serveResource("dynmic/bgs/" . $guid);
+                break;
+        }
+    }
+    catch (Exception $e)
+    {
+        /* fail silently */
+    }
+}
+
+main($_REQUEST['d'], $_REQUEST['f']);
+
+?>
-- 
cgit v1.2.3