diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-10-30 14:27:11 +0100 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-10-30 14:56:43 +0100 |
commit | 69e2d1dcff01abfb6b8f81bbf7d87914fd50636f (patch) | |
tree | 1e8ae319bee28629d567079f4e582677e16240a3 /web | |
parent | 9fd4845d16e41bf88535f77f627202f25b6d2112 (diff) | |
download | aurweb-69e2d1dcff01abfb6b8f81bbf7d87914fd50636f.tar.xz |
Return 404 for invalid account/package subpages
Display an error page and return a 404 status code in the following
cases:
* An invalid package name is passed to the "packages" action.
* An invalid user name is passed to the "account" action.
* An invalid package action is passed.
* An invalid account action is passed.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web')
-rw-r--r-- | web/html/index.php | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/web/html/index.php b/web/html/index.php index 422c0e5..3b46ab9 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -7,15 +7,21 @@ include_once("pkgfuncs.inc.php"); $path = $_SERVER['PATH_INFO']; $tokens = explode('/', $path); -if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) { - if (isset($tokens[2])) { +if (!empty($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) { + if (!empty($tokens[2])) { /* TODO: Create a proper data structure to pass variables from * the routing framework to the individual pages instead of * initializing arbitrary variables here. */ $pkgname = $tokens[2]; $pkgid = pkgid_from_name($pkgname); - if (isset($tokens[3])) { + if (!$pkgid) { + header("HTTP/1.0 404 Not Found"); + include "./404.php"; + return; + } + + if (!empty($tokens[3])) { if ($tokens[3] == 'voters') { $_GET['ID'] = pkgid_from_name($tokens[2]); include('voters.php'); @@ -49,6 +55,10 @@ if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) { case "merge": include('pkgmerge.php'); return; + default: + header("HTTP/1.0 404 Not Found"); + include "./404.php"; + return; } if (isset($_COOKIE['AURSID'])) { @@ -60,17 +70,25 @@ if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) { } include get_route('/' . $tokens[1]); -} elseif (isset($tokens[1]) && '/' . $tokens[1] == get_user_route()) { - if (isset($tokens[2])) { - $_REQUEST['U'] = $tokens[2]; +} elseif (!empty($tokens[1]) && '/' . $tokens[1] == get_user_route()) { + if (!empty($tokens[2])) { + $_REQUEST['ID'] = uid_from_username($tokens[2]); - if (isset($tokens[3])) { + if (!$_REQUEST['ID']) { + header("HTTP/1.0 404 Not Found"); + include "./404.php"; + return; + } + + if (!empty($tokens[3])) { if ($tokens[3] == 'edit') { $_REQUEST['Action'] = "DisplayAccount"; } elseif ($tokens[3] == 'update') { $_REQUEST['Action'] = "UpdateAccount"; } else { - $_REQUEST['Action'] = "AccountInfo"; + header("HTTP/1.0 404 Not Found"); + include "./404.php"; + return; } } else { $_REQUEST['Action'] = "AccountInfo"; |