From 69e2d1dcff01abfb6b8f81bbf7d87914fd50636f Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Tue, 30 Oct 2012 14:27:11 +0100
Subject: Return 404 for invalid account/package subpages

Display an error page and return a 404 status code in the following
cases:

* An invalid package name is passed to the "packages" action.
* An invalid user name is passed to the "account" action.
* An invalid package action is passed.
* An invalid account action is passed.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/html/index.php | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/web/html/index.php b/web/html/index.php
index 422c0e5..3b46ab9 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -7,15 +7,21 @@ include_once("pkgfuncs.inc.php");
 $path = $_SERVER['PATH_INFO'];
 $tokens = explode('/', $path);
 
-if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
-	if (isset($tokens[2])) {
+if (!empty($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
+	if (!empty($tokens[2])) {
 		/* TODO: Create a proper data structure to pass variables from
 		 * the routing framework to the individual pages instead of
 		 * initializing arbitrary variables here. */
 		$pkgname = $tokens[2];
 		$pkgid = pkgid_from_name($pkgname);
 
-		if (isset($tokens[3])) {
+		if (!$pkgid) {
+			header("HTTP/1.0 404 Not Found");
+			include "./404.php";
+			return;
+		}
+
+		if (!empty($tokens[3])) {
 			if ($tokens[3] == 'voters') {
 				$_GET['ID'] = pkgid_from_name($tokens[2]);
 				include('voters.php');
@@ -49,6 +55,10 @@ if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 			case "merge":
 				include('pkgmerge.php');
 				return;
+			default:
+				header("HTTP/1.0 404 Not Found");
+				include "./404.php";
+				return;
 			}
 
 			if (isset($_COOKIE['AURSID'])) {
@@ -60,17 +70,25 @@ if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 	}
 
 	include get_route('/' . $tokens[1]);
-} elseif (isset($tokens[1]) && '/' . $tokens[1] == get_user_route()) {
-	if (isset($tokens[2])) {
-		$_REQUEST['U'] = $tokens[2];
+} elseif (!empty($tokens[1]) && '/' . $tokens[1] == get_user_route()) {
+	if (!empty($tokens[2])) {
+		$_REQUEST['ID'] = uid_from_username($tokens[2]);
 
-		if (isset($tokens[3])) {
+		if (!$_REQUEST['ID']) {
+			header("HTTP/1.0 404 Not Found");
+			include "./404.php";
+			return;
+		}
+
+		if (!empty($tokens[3])) {
 			if ($tokens[3] == 'edit') {
 				$_REQUEST['Action'] = "DisplayAccount";
 			} elseif ($tokens[3] == 'update') {
 				$_REQUEST['Action'] = "UpdateAccount";
 			} else {
-				$_REQUEST['Action'] = "AccountInfo";
+				header("HTTP/1.0 404 Not Found");
+				include "./404.php";
+				return;
 			}
 		} else {
 			$_REQUEST['Action'] = "AccountInfo";
-- 
cgit v1.2.3-54-g00ecf