From 69e2d1dcff01abfb6b8f81bbf7d87914fd50636f Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Tue, 30 Oct 2012 14:27:11 +0100
Subject: Return 404 for invalid account/package subpages

Display an error page and return a 404 status code in the following cases:

* An invalid package name is passed to the "packages" action.
* An invalid user name is passed to the "account" action.
* An invalid package action is passed.
* An invalid account action is passed.

Signed-off-by: Lukas Fleischer
---
 web/html/index.php | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

(limited to 'web')

diff --git a/web/html/index.php b/web/html/index.php
index 422c0e5..3b46ab9 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -7,15 +7,21 @@ include_once("pkgfuncs.inc.php");
 $path = $_SERVER['PATH_INFO'];
 $tokens = explode('/', $path);
 
-if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
- if (isset($tokens[2])) {
+if (!empty($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
+ if (!empty($tokens[2])) {
 /* TODO: Create a proper data structure to pass variables from
 * the routing framework to the individual pages instead of
 * initializing arbitrary variables here. */
 $pkgname = $tokens[2];
 $pkgid = pkgid_from_name($pkgname);
 
- if (isset($tokens[3])) {
+ if (!$pkgid) {
+ header("HTTP/1.0 404 Not Found");
+ include "./404.php";
+ return;
+ }
+
+ if (!empty($tokens[3])) {
 if ($tokens[3] == 'voters') {
 $_GET['ID'] = pkgid_from_name($tokens[2]);
 include('voters.php');
@@ -49,6 +55,10 @@ if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 case "merge":
 include('pkgmerge.php');
 return;
+ default:
+ header("HTTP/1.0 404 Not Found");
+ include "./404.php";
+ return;
 }
 
 if (isset($_COOKIE['AURSID'])) {
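Review bot: In the `voters` branch the package id is looked up a second time with `$_GET['ID'] = pkgid_from_name($tokens[2]);` even though `$pkgid` was computed from the same name and checked against false a few lines earlier; reuse it, `$_GET['ID'] = $pkgid;`, so the 404 decision and the voters page agree on the id and the lookup runs once. Separately, `!empty($tokens[2])` treats the literal path segment `0` as absent (PHP's `empty('0')` is true), so a request for `/packages/0` would skip the per-package branch rather than 404 — probably harmless here, but `isset($tokens[2]) && $tokens[2] !== ''` states the intent without that edge, and the same applies to the `$tokens[1]` and `$tokens[3]` tests. The enclosing `if` block continues past the end of the hunk.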
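Review bot: The new `default:` case is the third verbatim copy in this commit of the `header("HTTP/1.0 404 Not Found"); include "./404.php"; return;` sequence; a small shared helper (say a `send_404()` that sets the status and includes the page) would keep the status handling in one place, with the caveat that an `include` inside a function gives `404.php` the function's scope, so any variables the template expects would have to be passed in or declared global. Independently, the status line hardcodes `HTTP/1.0` regardless of the request's protocol; `header($_SERVER['SERVER_PROTOCOL'] . " 404 Not Found");` mirrors it, and `http_response_code(404)` is the cleaner form where the deployment's PHP is 5.4 or later. The `switch` this case belongs to begins before the hunk.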
@@ -60,17 +70,25 @@ if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 }
 
 include get_route('/' . $tokens[1]);
-} elseif (isset($tokens[1]) && '/' . $tokens[1] == get_user_route()) {
- if (isset($tokens[2])) {
- $_REQUEST['U'] = $tokens[2];
+} elseif (!empty($tokens[1]) && '/' . $tokens[1] == get_user_route()) {
+ if (!empty($tokens[2])) {
+ $_REQUEST['ID'] = uid_from_username($tokens[2]);
 
- if (isset($tokens[3])) {
+ if (!$_REQUEST['ID']) {
+ header("HTTP/1.0 404 Not Found");
+ include "./404.php";
+ return;
+ }
+
+ if (!empty($tokens[3])) {
 if ($tokens[3] == 'edit') {
 $_REQUEST['Action'] = "DisplayAccount";
 } elseif ($tokens[3] == 'update') {
 $_REQUEST['Action'] = "UpdateAccount";
 } else {
- $_REQUEST['Action'] = "AccountInfo";
+ header("HTTP/1.0 404 Not Found");
+ include "./404.php";
+ return;
 }
 } else {
 $_REQUEST['Action'] = "AccountInfo";
-- 
cgit v1.2.3-70-g09d2
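Review bot: `update` is still dispatched to `UpdateAccount` purely from a path segment, so a plain GET to `/account/<user>/update` reaches the account-update handler unless `account.php` itself enforces `$_SERVER['REQUEST_METHOD'] === 'POST'` and a CSRF token — neither check is visible from this hunk, so it is worth confirming that the new 404 for unknown actions is not the only gate on that path. The switch from `$_REQUEST['U'] = $tokens[2]` to `$_REQUEST['ID'] = uid_from_username($tokens[2])` also changes what the account pages receive; since `U` is no longer set by this route, confirm that the `AccountInfo`, `DisplayAccount` and `UpdateAccount` handlers read `ID` rather than `U`. The `elseif` branch continues past the end of the hunk.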