From 4d3e23b70022a320ae077acf5d0c333d1b68683a Mon Sep 17 00:00:00 2001
From: oyvind Gjesdal <oyvind@localhost.localdomain>
Date: Fri, 9 Jul 2021 22:01:54 +0200
Subject: [PATCH] add check for static dir and static/img

---
 classes/modules/staticModule.php | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/classes/modules/staticModule.php b/classes/modules/staticModule.php
index 203a8619..51f51ec2 100644
--- a/classes/modules/staticModule.php
+++ b/classes/modules/staticModule.php
@@ -25,7 +25,16 @@ class StaticModule extends abstractModule{
   	global $acceptContentType;
   	global $endpoints;
   	global $lodspk;  
-      $filenamearray =explode(".",$file);
+      
+  	$staticdir = realpath($conf['static']['directory']);
+    $imgdir = realpath($conf['static']['directory'] . "img");
+    $resourcepath = realpath($conf['static']['directory'].$file);
+
+    // static resources should be in static or img dir (img may be symlinked)
+    if (not(strpos($resourcepath, $staticdir)=== 0 or strpos($resourcepath, $imgdir)=== 0)) {
+    	HTTPStatus::send404($file); // send404 calls exit();//
+        }
+        $filenamearray =explode(".",$file);
   	$extension = end($filenamearray);
   	$ct = $this->getContentType($extension);
   	header("Content-type: ".$ct);
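Review bot: `not(...)` in the added guard is neither a PHP operator nor a built-in function, so the first request for a static file dies with "Call to undefined function not()" before the check ever runs; negation in PHP is `!`. The containment test is also too loose: `strpos($resourcepath, $staticdir) === 0` accepts any sibling path that merely shares the prefix (a `static-old` directory beside `static`), so the comparison should be against `$dir . DIRECTORY_SEPARATOR` or exact equality. `realpath()` returns `false` for a missing file or directory, and a `false` resource path or base directory should be rejected explicitly rather than coerced into a string for `strpos`. The `"img"` suffix is appended with no separator, which works only because the configured directory already ends in a slash, as the existing `$conf['static']['directory'].$file` concatenation assumes; the enclosing method's signature lies outside this hunk.

```php
$staticdir = realpath($conf['static']['directory']);
$imgdir = realpath($conf['static']['directory'] . "img");
$resourcepath = realpath($conf['static']['directory'] . $file);

// A resolved path is inside $dir only when it is $dir itself or starts with "$dir/";
// a bare prefix test would also accept sibling directories sharing the name prefix.
$inside = function ($dir) use ($resourcepath) {
    return $dir !== false && $resourcepath !== false
        && ($resourcepath === $dir
            || strpos($resourcepath, $dir . DIRECTORY_SEPARATOR) === 0);
};

// static resources should be in static or img dir (img may be symlinked)
if (!$inside($staticdir) && !$inside($imgdir)) {
    HTTPStatus::send404($file); // send404 calls exit();
}
// … unchanged: extension / content-type handling …
```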
@@ -34,6 +43,7 @@ class StaticModule extends abstractModule{
   	  Logging::log("In ".$conf['static']['directory']." static file $file");
 	  }
 	  $htmlExtension = 'html';
+          
 	  if($conf['static']['haanga'] && substr_compare($file, $htmlExtension, -strlen($htmlExtension), strlen($htmlExtension)) === 0){
 	    $lodspk['home'] = $conf['basedir'];
 	    $lodspk['baseUrl'] = $conf['basedir'];
@@ -46,14 +56,12 @@ class StaticModule extends abstractModule{
   	  $lodspk['local']['value'] = $localUri;
   	  $lodspk['local']['curie'] = Utils::uri2curie($localUri);
 	    $lodspk['contentType'] = $acceptContentType;
-	    $lodspk['endpoint'] = $conf['endpoint'];	    
-	    $lodspk['type'] = $modelFile;
-	    $lodspk['header'] = $prefixHeader;
+	    $lodspk['endpoint'] = $conf['endpoint'];
 	    $lodspk['baseUrl'] = $conf['basedir'];
-	    
+
 	    Utils::processDocument($conf['static']['directory'].$file, $lodspk, null);    	  
   	}else{
-  	  echo file_get_contents($conf['static']['directory'].$file);
+  	   echo file_get_contents($conf['static']['directory'].$file);
   	}
   }
   
-- 
GitLab