Oyvind.Gjesdal · d5fe2b0b · e7588ceb · 6216e485 · 4d3e23b7 · 6e00b2c7
--- a/classes/modules/staticModule.php

+ 28

− 10
+++ b/classes/modules/staticModule.php

+ 28

− 10
 @@ -24,8 +24,9 @@ class StaticModule extends abstractModule{
  	global $uri;
  	global $acceptContentType;
  	global $endpoints;
-  	global $lodspk;  
-      $filenamearray =explode(".",$file);
+  	global $lodspk;
+    $this->validateDirectory($conf, $file);
+		$filenamearray =explode(".",$file);
  	$extension = end($filenamearray);
  	$ct = $this->getContentType($extension);
  	header("Content-type: ".$ct);
 @@ -34,6 +35,7 @@ class StaticModule extends abstractModule{
  	  Logging::log("In ".$conf['static']['directory']." static file $file");
 	  }
 	  $htmlExtension = 'html';
+          
 	  if($conf['static']['haanga'] && substr_compare($file, $htmlExtension, -strlen($htmlExtension), strlen($htmlExtension)) === 0){
 	    $lodspk['home'] = $conf['basedir'];
 	    $lodspk['baseUrl'] = $conf['basedir'];
 @@ -46,14 +48,12 @@ class StaticModule extends abstractModule{
  	  $lodspk['local']['value'] = $localUri;
  	  $lodspk['local']['curie'] = Utils::uri2curie($localUri);
 	    $lodspk['contentType'] = $acceptContentType;
-	    $lodspk['endpoint'] = $conf['endpoint'];	    
-	    $lodspk['type'] = $modelFile;
-	    $lodspk['header'] = $prefixHeader;
+	    $lodspk['endpoint'] = $conf['endpoint'];
 	    $lodspk['baseUrl'] = $conf['basedir'];
-	    
+
 	    Utils::processDocument($conf['static']['directory'].$file, $lodspk, null);    	  
  	}else{
-  	  echo file_get_contents($conf['static']['directory'].$file);
+  	   echo file_get_contents($conf['static']['directory'].$file);
  	}
  }
  
 @@ -87,8 +87,26 @@ class StaticModule extends abstractModule{
   }
   return ""; //empty string seems to work fine with browsers
  }
-  
-  
+
+	/**
+	 * Validate that resource directory is valid and safe to use.
+	 *
+	 * @param array $conf
+   *   Global configuration.
+   * @param $file
+	 *
+	 * @return void
+	 */
+  private function validateDirectory(array $conf, $file): void
+	{
+		$staticdir = realpath($conf['static']['directory']);
+		$imgdir = realpath($conf['static']['directory'] . "img");
+		$resourcepath = realpath($conf['static']['directory'].$file);
+
+		// static resources should be in static or img dir (img may be symlinked, check realpath of img as well)
+		if (strpos($resourcepath, $staticdir)!== 0 and strpos($resourcepath, $imgdir)!== 0) {
+			HTTPStatus::send404($file); // send404 calls exit();//
+		}
+	}
  
 }
-?>