
source: inc/load_plugin_file.php @ 3022:4e016e87d540

Revision 3022:4e016e87d540, 2.7 KB checked in by Nicolas <nikrou77@…>, 10 years ago (diff)

filter $_GETv? for load_plugin

1<?php
2# -- BEGIN LICENSE BLOCK ---------------------------------------
3#
4# This file is part of Dotclear 2.
5#
6# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
7# Licensed under the GPL version 2.0 license.
8# See LICENSE file or
9# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
10#
11# -- END LICENSE BLOCK -----------------------------------------
12
#  ClearBricks and Dotclear classes auto-loader.
#
#  CLEARBRICKS_PATH is taken from the first of three candidates that is an
#  existing directory: a system-wide install, the copy bundled under
#  inc/libs, or a location handed in by the web server environment.
#
#  NOTE(review): $_SERVER['CLEARBRICKS_PATH'] is a server-configured
#  variable (SetEnv / fastcgi_param style), not request data, and the
#  resulting path is require'd below. It must only ever be populated from
#  trusted server configuration — confirm the deployment cannot let a client
#  influence it.
$cb_bundled = dirname(__FILE__).'/libs/clearbricks';

if (@is_dir('/usr/lib/clearbricks')) {
     # '@': a hidden system path may be unreadable / outside open_basedir.
     define('CLEARBRICKS_PATH','/usr/lib/clearbricks');
} elseif (is_dir($cb_bundled)) {
     define('CLEARBRICKS_PATH',$cb_bundled);
} elseif (isset($_SERVER['CLEARBRICKS_PATH']) && is_dir($_SERVER['CLEARBRICKS_PATH'])) {
     define('CLEARBRICKS_PATH',$_SERVER['CLEARBRICKS_PATH']);
}
unset($cb_bundled);

# Nothing usable found: stop before anything is required.
if (!(defined('CLEARBRICKS_PATH') && is_dir(CLEARBRICKS_PATH))) {
     exit('No clearbricks path defined');
}

require CLEARBRICKS_PATH.'/_common.php';
27
# Location of the Dotclear configuration file.
#
# The web server may point at it through the DC_RC_PATH environment variable;
# the REDIRECT_DC_RC_PATH form is honoured too (presumably the name such a
# variable takes after an internal redirect — verify against the server
# setup). Without either, config.php next to this file is used.
#
# NOTE(review): this value is require'd, so — like CLEARBRICKS_PATH above —
# it must come from server configuration only, never from anything a client
# controls.
if (isset($_SERVER['DC_RC_PATH'])) {
     $dc_rc = $_SERVER['DC_RC_PATH'];
} elseif (isset($_SERVER['REDIRECT_DC_RC_PATH'])) {
     $dc_rc = $_SERVER['REDIRECT_DC_RC_PATH'];
} else {
     $dc_rc = dirname(__FILE__).'/config.php';
}
define('DC_RC_PATH',$dc_rc);
unset($dc_rc);

if (!is_file(DC_RC_PATH)) {
     # E_USER_ERROR normally aborts the script; the explicit exit covers
     # error handlers that swallow it.
     trigger_error('Unable to open config file',E_USER_ERROR);
     exit;
}

require DC_RC_PATH;
42
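# Request validation.
#
# "pf" is the plugin-relative path of the asset to serve and is the only
# parameter this endpoint understands. It must be a non-empty *string*: a
# request such as "?pf[]=x" makes $_GET['pf'] an array, which the path
# helpers further down are not written for. Treat that exactly like a
# missing parameter (404) instead of letting it fall through.
if (empty($_GET['pf']) || !is_string($_GET['pf'])) {
     header('Content-Type: text/plain');
     http::head(404,'Not Found');
     exit;
}

# "v" is a version token put in the URL to bypass browser caches after a
# Dotclear upgrade or in dev mode. Its value is irrelevant; it is dropped
# here so the "only pf" rule below still holds when it is present.
if (isset($_GET['v'])) {
     unset($_GET['v']);
}

# Only $_GET['pf'] is allowed in the URL: any other parameter is refused.
if (count($_GET) > 1) {
     header('Content-Type: text/plain');
     http::head(403,'Forbidden');
     exit;
}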
63
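# Asset types that may be served.
#
# Files are only ever looked up inside the plugin roots (DC_PLUGINS_ROOT) and
# the bundled inc/{swf,js,css} folders, so this list restricts *which* files
# of an installed plugin are exposed (no .php sources, no templates, no
# config) — it says nothing about the content of those files, which is
# already trusted as plugin code.
$allow_types = array('png','jpg','jpeg','gif','css','js','swf','svg');

$pf = path::clean($_GET['pf']);

# Search order: plugin roots (last entry of DC_PLUGINS_ROOT first), then the
# core folders shipped next to this file.
$paths = array_reverse(explode(PATH_SEPARATOR,DC_PLUGINS_ROOT));
$paths[] = dirname(__FILE__).'/swf';
$paths[] = dirname(__FILE__).'/js';
$paths[] = dirname(__FILE__).'/css';

$PF = false;
foreach ($paths as $m)
{
     $root = path::real($m);
     if ($root === false) {
          continue;
     }

     $candidate = path::real($m.'/'.$pf);
     if ($candidate === false) {
          continue;
     }

     # Defence in depth: whatever path::clean strips from $pf, the resolved
     # file must sit strictly below the root it was looked up in. Both sides
     # are normalised by the same path::real call, so the prefix comparison
     # is consistent. A candidate that escaped its root is skipped, not served.
     if (strpos($candidate,rtrim($root,'/').'/') !== 0) {
          continue;
     }

     $PF = $candidate;
     break;
}
unset($paths,$root,$candidate);

if ($PF === false || !is_file($PF) || !is_readable($PF)) {
     header('Content-Type: text/plain');
     http::head(404,'Not Found');
     exit;
}

# Extension allow-list. A disallowed type gets the same 404 as a missing
# file, so the status code does not reveal whether the file exists.
if (!in_array(files::getExtension($PF),$allow_types,true)) {
     header('Content-Type: text/plain');
     http::head(404,'Not Found');
     exit;
}

# One week of client-side caching for assets served through ?pf=… (the old
# two hours was too short). The cache validator is computed over the asset
# plus every PHP file included so far — presumably so a code upgrade also
# invalidates cached copies.
http::$cache_max_age = 7 * 24 * 60 * 60;
http::cache(array_merge(array($PF),get_included_files()));

header('Content-Type: '.files::getMimeType($PF));
header('Content-Length: '.filesize($PF));
# Make browsers honour the declared type: prevents content sniffing from
# turning e.g. a JS/CSS/SVG asset into something it was not served as.
header('X-Content-Type-Options: nosniff');
readfile($PF);
exit;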
