Switch makePathSafe to use native realpath()

2023-08-18 13:19:41 -04:00 · 2023-08-18 13:19:41 -04:00 · 7b4b4306a6
commit 7b4b4306a6
parent 1d03eee56e
3 changed files with 9 additions and 30 deletions
--- a/ajax/showcomic.php
+++ b/ajax/showcomic.php
@ -5,16 +5,18 @@ require '../header.php';
 require_login();

 if ( isset($_REQUEST['comic']) ) {
-   $comic = makePathSafe(base64_decode(urldecode(($_REQUEST['comic']))));
-   $comicfull = COMICSDIR . $comic;
+   $comicfull = realpath(COMICSDIR . base64_decode(urldecode($_REQUEST['comic'])));
+   if ( $comicfull === false ) exit();
+   if ( substr($comicfull, 0, strlen(COMICSDIR)) != COMICSDIR ) exit();
+   $comic = substr($comicfull, strlen(COMICSDIR));
   $comicoutputurl = "comics" . str_replace("#", "", $comic) . "/";
   $comicoutputfull = "../" . EXTRACTSDIR . str_replace("#", "", $comic) . "/";
 } else {
   exit();
 }

-$ext = strtolower(substr($comic, -3));
-$_SESSION['comfile'] = basename($comic);
+$ext = strtolower(substr($comicfull, -3));
+$_SESSION['comfile'] = basename($comicfull);

 $data = array();

--- a/downloadcomic.php
+++ b/downloadcomic.php
@ -5,8 +5,9 @@ require 'header.php';
 require_login();

 if ( isset($_REQUEST['comic']) ) {
-   $comic = makePathSafe(base64_decode(urldecode(($_REQUEST['comic']))));
-   $comicfull = COMICSDIR . $comic;
+   $comicfull = realpath(COMICSDIR . base64_decode(urldecode($_REQUEST['comic'])));
+   if ( $comicfull === false ) exit();
+   if ( substr($comicfull, 0, strlen(COMICSDIR)) != COMICSDIR ) exit();
 } else {
   exit();
 }
--- a/functions.php
+++ b/functions.php
@ -5,30 +5,6 @@ function microtime_float() {
   return ((float)$usec + (float)$sec);
 }

-function makePathSafe($path = "") {
-   if ( $path == "" ) return "";
-   // Stick forward slashes on the ends to make matching more consistent
-   $path = "/" . $path . "/";
-   // Remove all instances of dots between forward slashes
-   while ( preg_match("/\/\.{0,}\//", $path) ) {
-      $path = preg_replace("/\/\.{0,}\//", "/", $path);
-   }
-   // Replace all instances of two consecutive forward slashes
-   while ( strpos($path, "//") !== false ) {
-      $path = str_replace("//", "/", $path);
-   }
-   // Remove all leading forward slashes
-   while ( substr($path, 0, 1) == '/' ) {
-      $path = substr($path, 1);
-   }
-   // Remove all trailing forward slashes
-   while ( substr($path, -1) == '/' ) {
-      $path = substr($path, 0, strlen($path)-1);
-   }
-   $path = "/" . $path;
-   return $path;
-}
-
 function makeThumb($item = "") {
   if ( $item == "" ) { return false; }
   if ( is_dir($item) ) {