Validate version/repo/arch in auth.php

nethesis · Jun 27, 2019 · bd952d4 · bd952d4
1 parent 5fd6204
commit bd952d4
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/porthos/root/srv/porthos/script/auth.php b/porthos/root/srv/porthos/script/auth.php
@@ -38,8 +38,10 @@
 // Disable the Content-Type header in PHP, so that nginx x-accel can add its own
 ini_set('default_mimetype', FALSE);
 
-// Mask any repo that does not belong to the site:
-if(! in_array($uri['repo'], $config['repositories'])) {
+// Mask any repo/version/arch that does not belong to the site:
+if(! in_array($uri['repo'], $config['repositories'])
+    || ! in_array($uri['version'], $config['versions'])
+    || ! in_array($uri['arch'], $config['arches'])) {
     exit_http(404);
 }
 
@@ -86,6 +88,8 @@
         'msg_severity' => 'notice',
         'server_id' => $_SERVER['PHP_AUTH_USER'],
         'repo' => $uri['repo'],
+        'version' => $uri['version'],
+        'arch' => $uri['arch'],
         'tier_id' => $uri['prefix'] == 'autoupdate' ? NULL : $tier_id,
         'tier_auto' => isset($hash),
         'tls' => isset($_SERVER['HTTPS']),