From bd952d440937980d098afeeae39fb154ed58b57e Mon Sep 17 00:00:00 2001
From: Davide Principi <davide.principi@nethesis.it>
Date: Thu, 27 Jun 2019 13:03:39 +0200
Subject: [PATCH] Validate version/repo/arch in auth.php

---
 porthos/root/srv/porthos/script/auth.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/porthos/root/srv/porthos/script/auth.php b/porthos/root/srv/porthos/script/auth.php
index 4bd9276..c35568f 100644
--- a/porthos/root/srv/porthos/script/auth.php
+++ b/porthos/root/srv/porthos/script/auth.php
@@ -38,8 +38,10 @@
 // Disable the Content-Type header in PHP, so that nginx x-accel can add its own
 ini_set('default_mimetype', FALSE);
 
-// Mask any repo that does not belong to the site:
-if(! in_array($uri['repo'], $config['repositories'])) {
+// Mask any repo/version/arch that does not belong to the site:
+if(! in_array($uri['repo'], $config['repositories'])
+    || ! in_array($uri['version'], $config['versions'])
+    || ! in_array($uri['arch'], $config['arches'])) {
     exit_http(404);
 }
 
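Review bot: The three new `in_array` calls on the allow-list check use loose comparison, so a numeric-looking version or arch from the URI can match a config entry it is not byte-equal to (for example `'7'` and `'7.0'` compare equal under `==`), letting a request past the mask with a value that differs from the configured one. Since these values come from the request path, pass `strict: true` on each call: `if(! in_array($uri['repo'], $config['repositories'], true)`, `|| ! in_array($uri['version'], $config['versions'], true)`, `|| ! in_array($uri['arch'], $config['arches'], true)) {`. It is not visible in the hunk whether the URI parser guarantees the `version` and `arch` keys exist; if it does not, an absent key produces a notice and `null`, which would also be worth rejecting explicitly with a `?? ''` or an `isset` guard before the check.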
@@ -86,6 +88,8 @@
         'msg_severity' => 'notice',
         'server_id' => $_SERVER['PHP_AUTH_USER'],
         'repo' => $uri['repo'],
+        'version' => $uri['version'],
+        'arch' => $uri['arch'],
         'tier_id' => $uri['prefix'] == 'autoupdate' ? NULL : $tier_id,
         'tier_auto' => isset($hash),
         'tls' => isset($_SERVER['HTTPS']),