From bd952d440937980d098afeeae39fb154ed58b57e Mon Sep 17 00:00:00 2001
From: Davide Principi <davide.principi@nethesis.it>
Date: Thu, 27 Jun 2019 13:03:39 +0200
Subject: [PATCH] Validate version/repo/arch in auth.php

---
 porthos/root/srv/porthos/script/auth.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/porthos/root/srv/porthos/script/auth.php b/porthos/root/srv/porthos/script/auth.php
index 4bd9276..c35568f 100644
--- a/porthos/root/srv/porthos/script/auth.php
+++ b/porthos/root/srv/porthos/script/auth.php
@@ -38,8 +38,10 @@
 // Disable the Content-Type header in PHP, so that nginx x-accel can add its own
 ini_set('default_mimetype', FALSE);
 
-// Mask any repo that does not belong to the site:
-if(! in_array($uri['repo'], $config['repositories'])) {
+// Mask any repo/version/arch that does not belong to the site:
+if(! in_array($uri['repo'], $config['repositories'])
+    || ! in_array($uri['version'], $config['versions'])
+    || ! in_array($uri['arch'], $config['arches'])) {
     exit_http(404);
 }
 
@@ -86,6 +88,8 @@
     'msg_severity' => 'notice',
     'server_id' => $_SERVER['PHP_AUTH_USER'],
     'repo' => $uri['repo'],
+    'version' => $uri['version'],
+    'arch' => $uri['arch'],
     'tier_id' => $uri['prefix'] == 'autoupdate' ? NULL : $tier_id,
     'tier_auto' => isset($hash),
     'tls' => isset($_SERVER['HTTPS']),
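Review bot: The three `in_array` calls in the new allowlist check at the top of the first hunk use loose comparison, so a request value that merely compares equal to a configured entry under PHP's numeric-string rules (for example a version like `7.60` against a configured `7.6`, or a leading-numeric string against an integer entry) passes the guard without being an exact configured value. Since this check is what masks unknown repo/version/arch combinations with a 404, it should compare strictly: `if(! in_array($uri['repo'], $config['repositories'], TRUE)`, `    || ! in_array($uri['version'], $config['versions'], TRUE)`, `    || ! in_array($uri['arch'], $config['arches'], TRUE)) {`. With a strict match the `version` and `arch` fields added to the log record in the second hunk are also guaranteed to be one of the configured strings rather than a request-controlled variant of one, assuming that record is built after this guard as the line numbers suggest. The script around both hunks, including where `$uri` and `$config` are populated, lies outside the patch.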