folderweb/app/static.php

<?php
// Serve static files from /app directory
$requestUri = $_SERVER['REQUEST_URI'];
$file = preg_replace('#^/app/#', '', parse_url($requestUri, PHP_URL_PATH));

// Map request paths to allowed base directories
$customBasePath = dirname(__DIR__) . '/custom/';
$appBasePath = __DIR__ . '/default/';

if (str_starts_with($file, 'styles/')) {
    $allowedBase = realpath($customBasePath . 'styles');
    $filePath = $customBasePath . $file;
} elseif (str_starts_with($file, 'fonts/')) {
    $allowedBase = realpath($customBasePath . 'fonts');
    $filePath = $customBasePath . $file;
} elseif (str_starts_with($file, 'assets/')) {
    $allowedBase = realpath($customBasePath . 'assets');
    $filePath = $customBasePath . $file;
} elseif (str_starts_with($file, 'default-styles/')) {
    $allowedBase = realpath($appBasePath . 'styles');
    $filePath = $appBasePath . 'styles/' . substr($file, 15);
} else {
    http_response_code(404);
    exit;
}

// Resolve real path and verify it's within the allowed directory
$realPath = realpath($filePath);
if ($realPath === false || $allowedBase === false || !str_starts_with($realPath, $allowedBase . '/')) {
    http_response_code(404);
    exit;
}
$filePath = $realPath;

// Check if file is readable
if (!is_readable($filePath)) {
    http_response_code(404);
    exit;
}

// Determine MIME type based on extension
$ext = pathinfo($filePath, PATHINFO_EXTENSION);
$mimeTypes = [
    'css' => 'text/css',
    'js' => 'application/javascript',
    'woff' => 'font/woff',
    'woff2' => 'font/woff2',
    'ttf' => 'font/ttf',
    'otf' => 'font/otf',
    'eot' => 'application/vnd.ms-fontobject',
    'svg' => 'image/svg+xml',
];

$mimeType = $mimeTypes[$ext] ?? (mime_content_type($filePath) ?: 'application/octet-stream');
header('Content-Type: ' . $mimeType);
readfile($filePath);
Initial commit 2025-10-02 16:54:47 +02:00			`<?php`
			`// Serve static files from /app directory`
Fix static file path handling for security Use REQUEST_URI and parse_url to properly handle paths Prevent directory traversal with stricter sanitization 2025-10-02 17:19:15 +02:00			`$requestUri = $_SERVER['REQUEST_URI'];`
			`$file = preg_replace('#^/app/#', '', parse_url($requestUri, PHP_URL_PATH));`
Initial commit 2025-10-02 16:54:47 +02:00
Fix feed item rendering and strengthen static file path traversal protection 2026-03-17 10:54:52 +01:00			`// Map request paths to allowed base directories`
			`$customBasePath = dirname(__DIR__) . '/custom/';`
			`$appBasePath = __DIR__ . '/default/';`
Initial commit 2025-10-02 16:54:47 +02:00
			`if (str_starts_with($file, 'styles/')) {`
Fix feed item rendering and strengthen static file path traversal protection 2026-03-17 10:54:52 +01:00			`$allowedBase = realpath($customBasePath . 'styles');`
			`$filePath = $customBasePath . $file;`
Initial commit 2025-10-02 16:54:47 +02:00			`} elseif (str_starts_with($file, 'fonts/')) {`
Fix feed item rendering and strengthen static file path traversal protection 2026-03-17 10:54:52 +01:00			`$allowedBase = realpath($customBasePath . 'fonts');`
			`$filePath = $customBasePath . $file;`
Add support for custom assets directory Add handling for files starting with 'assets/' to serve from custom directory similar to other static assets 2025-10-02 23:47:59 +02:00			`} elseif (str_starts_with($file, 'assets/')) {`
Fix feed item rendering and strengthen static file path traversal protection 2026-03-17 10:54:52 +01:00			`$allowedBase = realpath($customBasePath . 'assets');`
			`$filePath = $customBasePath . $file;`
Initial commit 2025-10-02 16:54:47 +02:00			`} elseif (str_starts_with($file, 'default-styles/')) {`
Fix feed item rendering and strengthen static file path traversal protection 2026-03-17 10:54:52 +01:00			`$allowedBase = realpath($appBasePath . 'styles');`
			`$filePath = $appBasePath . 'styles/' . substr($file, 15);`
Initial commit 2025-10-02 16:54:47 +02:00			`} else {`
			`http_response_code(404);`
			`exit;`
			`}`

Fix feed item rendering and strengthen static file path traversal protection 2026-03-17 10:54:52 +01:00			`// Resolve real path and verify it's within the allowed directory`
			`$realPath = realpath($filePath);`
			`if ($realPath === false \|\| $allowedBase === false \|\| !str_starts_with($realPath, $allowedBase . '/')) {`
			`http_response_code(404);`
			`exit;`
			`}`
			`$filePath = $realPath;`

			`// Check if file is readable`
			`if (!is_readable($filePath)) {`
Initial commit 2025-10-02 16:54:47 +02:00			`http_response_code(404);`
			`exit;`
			`}`

			`// Determine MIME type based on extension`
			`$ext = pathinfo($filePath, PATHINFO_EXTENSION);`
			`$mimeTypes = [`
			`'css' => 'text/css',`
			`'js' => 'application/javascript',`
			`'woff' => 'font/woff',`
			`'woff2' => 'font/woff2',`
			`'ttf' => 'font/ttf',`
			`'otf' => 'font/otf',`
			`'eot' => 'application/vnd.ms-fontobject',`
			`'svg' => 'image/svg+xml',`
			`];`

			`$mimeType = $mimeTypes[$ext] ?? (mime_content_type($filePath) ?: 'application/octet-stream');`
			`header('Content-Type: ' . $mimeType);`
			`readfile($filePath);`