From a1344ca40786b2e1b5128c993c20a09db1d99646 Mon Sep 17 00:00:00 2001
From: Ruben
Date: Wed, 25 Feb 2026 23:09:43 +0100
Subject: [PATCH] Add explicit MIME types and caching for static assets
Improve asset handling with:
- Path traversal protection
- Explicit MIME type mapping
- Configurable caching headers
- Case-insensitive extension matching
---
 app/router.php | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/app/router.php b/app/router.php
index 5e2d72e..89d0df7 100644
--- a/app/router.php
+++ b/app/router.php
@@ -17,10 +17,30 @@ $ctx = createContext();
 $GLOBALS['ctx'] = $ctx;
 // Check for assets in /custom/assets/ served at root level
-$assetPath = dirname(__DIR__) . '/custom/assets/' . $ctx->requestPath;
-if (file_exists($assetPath) && is_file($assetPath)) {
- header('Content-Type: ' . (mime_content_type($assetPath) ?: 'application/octet-stream'));
- readfile($assetPath);
+$assetsDir = realpath(dirname(__DIR__) . '/custom/assets');
+$realAsset = realpath($assetsDir . '/' . $ctx->requestPath);
+if ($realAsset && strncmp($realAsset, $assetsDir . '/', strlen($assetsDir) + 1) === 0 && is_file($realAsset)) {
+ $assetMimeTypes = [
+ 'css' => 'text/css',
+ 'js' => 'application/javascript',
+ 'json' => 'application/json',
+ 'geojson' => 'application/json',
+ 'svg' => 'image/svg+xml',
+ 'woff' => 'font/woff',
+ 'woff2' => 'font/woff2',
+ 'ttf' => 'font/ttf',
+ 'otf' => 'font/otf',
+ 'png' => 'image/png',
+ 'jpg' => 'image/jpeg',
+ 'jpeg' => 'image/jpeg',
+ 'webp' => 'image/webp',
+ ];
+ $assetExt = strtolower(pathinfo($realAsset, PATHINFO_EXTENSION));
+ $mime = $assetMimeTypes[$assetExt] ?? 'application/octet-stream';
+ $cacheSeconds = in_array($assetExt, ['json', 'geojson']) ? 60 : 31536000;
+ header('Content-Type: ' . $mime);
+ header('Cache-Control: public, max-age=' . $cacheSeconds);
+ readfile($realAsset);
 exit;
 }
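Review bot: The containment check in the new `if` collapses when `custom/assets` does not exist on disk: `realpath()` then returns `false`, `$assetsDir . '/'` becomes `'/'` and `strlen($assetsDir) + 1` is 1, so `$realAsset = realpath($assetsDir . '/' . $ctx->requestPath)` resolves relative to the filesystem root and any readable absolute path still passes both the prefix test and `is_file()` (if the file declares `strict_types`, `strlen(false)` would instead throw a TypeError, which is a crash rather than a leak but still not the intended outcome). Guard the directory before building the candidate, e.g. `if ($assetsDir !== false && $realAsset !== false && strncmp($realAsset, $assetsDir . '/', strlen($assetsDir) + 1) === 0 && is_file($realAsset)) {`. Two smaller points on the same hunk: `in_array($assetExt, ['json', 'geojson'])` should pass `true` as its third argument, and a `header('X-Content-Type-Options: nosniff');` beside the Content-Type header would keep browsers from sniffing the `application/octet-stream` fallback into something executable.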