ruben/folderweb
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Activity Actions

Compare commits

base: ruben:0e63ed14440ec0fdbf71153e358942a6ca19f16d
Branches Tags
ruben:latest
..
compare: ruben:f6f6c4ede6cbc92db21147db0b9d1590cf6c4e69
Branches Tags
ruben:latest

No commits in common. "0e63ed14440ec0fdbf71153e358942a6ca19f16d" and "f6f6c4ede6cbc92db21147db0b9d1590cf6c4e69" have entirely different histories.
0e63ed1444 ... f6f6c4ede6

2 changed files with 11 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/router.php
View file

@ -98,8 +98,6 @@ if (str_ends_with($ctx->requestPath, 'feed.xml')) {
// Render full content for each item // Render full content for each item
foreach ($items as &$item) { foreach ($items as &$item) {
$item['content'] = ''; $item['content'] = '';
$itemMetadata = loadMetadata($item['dirPath']);
getPluginManager()->loadPagePlugins($itemMetadata);
$contentFiles = findAllContentFiles($item['dirPath']); $contentFiles = findAllContentFiles($item['dirPath']);
foreach ($contentFiles as $file) { foreach ($contentFiles as $file) {
$item['content'] .= renderContentFile($file, $ctx); $item['content'] .= renderContentFile($file, $ctx);

32
app/static.php
View file

@ -1,39 +1,29 @@
<?php <?php
// test
// Serve static files from /app directory // Serve static files from /app directory
$requestUri = $_SERVER['REQUEST_URI']; $requestUri = $_SERVER['REQUEST_URI'];
$file = preg_replace('#^/app/#', '', parse_url($requestUri, PHP_URL_PATH)); $file = preg_replace('#^/app/#', '', parse_url($requestUri, PHP_URL_PATH));
$file = str_replace(['../', '..\\'], '', $file); // Prevent directory traversal
// Map request paths to allowed base directories // Map request paths to actual file paths
$customBasePath = dirname(__DIR__) . '/custom/'; $basePath = __DIR__ . '/';
$appBasePath = __DIR__ . '/default/'; $customBasePath = dirname(__DIR__) . '/';
if (str_starts_with($file, 'styles/')) { if (str_starts_with($file, 'styles/')) {
$allowedBase = realpath($customBasePath . 'styles'); $filePath = $customBasePath . 'custom/' . $file;
$filePath = $customBasePath . $file;
} elseif (str_starts_with($file, 'fonts/')) { } elseif (str_starts_with($file, 'fonts/')) {
$allowedBase = realpath($customBasePath . 'fonts'); $filePath = $customBasePath . 'custom/' . $file;
$filePath = $customBasePath . $file;
} elseif (str_starts_with($file, 'assets/')) { } elseif (str_starts_with($file, 'assets/')) {
$allowedBase = realpath($customBasePath . 'assets'); $filePath = $customBasePath . 'custom/' . $file;
$filePath = $customBasePath . $file;
} elseif (str_starts_with($file, 'default-styles/')) { } elseif (str_starts_with($file, 'default-styles/')) {
$allowedBase = realpath($appBasePath . 'styles'); $filePath = $basePath . 'default/' . substr($file, 15); // Remove 'default-styles/' prefix
$filePath = $appBasePath . 'styles/' . substr($file, 15);
} else { } else {
http_response_code(404); http_response_code(404);
exit; exit;
} }
// Resolve real path and verify it's within the allowed directory // Check if file exists and is readable
$realPath = realpath($filePath); if (!file_exists($filePath) || !is_readable($filePath)) {
if ($realPath === false || $allowedBase === false || !str_starts_with($realPath, $allowedBase . '/')) {
http_response_code(404);
exit;
}
$filePath = $realPath;
// Check if file is readable
if (!is_readable($filePath)) {
http_response_code(404); http_response_code(404);
exit; exit;
} }