summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2012-07-10 10:07:21 +0200
committerAleksander Machniak <alec@alec.pl>2012-07-10 10:07:21 +0200
commit2b21b97ef0b13c958ed53c7adf10f02f6c4c434f (patch)
tree93177e8afba342254267144259dee1f487e42ed6
parent3efc74654a30bd6d0141e1a15a123274408e9be8 (diff)
Use file_get_contents() to make code simpler and to fix possible infinite loop
-rw-r--r--installer/check.php4
-rw-r--r--program/steps/utils/modcss.inc81
2 files changed, 26 insertions, 59 deletions
diff --git a/installer/check.php b/installer/check.php
index e5f30261c..4428bb82b 100644
--- a/installer/check.php
+++ b/installer/check.php
@@ -45,7 +45,9 @@ $ini_checks = array(
);
$optional_checks = array(
- 'date.timezone' => '-NOTEMPTY-',
+ // required for utils/modcss.inc, should we require this?
+ 'allow_url_fopen' => 1,
+ 'date.timezone' => '-NOTEMPTY-',
);
$source_urls = array(
diff --git a/program/steps/utils/modcss.inc b/program/steps/utils/modcss.inc
index 77be150fe..1a28c6598 100644
--- a/program/steps/utils/modcss.inc
+++ b/program/steps/utils/modcss.inc
@@ -5,7 +5,7 @@
| program/steps/utils/modcss.inc |
| |
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2007-2011, The Roundcube Dev Team |
+ | Copyright (C) 2007-2012, The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
@@ -16,83 +16,48 @@
| |
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
+ | Author: Aleksander Machniak <alec@alec.pl> |
+-----------------------------------------------------------------------+
*/
-$source = '';
-
$url = preg_replace('![^a-z0-9.-]!i', '', $_GET['_u']);
+
if ($url === null || !($realurl = $_SESSION['modcssurls'][$url])) {
header('HTTP/1.1 403 Forbidden');
- echo "Unauthorized request";
- exit;
+ exit("Unauthorized request");
}
-$a_uri = parse_url($realurl);
-$port = $a_uri['port'] ? $a_uri['port'] : 80;
-$host = $a_uri['host'];
-$path = $a_uri['path'] . ($a_uri['query'] ? '?'.$a_uri['query'] : '');
-
// don't allow any other connections than http(s)
-if (strtolower(substr($a_uri['scheme'], 0, 4)) != 'http') {
+if (!preg_match('~^(https?)://~i', $realurl, $matches)) {
header('HTTP/1.1 403 Forbidden');
- echo "Invalid URL";
- exit;
+ exit("Invalid URL");
}
-// try to open socket connection
-if (!($fp = fsockopen($host, $port, $errno, $error, 15))) {
- header('HTTP/1.1 500 Internal Server Error');
- echo $error;
- exit;
+if (!ini_get('allow_url_fopen')) {
+ header('HTTP/1.1 403 Forbidden');
+ exit("HTTP connections disabled");
}
-// set timeout for socket
-stream_set_timeout($fp, 30);
-
-// send request
-$out = "GET $path HTTP/1.0\r\n";
-$out .= "Host: $host\r\n";
-$out .= "Connection: Close\r\n\r\n";
-fwrite($fp, $out);
+$scheme = strtolower($matches[1]);
+$options = array(
+ $scheme => array(
+ 'method' => 'GET',
+ 'timeout' => 15,
+ )
+);
-// read response
-$header = true;
-$headers = array();
-while (!feof($fp)) {
- $line = trim(fgets($fp, 4048));
+$context = stream_context_create($options);
+$source = @file_get_contents($realurl, false, $context);
- if ($header) {
- if (preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs)
- && intval($regs[1]) != 200) {
- break;
- }
- else if (empty($line)) {
- $header = false;
- }
- else {
- list($key, $value) = explode(': ', $line);
- $headers[strtolower($key)] = $value;
- }
- }
- else {
- $source .= "$line\n";
- }
-}
-fclose($fp);
+// php.net/manual/en/reserved.variables.httpresponseheader.php
+$headers = implode("\n", (array)$http_response_header);
+$ctype = '~Content-Type:\s+text/(css|plain)~i';
-// check content-type header and mod styles
-$mimetype = strtolower($headers['content-type']);
-if (!empty($source) && in_array($mimetype, array('text/css','text/plain'))) {
+if ($source !== false && preg_match($ctype, $headers)) {
header('Content-Type: text/css');
echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['_c']));
exit;
}
-else
- $error = "Invalid response returned by server";
header('HTTP/1.0 404 Not Found');
-echo $error;
-exit;
-
-
+exit("Invalid response returned by server");