diff options
-rw-r--r-- | installer/check.php | 4 | ||||
-rw-r--r-- | program/steps/utils/modcss.inc | 81 |
2 files changed, 26 insertions, 59 deletions
diff --git a/installer/check.php b/installer/check.php index e5f30261c..4428bb82b 100644 --- a/installer/check.php +++ b/installer/check.php @@ -45,7 +45,9 @@ $ini_checks = array( ); $optional_checks = array( - 'date.timezone' => '-NOTEMPTY-', + // required for utils/modcss.inc, should we require this? + 'allow_url_fopen' => 1, + 'date.timezone' => '-NOTEMPTY-', ); $source_urls = array( diff --git a/program/steps/utils/modcss.inc b/program/steps/utils/modcss.inc index 77be150fe..1a28c6598 100644 --- a/program/steps/utils/modcss.inc +++ b/program/steps/utils/modcss.inc @@ -5,7 +5,7 @@ | program/steps/utils/modcss.inc | | | | This file is part of the Roundcube Webmail client | - | Copyright (C) 2007-2011, The Roundcube Dev Team | + | Copyright (C) 2007-2012, The Roundcube Dev Team | | | | Licensed under the GNU General Public License version 3 or | | any later version with exceptions for skins & plugins. | @@ -16,83 +16,48 @@ | | +-----------------------------------------------------------------------+ | Author: Thomas Bruederli <roundcube@gmail.com> | + | Author: Aleksander Machniak <alec@alec.pl> | +-----------------------------------------------------------------------+ */ -$source = ''; - $url = preg_replace('![^a-z0-9.-]!i', '', $_GET['_u']); + if ($url === null || !($realurl = $_SESSION['modcssurls'][$url])) { header('HTTP/1.1 403 Forbidden'); - echo "Unauthorized request"; - exit; + exit("Unauthorized request"); } -$a_uri = parse_url($realurl); -$port = $a_uri['port'] ? $a_uri['port'] : 80; -$host = $a_uri['host']; -$path = $a_uri['path'] . ($a_uri['query'] ? '?'.$a_uri['query'] : ''); - // don't allow any other connections than http(s) -if (strtolower(substr($a_uri['scheme'], 0, 4)) != 'http') { +if (!preg_match('~^(https?)://~i', $realurl, $matches)) { header('HTTP/1.1 403 Forbidden'); - echo "Invalid URL"; - exit; + exit("Invalid URL"); } -// try to open socket connection -if (!($fp = fsockopen($host, $port, $errno, $error, 15))) { - header('HTTP/1.1 500 Internal Server Error'); - echo $error; - exit; +if (!ini_get('allow_url_fopen')) { + header('HTTP/1.1 403 Forbidden'); + exit("HTTP connections disabled"); } -// set timeout for socket -stream_set_timeout($fp, 30); - -// send request -$out = "GET $path HTTP/1.0\r\n"; -$out .= "Host: $host\r\n"; -$out .= "Connection: Close\r\n\r\n"; -fwrite($fp, $out); +$scheme = strtolower($matches[1]); +$options = array( + $scheme => array( + 'method' => 'GET', + 'timeout' => 15, + ) +); -// read response -$header = true; -$headers = array(); -while (!feof($fp)) { - $line = trim(fgets($fp, 4048)); +$context = stream_context_create($options); +$source = @file_get_contents($realurl, false, $context); - if ($header) { - if (preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs) - && intval($regs[1]) != 200) { - break; - } - else if (empty($line)) { - $header = false; - } - else { - list($key, $value) = explode(': ', $line); - $headers[strtolower($key)] = $value; - } - } - else { - $source .= "$line\n"; - } -} -fclose($fp); +// php.net/manual/en/reserved.variables.httpresponseheader.php +$headers = implode("\n", (array)$http_response_header); +$ctype = '~Content-Type:\s+text/(css|plain)~i'; -// check content-type header and mod styles -$mimetype = strtolower($headers['content-type']); -if (!empty($source) && in_array($mimetype, array('text/css','text/plain'))) { +if ($source !== false && preg_match($ctype, $headers)) { header('Content-Type: text/css'); echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['_c'])); exit; } -else - $error = "Invalid response returned by server"; header('HTTP/1.0 404 Not Found'); -echo $error; -exit; - - +exit("Invalid response returned by server"); |