/** * Set up groups of files as sources * * @param array $options controller and Minify options * @return array Minify options * */ public function setupSources($options) { // PHP insecure by default: realpath() and other FS functions can't handle null bytes. if (isset($_GET['files'])) { $_GET['files'] = str_replace("", '', (string) $_GET['files']); } self::_setupDefines(); if (MINIFY_USE_CACHE) { $cacheDir = defined('MINIFY_CACHE_DIR') ? MINIFY_CACHE_DIR : ''; Minify::setCache($cacheDir); } $options['badRequestHeader'] = 'HTTP/1.0 404 Not Found'; $options['contentTypeCharset'] = MINIFY_ENCODING; // The following restrictions are to limit the URLs that minify will // respond to. Ideally there should be only one way to reference a file. if (!isset($_GET['files']) || !preg_match('/^[^,]+\\.(css|js)(,[^,]+\\.\\1)*$/', $_GET['files'], $m) || strpos($_GET['files'], '//') !== false || strpos($_GET['files'], '\\') !== false || preg_match('/(?:^|[^\\.])\\.\\//', $_GET['files'])) { return $options; } $extension = $m[1]; $files = explode(',', $_GET['files']); if (count($files) > MINIFY_MAX_FILES) { return $options; } // strings for prepending to relative/absolute paths $prependRelPaths = dirname($_SERVER['SCRIPT_FILENAME']) . DIRECTORY_SEPARATOR; $prependAbsPaths = $_SERVER['DOCUMENT_ROOT']; $sources = array(); $goodFiles = array(); $hasBadSource = false; $allowDirs = isset($options['allowDirs']) ? $options['allowDirs'] : MINIFY_BASE_DIR; foreach ($files as $file) { // prepend appropriate string for abs/rel paths $file = ($file[0] === '/' ? $prependAbsPaths : $prependRelPaths) . $file; // make sure a real file! $file = realpath($file); // don't allow unsafe or duplicate files if (parent::_fileIsSafe($file, $allowDirs) && !in_array($file, $goodFiles)) { $goodFiles[] = $file; $srcOptions = array('filepath' => $file); $this->sources[] = new Minify_Source($srcOptions); } else { $hasBadSource = true; break; } } if ($hasBadSource) { $this->sources = array(); } if (!MINIFY_REWRITE_CSS_URLS) { $options['rewriteCssUris'] = false; } return $options; }
/** * Set up groups of files as sources * * @param array $options controller and Minify options * @return array Minify options * */ public function setupSources($options) { // filter controller options $cOptions = array_merge(array('allowDirs' => '//', 'groupsOnly' => false, 'groups' => array(), 'maxFiles' => 100), isset($options['minApp']) ? $options['minApp'] : array()); unset($options['minApp']); $sources = array(); if (isset($_GET['g'])) { // try groups if (!isset($cOptions['groups'][$_GET['g']])) { $this->log("A group configuration for \"{$_GET['g']}\" was not set"); return $options; } $files = $cOptions['groups'][$_GET['g']]; // if $files is a single object, casting will break it if (is_object($files)) { $files = array($files); } elseif (!is_array($files)) { $files = (array) $files; } foreach ($files as $file) { if ($file instanceof Minify_Source) { $sources[] = $file; continue; } if (0 === strpos($file, '//')) { $file = $_SERVER['DOCUMENT_ROOT'] . substr($file, 1); } $realPath = realpath($file); if (is_file($realPath)) { $sources[] = new Minify_Source(array('filepath' => $realPath)); } else { $this->log("The path \"{$realPath}\" could not be found (or was not a file)"); continue; } } } elseif (!$cOptions['groupsOnly'] && isset($_GET['f'])) { $config = w3_instance('W3_Config'); $external = $config->get_array('minify.cache.files'); $files = $_GET['f']; $temp_files = array(); $external_files = 0; foreach ($files as $file) { if (!is_string($file)) { $url = $file->minifyOptions['prependRelativePath']; $verified = false; foreach ($external as $ext) { if (preg_match('#' . w3_get_url_regexp($ext) . '#', $url) && !$verified) { $verified = true; } } if (!$verified) { $this->log("GET['f'] param part invalid, not in accepted external files list: \"{$url}\""); return $options; } $external_files++; } else { $temp_files[] = $file; } } if ($temp_files) { $imploded = implode(',', $temp_files); if (!preg_match('/^[^,]+\\.(css|js)(?:,[^,]+\\.\\1)*$/', $imploded) || strpos($imploded, '//') !== false || strpos($imploded, '\\') !== false || preg_match('/(?:^|[^\\.])\\.\\//', $imploded)) { $this->log("GET['f'] param part invalid: \"{$imploded}\""); return $options; } } if (count($files) > $cOptions['maxFiles'] || count($files) - $external_files != count(array_unique($temp_files))) { $this->log("Too many or duplicate files specified: \"" . implode(', ', $temp_files) . "\""); return $options; } if (!empty($_GET['b'])) { // check for validity if (preg_match('@^[^/]+(?:/[^/]+)*$@', $_GET['b']) && false === strpos($_GET['b'], '..') && $_GET['b'] !== '.') { // valid base $base = "/{$_GET['b']}/"; } else { $this->log("GET['b'] param invalid: \"{$_GET['b']}\""); return $options; } } else { $base = '/'; } $allowDirs = array(); foreach ((array) $cOptions['allowDirs'] as $allowDir) { $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir)); } foreach ($files as $file) { if ($file instanceof Minify_Source) { $sources[] = $file; continue; } $path = $_SERVER['DOCUMENT_ROOT'] . $base . $file; $file = realpath($path); if (false === $file) { $this->log("Path \"{$path}\" failed realpath()"); return $options; } elseif (!parent::_fileIsSafe($file, $allowDirs)) { $this->log("Path \"{$path}\" failed Minify_Controller_Base::_fileIsSafe()"); return $options; } else { $sources[] = new Minify_Source(array('filepath' => $file)); } } } if ($sources) { $this->sources = $sources; } else { $this->log("No sources to serve"); } return $options; }
/** * Set up groups of files as sources * * @param array $options controller and Minify options * @return array Minify options * */ public function setupSources($options) { // filter controller options $cOptions = array_merge(array('allowDirs' => '//', 'groupsOnly' => false, 'groups' => array(), 'maxFiles' => 10), isset($options['minApp']) ? $options['minApp'] : array()); unset($options['minApp']); $sources = array(); if (isset($_GET['g'])) { // try groups if (!isset($cOptions['groups'][$_GET['g']])) { $this->log("A group configuration for \"{$_GET['g']}\" was not set"); return $options; } $files = $cOptions['groups'][$_GET['g']]; // if $files is a single object, casting will break it if (is_object($files)) { $files = array($files); } elseif (!is_array($files)) { $files = (array) $files; } foreach ($files as $file) { if ($file instanceof Minify_Source) { $sources[] = $file; continue; } if (0 === strpos($file, '//')) { $file = $_SERVER['DOCUMENT_ROOT'] . substr($file, 1); } $realPath = realpath($file); if (is_file($realPath)) { $sources[] = new Minify_Source(array('filepath' => $realPath)); } else { $this->log("The path \"{$realPath}\" could not be found (or was not a file)"); continue; } } } elseif (!$cOptions['groupsOnly'] && isset($_GET['f'])) { // try user files // The following restrictions are to limit the URLs that minify will // respond to. Ideally there should be only one way to reference a file. if (!preg_match('/^[^,]+\\.(css|js)(?:,[^,]+\\.\\1)*$/', $_GET['f']) || strpos($_GET['f'], '//') !== false || strpos($_GET['f'], '\\') !== false || preg_match('/(?:^|[^\\.])\\.\\//', $_GET['f'])) { $this->log("GET['f'] param invalid: \"{$_GET['f']}\""); return $options; } $files = explode(',', $_GET['f']); if (count($files) > $cOptions['maxFiles'] || $files != array_unique($files)) { $this->log("Too many or duplicate files specified: \"" . implode(', ', $files) . "\""); return $options; } if (!empty($_GET['b'])) { // check for validity if (preg_match('@^[^/]+(?:/[^/]+)*$@', $_GET['b']) && false === strpos($_GET['b'], '..') && $_GET['b'] !== '.') { // valid base $base = "/{$_GET['b']}/"; } else { $this->log("GET['b'] param invalid: \"{$_GET['b']}\""); return $options; } } else { $base = '/'; } $allowDirs = array(); foreach ((array) $cOptions['allowDirs'] as $allowDir) { $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir)); } foreach ($files as $file) { $path = $_SERVER['DOCUMENT_ROOT'] . $base . $file; $file = realpath($path); if (false === $file) { $this->log("Path \"{$path}\" failed realpath()"); return $options; } elseif (!parent::_fileIsSafe($file, $allowDirs)) { $this->log("Path \"{$path}\" failed Minify_Controller_Base::_fileIsSafe()"); return $options; } else { $sources[] = new Minify_Source(array('filepath' => $file)); } } } if ($sources) { $this->sources = $sources; } else { $this->log("No sources to serve"); } return $options; }
/** * Set up groups of files as sources * * @param array $options controller and Minify options * @return array Minify options * */ public function setupSources($options) { // filter controller options $cOptions = array_merge(array('allowDirs' => '//', 'groupsOnly' => false, 'groups' => array(), 'maxFiles' => 10), isset($options['minApp']) ? $options['minApp'] : array()); unset($options['minApp']); $sources = array(); if (isset($_GET['g'])) { // try groups if (!isset($cOptions['groups'][$_GET['g']])) { return $options; } foreach ((array) $cOptions['groups'][$_GET['g']] as $file) { if ($file instanceof Minify_Source) { $sources[] = $file; continue; } if (0 === strpos($file, '//')) { $file = $_SERVER['DOCUMENT_ROOT'] . substr($file, 1); } $file = realpath($file); if (is_file($file)) { $sources[] = new Minify_Source(array('filepath' => $file)); } else { // file doesn't exist return $options; } } } elseif (!$cOptions['groupsOnly'] && isset($_GET['f'])) { // try user files // The following restrictions are to limit the URLs that minify will // respond to. Ideally there should be only one way to reference a file. if (!preg_match('/^[^,]+\\.(css|js)(?:,[^,]+\\.\\1)*$/', $_GET['f']) || strpos($_GET['f'], '//') !== false || strpos($_GET['f'], '\\') !== false || preg_match('/(?:^|[^\\.])\\.\\//', $_GET['f'])) { return $options; } $files = explode(',', $_GET['f']); if (count($files) > $cOptions['maxFiles'] || $files != array_unique($files)) { // too many or duplicate files return $options; } if (isset($_GET['b'])) { // check for validity if (preg_match('@^[^/]+(?:/[^/]+)*$@', $_GET['b']) && false === strpos($_GET['b'], '..') && $_GET['b'] !== '.') { // valid base $base = "/{$_GET['b']}/"; } else { return $options; } } else { $base = '/'; } $allowDirs = array(); foreach ((array) $cOptions['allowDirs'] as $allowDir) { $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir)); } foreach ($files as $file) { $file = realpath($_SERVER['DOCUMENT_ROOT'] . $base . $file); // don't allow unsafe or duplicate files if (parent::_fileIsSafe($file, $allowDirs)) { $sources[] = new Minify_Source(array('filepath' => $file)); } else { // unsafe file return $options; } } } if ($sources) { $this->sources = $sources; } return $options; }