/**
 * Controller entry point for the single-challenge mode.
 *
 * Dispatches on the request path below the controller URL:
 *   - paths containing "/static/" are streamed as files from LESSON_PATH;
 *   - paths containing "reset/" instantiate the lesson class named by the
 *     first path segment, call reset() and answer with a JSON status;
 *   - anything else loads the lesson, collects its title/hints/content plus
 *     the source excerpt the lesson exposes, and renders the view.
 *
 * Unauthenticated users are redirected to the login page; authenticated users
 * lacking the 'view_single_chal' permission are redirected to SiteRoot.
 *
 * @param string $request incoming request path; unused, immediately overwritten
 *                        from jf::$BaseRequest (see FIXME below)
 * @return mixed the DownloadManager::Feed() result for static files, true after
 *               a reset, $this->Present() for a lesson page, and null on the
 *               redirect branches and when a static asset does not exist
 */
public function Handle($request)
{
    // Use the complete request path from the framework.
    $request = jf::$BaseRequest; //FIXME: Fix JCatchControl so that this is not required
    if (jf::CurrentUser()) { // If user is logged in
        // Check if the user has permission
        // to view the challenges
        if (jf::Check('view_single_chal')) {
            // Extract the relative request path,
            // i.e. the path after the controller URL.
            // Ex: If request is http://localhost/webgoatphp/mode/single/challenges/HTTPBasics/static/test
            // $request will be mode/single/challenges/HTTPBasics/static/test
            // $relativePath will be HTTPBasics/static/test
            $relativePath = $this->getRelativePath($request);
            // NOTE(review): $relativePath is user-controlled and is concatenated onto
            // LESSON_PATH without canonicalisation; unless getRelativePath() strips
            // ".." segments, the "/static/" branch below could serve files outside
            // LESSON_PATH — confirm against getRelativePath().
            $absolutePath = LESSON_PATH . $relativePath;
            if (strpos($relativePath, "/static/") !== false) {
                // Static lesson asset: stream the file as-is.
                if (file_exists($absolutePath)) {
                    $FileMan = new \jf\DownloadManager();
                    return $FileMan->Feed($absolutePath);
                }
                // Missing asset: falls through to the end of the method (null, no 404 sent).
            } else {
                // Lesson name is the first path segment (false when there is no "/").
                $nameOfLesson = stristr($relativePath, "/", true);
                \webgoat\LessonScanner::loadClasses();
                if (strpos($relativePath, "reset/") !== false) {
                    // Reset the lesson state; the class is resolved dynamically
                    // from the URL segment, so it must exist after loadClasses().
                    $lessonNameWithNS = "\\webgoat\\" . $nameOfLesson;
                    $obj = new $lessonNameWithNS();
                    $obj->reset();
                    echo json_encode(array("status" => true));
                    return true;
                } else {
                    // Rescan lessons on explicit ?refresh or when the cached list is empty.
                    if (isset($_GET['refresh']) || !jf::LoadGeneralSetting("categoryLessons")) {
                        \webgoat\LessonScanner::run();
                    }
                    $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
                    try {
                        $lessonObj = \webgoat\LessonScanner::getLessonObject($nameOfLesson);
                        $lessonObj->start();
                        $this->lessonTitle = $lessonObj->getTitle();
                        $this->hints = $lessonObj->getHints();
                        $this->htmlContent = $lessonObj->getContent();
                        $this->nameOfLesson = $nameOfLesson;
                        // The lesson may expose a line range of its index.php for the
                        // secure-coding exercise; keys read here: 'status', 'start', 'end'.
                        $secureCoding = $lessonObj->isSecureCodingAllowed();
                        $sourceCodeToDisplay = "";
                        if ($secureCoding['status'] === true) {
                            $sourceCode = file($absolutePath . "index.php");
                            // Indentation of the first excerpt line is recorded for the view.
                            $firstLine = $sourceCode[$secureCoding['start']];
                            $this->indentSize = strlen($firstLine) - strlen(ltrim($firstLine));
                            // 'end' is exclusive.
                            for ($i = $secureCoding['start']; $i < $secureCoding['end']; $i++) {
                                $sourceCodeToDisplay .= $this->removeWhitespaces($sourceCode[$i]) . "\n";
                            }
                            $this->sourceCode = $sourceCodeToDisplay;
                        }
                        // To show the complete PHP code (HTML-escaped).
                        $sourceCode = file_get_contents($absolutePath . "index.php");
                        $this->completeSourceCode = htmlentities($sourceCode);
                        if (isset($_POST['sourceCode'])) {
                            // Code to handle source code evaluation (not implemented here)
                        }
                    } catch (Exception $e) {
                        // NOTE(review): inside a namespace an unimported `Exception`
                        // resolves to the namespaced class, not \Exception — confirm
                        // there is a `use Exception;` at the top of this file.
                        //$this->error = "Lesson Not found. Please select a lesson.";
                        $this->error = $e->getMessage();
                    }
                    // Browser XSS filter disabled; kept as-is, appears deliberate for the lessons.
                    header("X-XSS-Protection: 0"); // Disable XSS protection
                    return $this->Present();
                }
            }
        } else {
            // Not sufficient permissions, redirect
            // to home page of the application
            $this->Redirect(SiteRoot);
        }
    } else { // User not logged in
        $this->Redirect(jf::url() . "/user/login?return=/{$request}");
    }
}
// Avatar download handler: streams the avatar file for ?id=…; non-admin
// sessions get bandwidth throttling plus a randomly timed abort via ticks.

// NOTE(review): `* 1` coerces the query value to a number; on PHP 8 a
// non-numeric string here throws TypeError instead of yielding 0 — confirm
// the surrounding error handling copes with that.
$id = $_GET['id'] * 1;
// Authorisation flag is taken straight from the session record.
$isAdmin = $_SESSION['user']['access'];
// Wall-clock start used by timeout() below.
$initial_time = time();

/**
 * Tick callback: once a randomly chosen 3–10 second budget (fixed on the
 * first call via the static) has elapsed since $initial_time, flush the
 * output buffer and terminate the script.
 */
function timeout()
{
    global $initial_time;
    static $timeout = null;
    if ($timeout === null) {
        $timeout = rand(3, 10); // timing jitter only, not security-sensitive
    }
    if (time() - $initial_time > $timeout) {
        flush();
        die;
    }
}

if (!$isAdmin) {
    // NOTE(review): the statement form `declare(ticks=1);` appears to be a
    // compile-time directive that applies to the rest of the file regardless of
    // this runtime `if`; what is actually conditional is the
    // register_tick_function() call below.
    declare (ticks=1);
}
lib("download");
if (!$isAdmin) {
    register_tick_function("timeout");
}
$dl = new \jf\DownloadManager();
if (!$isAdmin) {
    // Throttle non-admin downloads; units are those of DownloadManager
    // (presumably bytes/s after an initial 1 KB burst — verify there).
    $dl::$BandwidthLimitSpeed = 1024 / 8; //128 bytes
    $dl::$BandwidthLimitInitialSize = 1024; //1KB
}
// AvatarFile() maps the id to a file path (defined elsewhere).
$dl->Feed(AvatarFile($id));
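<?php
/**
 * Front controller (index.php).
 *
 * The web-server rewrite passes the requested path in the `__r` query
 * parameter. Paths that resolve to a file under ./static/ are streamed via
 * \jf\DownloadManager; everything else is mapped to a script under ./app/
 * (path + ".php") which is required after ./load.php has bootstrapped the
 * framework. Anything that does not resolve produces a 404.
 */

/**
 * Send a 404 response with a minimal HTML body and terminate the script.
 *
 * The request URI is escaped with htmlspecialchars() before being echoed so
 * the path cannot inject markup into the error page.
 */
function do404()
{
    // header("404 Not Found") is not a valid header line and left the status
    // at 200; the "HTTP/" form makes PHP set the real status code.
    header("HTTP/1.1 404 Not Found");
    echo "<h1>404 Not Found</h1>";
    echo "<p>The requested URL " . htmlspecialchars($_SERVER['REQUEST_URI']) . " not found.</p>";
    exit(0);
}

/**
 * Resolve $relative inside $root and return the canonical path, or false when
 * it does not exist or canonicalises to a location outside $root (".."
 * segments, symlinks pointing elsewhere). This keeps a request-derived `__r`
 * from reaching files outside ./static/ and ./app/.
 *
 * @param string $root     directory the result must stay within
 * @param string $relative request-derived path fragment
 * @return string|false
 */
function resolveUnderRoot($root, $relative)
{
    $rootReal = realpath($root);
    $file = realpath($root . "/" . $relative);
    if ($rootReal === false || $file === false) {
        return false;
    }
    // Compare with a trailing separator so "/app2/x" cannot match root "/app".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $file;
}

// A missing or non-string `__r` (direct hit on index.php, or `__r[]=`) is
// treated as the empty path, which selects "index" below.
$request = (isset($_GET['__r']) && is_string($_GET['__r'])) ? $_GET['__r'] : "";
unset($_GET['__r']);
$parts = explode("/", $request);
// A trailing slash (or empty path) selects the directory's "index" entry.
if ($parts[count($parts) - 1] === "") {
    $parts[count($parts)] = "index";
}

$file = resolveUnderRoot(__DIR__ . "/static", implode("/", $parts));
if ($file !== false && is_file($file)) {
    // Static asset: stream it without bootstrapping the application.
    require_once __DIR__ . "/lib/download.php";
    $x = new \jf\DownloadManager();
    $x->Feed($file);
} else {
    // Application route: ./app/<path>.php, loaded after the framework bootstrap.
    // is_file() rejects directories, which require would otherwise fail on.
    $file = resolveUnderRoot(__DIR__ . "/app", implode("/", $parts) . ".php");
    if ($file === false || !is_file($file)) {
        do404();
    }
    require_once __DIR__ . "/load.php";
    require $file;
}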