Cleaned up file argument processing a bit

2025-04-21 00:12:56 +02:00 · 2003-01-12 06:53:25 +00:00 · 2003-01-12 06:53:25 +00:00 · 6ed3da1da4
commit 6ed3da1da4
parent 1685298e60
4 changed files with 43 additions and 26 deletions
--- a/file.php
+++ b/file.php
@ -8,14 +8,16 @@
    $lifetime = 86400;

    if (isset($file)) {     // workaround for situations where / syntax doesn't work
-        $PATH_INFO = $file;
+        $pathinfo = $file;
+    } else {
+        $pathinfo = get_slash_arguments("file.php");
    }

-    if (!$PATH_INFO) {
-        error("This script DEPENDS on PATH_INFO being available.  Read the README.");
+    if (!$pathinfo) {
+        error("No file parameters!");
    }

-    if (! $args = get_slash_arguments()) {
+    if (! $args = parse_slash_arguments($pathinfo)) {
        error("No valid arguments supplied");
    }

--- a/lib/weblib.php
+++ b/lib/weblib.php
@ -397,29 +397,44 @@ function validate_email ($address) {
                  $address));
 }

+function get_slash_arguments($file="file.php") {
+/// Searches the current environment variables for some slash arguments

-function get_slash_arguments($i=0) {
+    if (isset($_SERVER['PATH_INFO'])) {
+        return $_SERVER['PATH_INFO'];
+    }
+
+    if (isset($_SERVER['PHP_SELF'])) {
+        $string = $_SERVER['PHP_SELF'];
+    } else if (isset($_SERVER['REQUEST_URI'])) {
+        $string = $_SERVER['REQUEST_URI'];
+    } else {
+        return false;
+    }
+    $pathinfo = explode($file, $string);
+    
+    if (!empty($path_info[1])) {
+        return $path_info[1];
+    } else {
+        return false;
+    }
+}
+
+function parse_slash_arguments($string, $i=0) {
 /// Extracts arguments from "/foo/bar/something"
 /// eg http://mysite.com/script.php/foo/bar/something
-/// Might only work on Apache

-    global $PATH_INFO;
-
-    if (!isset($PATH_INFO)) {
+    if (strpos($string, "..")) { // check for parent URLs
+        return false;
+    }
+    if (strpos($string, "|")) {  // check for pipes
+        return false;
+    }
+    if (strpos($string, "`")) {  // check for backquotes
        return false;
    }

-    if (strpos($PATH_INFO, "..")) { // check for parent URLs
-        return false;
-    }
-    if (strpos($PATH_INFO, "|")) {  // check for pipes
-        return false;
-    }
-    if (strpos($PATH_INFO, "`")) {  // check for backquotes
-        return false;
-    }
-
-    $args = explode("/", $PATH_INFO);
+    $args = explode("/", $string);

    if ($i) {     // return just the required argument
        return $args[$i];
--- a/user/lib.php
+++ b/user/lib.php
@ -122,7 +122,7 @@ function save_user_image($userid, $filename) {
        }
    }
    
-    if ($badpermissions) {
+    if (!empty($badpermissions)) {
        return 0;

    } else {
--- a/user/pix.php
+++ b/user/pix.php
@ -7,14 +7,14 @@

    $lifetime = 86400;

-    if (isset($file)) {
-        $PATH_INFO = $file;
+    if (isset($file)) {     // workaround for situations where / syntax doesn't work
+        $pathinfo = $file;

-    } else if (!$PATH_INFO) {
-        $PATH_INFO = "";       // Will just show default picture
+    } else {
+        $pathinfo = get_slash_arguments("pix.php");
    }

-    if (! $args = get_slash_arguments()) {
+    if (! $args = parse_slash_arguments($pathinfo)) {
        error("No valid arguments supplied");
    }