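<?php
/**
 * Helper for DokuWiki Plugin netlogo
 *
 * Serves a file from the wiki's data/media directory to a client that
 * presents a valid, unexpired token.  The token is issued elsewhere in the
 * plugin (not in this file) as sha256(uuid . src . expires), where uuid is
 * the per-installation secret stored in data/tmp/plugin_netlogo_uuid.
 *
 * Every failure path ends the request with an HTTP error status and an
 * empty body, so a bad link or a misconfiguration never returns content.
 *
 * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html
 * @author Rik Blok <rik.blok@ubc.ca>
 *
 * ToDo:
 * * assume filetype is .nlogo and append to $src. Prevents from accessing other filetypes. [Rik, 2012-10-06]
 * * NOTE(review): sha256(secret . data) is a plain keyed-prefix digest; an HMAC
 *   (hash_hmac('sha256', $src.$expires, $uuid)) is the standard construction.
 *   The issuer and this verifier would have to switch together.
 */

// relative path to DokuWiki root
if (!defined('DOKU_INC')) define('DOKU_INC', "../../../../"); // assumes servefile.php nested four levels beneath root, in DOKU_INC.'lib/plugins/netlogo/inc/'

/**
 * Abort the request with the given HTTP status code and no response body.
 *
 * @param int $status HTTP status code to send (400, 403, 404 or 500)
 * @return void never returns; the script exits
 */
function netlogo_servefile_deny($status) {
    http_response_code($status);
    exit;
}

// get url parameters
// Only plain, non-empty strings are accepted: a missing key or an array
// value would otherwise surface as a warning or a TypeError further down.
$src     = (isset($_GET['src'])     && is_string($_GET['src']))     ? $_GET['src']     : '';
$expires = (isset($_GET['expires']) && is_string($_GET['expires'])) ? $_GET['expires'] : '';
$token   = (isset($_GET['token'])   && is_string($_GET['token']))   ? $_GET['token']   : '';
if ($src === '' || $expires === '' || $token === '') netlogo_servefile_deny(400);

// A NUL byte can never be part of a real media path; reject it before it
// reaches the filesystem functions (realpath() raises on it in PHP 8).
if (strpos($src, "\0") !== false) netlogo_servefile_deny(400);

// The issuer binds a unix timestamp into the token, so anything but a run
// of digits cannot have been signed; rejecting it early keeps the integer
// comparison below well defined.
if (!ctype_digit($expires)) netlogo_servefile_deny(400);

// check token
// The shared secret must exist and be non-empty: an unreadable file makes
// file_get_contents() return false, which concatenates as '' and would let
// anyone compute the expected token.
$uuidfile = DOKU_INC.'data/tmp/plugin_netlogo_uuid';
$uuid = is_readable($uuidfile) ? file_get_contents($uuidfile) : false;
if ($uuid === false || $uuid === '') netlogo_servefile_deny(500);
$expectedtoken = hash('sha256', $uuid.$src.$expires); // must match the issuer's construction
// hash_equals() compares in constant time and never type-juggles, unlike !=
if (!hash_equals($expectedtoken, $token)) netlogo_servefile_deny(403);

// check expiration
if (time() > (int)$expires) netlogo_servefile_deny(403);

// check file is inside data/media, exists and is readable
// realpath() resolves '..' and symlinks; the prefix test then confines the
// request to the media directory whatever $src contained.
$mediadir = realpath(DOKU_INC.'data/media');
$path     = realpath(DOKU_INC.'data/media/'.$src);
if ($mediadir === false || $path === false) netlogo_servefile_deny(404);
$prefix = $mediadir.DIRECTORY_SEPARATOR;
if (substr($path, 0, strlen($prefix)) !== $prefix) netlogo_servefile_deny(403);
if (!is_file($path) || !is_readable($path)) netlogo_servefile_deny(404);

// all ok, serve file
// Sent as an opaque byte stream with sniffing disabled so a browser never
// renders media content as HTML on the wiki's origin.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: '.filesize($path));
readfile($path);

// vim:ts=4:sw=4:et: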