From 4eea005aa0fa1b5a31ac8e59a502df419ca012c4 Mon Sep 17 00:00:00 2001
From: "Namhyeon, Go"
Date: Tue, 11 Mar 2025 14:42:32 +0900
Subject: [PATCH] Update index.php

---
 assets/php/index.php | 38 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 13 deletions(-)

diff --git a/assets/php/index.php b/assets/php/index.php
index 312a961..9a015c0 100644
--- a/assets/php/index.php
+++ b/assets/php/index.php
@@ -480,25 +480,37 @@ function relay_fetch_url($params) {
         // from local source
         $local_prefix = "file:";
         $pos = strpos($url, $local_prefix);
-        if ($pos !== false && $pos == 0) {
-            $path = substr($url, strlen($local_prefix));
+        if ($pos !== false && $pos === 0) {
+            $path = realpath(substr($url, strlen($local_prefix)));
+            $basedir = realpath(__DIR__);
 
-            if (file_exists($path)) {
-                $response = file_get_contents($path);
-                return array(
-                    "success" => true,
-                    "result" => array(
-                        "status" => 200,
-                        "data" => $response
-                    )
-                );
+            if ($path && strpos($path, $basedir) === 0) {
+                if (file_exists($path)) {
+                    $response = file_get_contents($path);
+                    return array(
+                        "success" => true,
+                        "result" => array(
+                            "status" => 200,
+                            "data" => $response
+                        )
+                    );
+                } else {
+                    return array(
+                        "success" => false,
+                        "error" => array(
+                            "status" => 404,
+                            "code" => -1,
+                            "message" => "Not found"
+                        )
+                    );
+                }
             } else {
                 return array(
                     "success" => false,
                     "error" => array(
-                        "status" => 404,
+                        "status" => 403,
                         "code" => -1,
-                        "message" => "Not found"
+                        "message" => "Access denied"
                     )
                 );
             }
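Review bot: The containment test `strpos($path, $basedir) === 0` is a plain string-prefix check, so any sibling directory whose name merely starts with the base directory's name (for example a `<basedir>-backup` next to it) passes the guard; compare against the directory plus separator instead, `if ($path !== false && strpos($path, $basedir . DIRECTORY_SEPARATOR) === 0) {` (and handle `$basedir === false` the same way, since `realpath(__DIR__)` can fail too). With `realpath()` now applied first, a missing file yields `false` and falls into the 403 "Access denied" branch, so the new inner `file_exists()`/404 branch is reachable only through a race between the two calls — either drop it or accept that missing files are reported as 403. `$pos !== false &&` is redundant once the comparison is `$pos === 0`, and `file_get_contents()` still has no `=== false` check (a directory passes `file_exists()` but cannot be read). The body of `relay_fetch_url` continues beyond this hunk.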