Display an error page and return a 404 status code in the following
cases:

* An invalid package name is passed to the "packages" action.
* An invalid user name is passed to the "account" action.
* An invalid package action is passed.
* An invalid account action is passed.

Signed-off-by: Lukas Fleischer <[email protected]>
---
 web/html/index.php | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/web/html/index.php b/web/html/index.php
index 422c0e5..3b46ab9 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -7,15 +7,21 @@ include_once("pkgfuncs.inc.php");
 $path = $_SERVER['PATH_INFO'];
 $tokens = explode('/', $path);
 
-if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
-       if (isset($tokens[2])) {
+if (!empty($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
+       if (!empty($tokens[2])) {
                /* TODO: Create a proper data structure to pass variables from
                 * the routing framework to the individual pages instead of
                 * initializing arbitrary variables here. */
                $pkgname = $tokens[2];
                $pkgid = pkgid_from_name($pkgname);
 
-               if (isset($tokens[3])) {
+               if (!$pkgid) {
+                       header("HTTP/1.0 404 Not Found");
+                       include "./404.php";
+                       return;
+               }
+
+               if (!empty($tokens[3])) {
                        if ($tokens[3] == 'voters') {
                                $_GET['ID'] = pkgid_from_name($tokens[2]);
                                include('voters.php');
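Review bot: The switch from `isset` to `!empty` on the path segments introduces a hole: PHP's `empty()` treats the string `"0"` as empty, so a request for `/packages/0` no longer enters the package branch at all and falls through to the generic route include instead of resolving (or 404ing) that package name; the same applies to `$tokens[3]`. Keeping the intended "segment present and non-blank" test without that special case is a one-liner per check: `if (isset($tokens[2]) && $tokens[2] !== '') {` and `if (isset($tokens[3]) && $tokens[3] !== '') {`. Two smaller points on the new 404 path: `header("HTTP/1.0 404 Not Found")` hard-codes the protocol version regardless of what the client negotiated, and `http_response_code(404)` (PHP 5.4+) or `header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found')` avoids that; and the `voters` branch still calls `pkgid_from_name($tokens[2])` a second time although `$pkgid` has just been resolved and validated, so `$_GET['ID'] = $pkgid;` is both cheaper and guaranteed consistent with the 404 check above it. The enclosing `if` block for the package route continues past the end of this hunk.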
@@ -49,6 +55,10 @@ if (isset($tokens[1]) && '/' . $tokens[1] == 
get_pkg_route()) {
                        case "merge":
                                include('pkgmerge.php');
                                return;
+                       default:
+                               header("HTTP/1.0 404 Not Found");
+                               include "./404.php";
+                               return;
                        }
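Review bot: With the new `default:` branch every visible arm of this switch ends in `return`, so if the cases above the hunk do the same (the switch opens before the hunk starts, so this needs confirming), the `if (isset($_COOKIE['AURSID']))` that follows the closing brace has become unreachable and should either be removed or moved in front of the switch where it can still run. Separately, the three-line 404 sequence (`header(...)`, `include "./404.php"`, `return`) now appears four times in this file; a small helper such as `function not_found() { header("HTTP/1.0 404 Not Found"); include "./404.php"; }` with the caller keeping its own `return` would keep the status line and error page consistent if either ever changes, and the `default:` arm would shrink to `default: not_found(); return;`.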
 
                        if (isset($_COOKIE['AURSID'])) {
@@ -60,17 +70,25 @@ if (isset($tokens[1]) && '/' . $tokens[1] == 
get_pkg_route()) {
        }
 
        include get_route('/' . $tokens[1]);
-} elseif (isset($tokens[1]) && '/' . $tokens[1] == get_user_route()) {
-       if (isset($tokens[2])) {
-               $_REQUEST['U'] = $tokens[2];
+} elseif (!empty($tokens[1]) && '/' . $tokens[1] == get_user_route()) {
+       if (!empty($tokens[2])) {
+               $_REQUEST['ID'] = uid_from_username($tokens[2]);
 
-               if (isset($tokens[3])) {
+               if (!$_REQUEST['ID']) {
+                       header("HTTP/1.0 404 Not Found");
+                       include "./404.php";
+                       return;
+               }
+
+               if (!empty($tokens[3])) {
                        if ($tokens[3] == 'edit') {
                                $_REQUEST['Action'] = "DisplayAccount";
                        } elseif ($tokens[3] == 'update') {
                                $_REQUEST['Action'] = "UpdateAccount";
                        } else {
-                               $_REQUEST['Action'] = "AccountInfo";
+                               header("HTTP/1.0 404 Not Found");
+                               include "./404.php";
+                               return;
                        }
                } else {
                        $_REQUEST['Action'] = "AccountInfo";
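Review bot: The account route now hands downstream code a resolved numeric uid in `$_REQUEST['ID']` instead of the raw username in `$_REQUEST['U']`, which is an interface change for whatever consumes these keys (not part of this diff) and is not mentioned in the commit message; it is worth stating there and confirming the consumer was switched in the same commit, since a reader of the message sees only the 404 behaviour. The direction is sound for `edit`/`update`: because the path-derived value is written last, it overrides any `ID` a client supplies via GET or POST, so the URL is authoritative; note though that this hunk adds no check that the logged-in user may act on that account, so that check still has to live in the account handler. The `if (!$_REQUEST['ID'])` guard assumes `uid_from_username()` returns a falsy value for an unknown name and never a valid id of `0` — presumably true, but confirm against the helper. Storing the lookup in a local first, `$uid = uid_from_username($tokens[2]);` / `if (!$uid) { ... }` / `$_REQUEST['ID'] = $uid;`, also avoids reading back through the superglobal. The enclosing `elseif` block continues past the end of this hunk.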
-- 
1.8.0
