Index: www/redirect.php
===================================================================
RCS file: /repository/docweb/www/redirect.php,v
retrieving revision 1.9
diff -u -r1.9 redirect.php
--- www/redirect.php 31 Jul 2005 13:57:02 -0000 1.9
+++ www/redirect.php 5 Dec 2006 17:38:16 -0000
@@ -42,17 +42,19 @@
 $filename = preg_replace('/\?.*$/', '', $part);
 // remove webroot-escape attempts
- $filename = str_replace(array('..', '//'), array('', '/'), $filename);
+ $filename = str_replace('..', '', $filename);
- // fake DirectoryIndex
- if (substr($filename, -1) == '/' || $filename == '') {
- $filename .= 'index.php';
- }
+ // remove obsolete slashes
+ $filename = preg_replace('#/{2,}#', '/', $filename);
+
+ // strip ending slashes
+ $filename = rtrim($filename, '/');
- $filename = "./$filename";
+ $filename = './'.$filename;
- if (is_dir($filename))
- return "$filename/index.php";
+ if (is_dir($filename)) {
+ return $filename.'/index.php';
+ }
 return $filename;
 }
@@ -103,24 +105,31 @@
 // If it's a PHP file include it, otherwise pass it through
 if (substr($uri, -4) == '.php') {
 require($uri);
+ return;
 } else {
- // get the file mime type
+ // the file can't be a directory nor a php file
+ // Validate the mime type
+ $mime = false;
 foreach ($mime_types as $ext => $type) {
- if (substr($uri, -strlen(ext)) == $ext) {
+
+ if (substr($uri, -strlen($ext)) == $ext) {
 $mime = $type;
 break;
 }
- }
- header("Content-Type: $mime");
- readfile($uri);
+ }
+ if ($mime !== false) {
+ header("Content-Type: $mime");
+ readfile($uri);
+ return;
+ }
 }
-} else {
- // no resource found:
- header($_SERVER['SERVER_PROTOCOL']." 404 Not Found");
- $_SERVER["REDIRECT_STATUS"] = '404';
- $uri = '/';
- require('error.php');
 }
+// script has not exited yet, an error must have occured, display 404.
+// no resource found:
+header($_SERVER['SERVER_PROTOCOL']." 404 Not Found");
+$_SERVER["REDIRECT_STATUS"] = '404';
+$uri = '/';
+require('error.php');
 ?>
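Review bot: The `str_replace('..', '', $filename)` line plus the slash collapsing is a blacklist, so the resulting `$filename` is only as safe as whatever decoding `$part` has already been through before this hunk — the function begins outside the hunk, so I could not confirm where (or whether) percent-decoding and NUL handling happen, and a blacklist cannot see forms it was not written for. A positive containment check after the `'./'` prefix is the robust complement and is cheap here: `$real = realpath($filename);` followed by `if ($real === false || strpos($real, getcwd() . '/') !== 0) { /* treat as not found */ }`, handing back whatever value the caller's not-found path expects (the caller is also outside the hunk, so I cannot name that value); note `realpath()` resolves symlinks, so a link pointing outside the web root would be rejected too. The removed `$filename == ''` branch is now covered implicitly: an empty path becomes `'./'`, `is_dir()` is true, and the function returns `.//index.php` — functional, but a one-line comment such as `// empty path resolves to './' and is handled by the is_dir() branch below` would save the next reader the trace.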
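Review bot: The new `if ($mime !== false)` branch sends the `Content-Type` header and then `return`s whether or not `readfile($uri)` succeeded, so an unreadable file (permissions, removed between the check and the read) now yields a 200 with an empty body and never reaches the 404 block added at the bottom; guarding the branch with `if ($mime !== false && is_readable($uri)) {` keeps the fall-through to the 404 intact. Since the commit makes the `$mime_types` loop the allowlist that decides which non-`.php` files are streamed raw, and the suffix comparison is case-sensitive (`foo.JPG` falls to 404 while `foo.jpg` is served), that loop deserves a comment stating it is the allowlist and that the case-sensitive match is intended, e.g. `// $mime_types doubles as the extension allowlist; match is case-sensitive on purpose`. The outer `if` that these branches close begins before the hunk, so I could not see what condition admits `$uri` to this point.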