authorAndrew Dolgov <[email protected]>2019-08-14 09:49:18 +0300
committerAndrew Dolgov <[email protected]>2019-08-14 09:49:18 +0300
commit3c075bfd21adac9a4dde4fab6bd22886d6173d30 (patch)
tree29e29d6fbb1ce196c5af807338c8a56abf518f85
parent65450f8a2bbf325d26177c2589c3a9bbe67d8f80 (diff)
DiskCache: more strict checking for input filenames, getUrl() is no longer static
-rwxr-xr-xclasses/article.php6
-rw-r--r--classes/diskcache.php10
-rwxr-xr-xclasses/handler/public.php8
-rw-r--r--include/functions.php4
-rwxr-xr-xplugins/cache_starred_images/init.php4
5 files changed, 16 insertions, 16 deletions
diff --git a/classes/article.php b/classes/article.php
index 62ea1f3b9..67b1a4a05 100755
--- a/classes/article.php
+++ b/classes/article.php
@@ -673,10 +673,12 @@ class Article extends Handler_Protected {
$rv = array();
+ $cache = new DiskCache("images");
+
while ($line = $sth->fetch()) {
- if (file_exists(CACHE_DIR . '/images/' . sha1($line["content_url"]))) {
- $line["content_url"] = DiskCache::getUrl(sha1($line["content_url"]));
+ if ($cache->exists(sha1($line["content_url"]))) {
+ $line["content_url"] = $cache->getUrl(sha1($line["content_url"]));
}
array_push($rv, $line);
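Review bot: `sha1($line["content_url"])` is computed twice on the two added lines inside the loop, once for `exists()` and again for `getUrl()`; hashing once per iteration, `$hash = sha1($line["content_url"]);`, and passing `$hash` to both calls reads better and avoids the duplicate work. Hoisting the `DiskCache` construction out of the `while` loop is the right call. The `while` body and the enclosing method continue past the end of the hunk.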
diff --git a/classes/diskcache.php b/classes/diskcache.php
index 41609d6b5..92fd23ad4 100644
--- a/classes/diskcache.php
+++ b/classes/diskcache.php
@@ -3,7 +3,7 @@ class DiskCache {
private $dir;
public function __construct($dir) {
- $this->dir = CACHE_DIR . "/" . basename($dir);
+ $this->dir = CACHE_DIR . "/" . clean_filename($dir);
}
public function getDir() {
@@ -39,7 +39,7 @@ class DiskCache {
}
public function getFullPath($filename) {
- $filename = basename($filename);
+ $filename = clean_filename($filename);
return $this->dir . "/" . $filename;
}
@@ -72,8 +72,8 @@ class DiskCache {
return send_local_file($this->getFullPath($filename));
}
- static public function getUrl($filename) {
- return get_self_url_prefix() . "/public.php?op=cached_url&file=" . $filename;
+ public function getUrl($filename) {
+ return get_self_url_prefix() . "/public.php?op=cached_url&file=" . basename($this->dir) . "/" . $filename;
}
// check for locally cached (media) URLs and rewrite to local versions
@@ -103,7 +103,7 @@ class DiskCache {
if ($cache->getSize($cached_filename) > 0) {
- $src = DiskCache::getUrl(sha1($src));
+ $src = $cache->getUrl(sha1($src));
if ($entry->hasAttribute('poster'))
$entry->setAttribute('poster', $src);
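Review bot: Neither the constructor nor getFullPath() checks what clean_filename() hands back, so an empty input (or one stripped down to nothing) still yields a path: `new DiskCache("")` sets `$this->dir` to `CACHE_DIR . "/"`, i.e. the cache root itself, and `getFullPath("")` returns the directory rather than a file inside it. A guard in the constructor such as `if ($dir === "") throw new InvalidArgumentException("invalid cache dir");`, with an equivalent check in getFullPath() (or whatever failure convention the class already uses, which is not visible here), keeps a bad name from silently mapping onto the whole cache tree. Separately, the new getUrl() concatenates `$filename` into the query string raw; the names the visible callers pass are sha1 hex, but `urlencode($filename)` costs nothing and keeps the URL well-formed for any other caller.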
diff --git a/classes/handler/public.php b/classes/handler/public.php
index 901844e36..4c904231e 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -1202,13 +1202,7 @@ class Handler_Public extends Handler {
}
function cached_url() {
- $filename = $_GET['file'];
-
- if (strpos($filename, "/") !== FALSE) {
- list ($cache_dir, $filename) = explode("/", $filename, 2);
- } else {
- $cache_dir = "images";
- }
+ list ($cache_dir, $filename) = explode("/", $_GET["file"], 2);
$cache = new DiskCache($cache_dir);
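Review bot: The new `list()` line assumes the `file` parameter contains a `/`: when it does not, `explode()` returns a single element, PHP raises a notice for the missing index and `$filename` becomes null, and when the parameter is absent entirely `$_GET["file"]` is an undefined index. The removed branch used to default prefix-less names to the `images` cache, and the old static getUrl() emitted exactly such names, so URLs generated before this commit now hit this path; if dropping them is intended, fail explicitly rather than falling through with a null filename: `$parts = explode("/", isset($_GET["file"]) ? $_GET["file"] : "", 2); if (count($parts) != 2) return; list ($cache_dir, $filename) = $parts;` — substituting whatever cached_url() does further down for a missing file. The function body continues outside the hunk.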
diff --git a/include/functions.php b/include/functions.php
index 5a66e53b9..3f80ba5ba 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -594,6 +594,10 @@
}
}
+ function clean_filename($filename) {
+ return basename(preg_replace("/\.\.|[\/\\\]/", "", $filename));
+ }
+
function make_password($length = 12) {
$password = "";
$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ*%+^";
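Review bot: clean_filename() strips `..`, `/` and `\` in a single pass, so characters removed by that pass can recombine into the very sequence it is meant to remove: `.\.` becomes `..` once the backslash is dropped, and basename() returns `..` unchanged, so the result can still name the parent of the cache directory when it reaches the DiskCache constructor or getFullPath(). Replacing the strip-list with an allow-list and refusing the names basename() cannot neutralise (`.`, `..`, empty) closes that; the callers visible in this commit only pass sha1 hex, `<article_id>-<sha1>` and fixed directory names, so the allow-list below should cover them, but it is worth confirming against anything already on disk. Callers then need to treat an empty result as invalid instead of joining it onto a path.
```php
function clean_filename($filename) {
	// allow-list rather than strip-list: stripping can recombine into ".." (e.g. ".\.")
	$filename = preg_replace('/[^A-Za-z0-9_.-]/', '', (string) $filename);

	// basename() passes "." and ".." through unchanged; refuse them outright
	if ($filename === '' || $filename === '.' || $filename === '..')
		return '';

	return $filename;
}
```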
diff --git a/plugins/cache_starred_images/init.php b/plugins/cache_starred_images/init.php
index 916cedd53..967569543 100755
--- a/plugins/cache_starred_images/init.php
+++ b/plugins/cache_starred_images/init.php
@@ -101,7 +101,7 @@ class Cache_Starred_Images extends Plugin {
$local_filename = $article_id . "-" . sha1($enc["content_url"]);
if ($this->cache->exists($local_filename)) {
- $enc["content_url"] = DiskCache::getUrl("starred-images/" . $local_filename);
+ $enc["content_url"] = $this->cache->getUrl($local_filename);
}
return $enc;
@@ -123,7 +123,7 @@ class Cache_Starred_Images extends Plugin {
$local_filename = $article_id . "-" . sha1($src);
if ($this->cache->exists($local_filename)) {
- $entry->setAttribute("src", DiskCache::getUrl("starred-images/" . $local_filename));
+ $entry->setAttribute("src", $this->cache->getUrl($local_filename));
$entry->removeAttribute("srcset");
}
}