From fcf0495a3858696db9bf19c26c6b7e2e785b9743 Mon Sep 17 00:00:00 2001
From: Diederik de Groot
Date: Sat, 15 Feb 2020 23:42:46 +0100
Subject: [PATCH] Add isValidRequest() function

Signed-off-by: Diederik de Groot
---
 lib/resolver.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/resolver.php b/lib/resolver.php
index 414e625..1c1f057 100755
--- a/lib/resolver.php
+++ b/lib/resolver.php
@@ -8,6 +8,7 @@ include_once("config.php");
 - improve error handling
 - secure urlencoding/urldecoding
 - don't allow browsing
+ - See isValidRequest()
 - check source ip-range
 - check HTTPHeader for known BrowserTypes
 */
@@ -76,7 +77,16 @@ class Resolver {
 unset($this->cache[$hash]);
 $this->isDirty = TRUE;
 }
+ function isValidRequest($request) {
+ /* todo: make sure request does not startwith or contain: "/", "../" or "/./" */
+ /* todo: make sure request only starts with filename or one of $config[$subdir]['locale'] or $config[$subdir]['wallpaper'] */
+ /* todo: check uri/url decode */
+ return TRUE;
+ }
 function resolve($request) /* canthrow */ {
+ if (!$this->isValidRequest($request)) {
+ throw new Exception("Invalid request:'$request'");
+ }
 $path = '';
 if (array_key_exists($request, $this->cache)) {
 if ($path = $this->cache[$request]) {
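Review bot: isValidRequest() returns TRUE unconditionally, so the new guard at the top of resolve() never throws and a request with a leading "/" or a "../" segment is handled exactly as it was before this commit. Until the todos are implemented the method should at least reject those forms, in both the raw and the once-decoded request, as sketched below; the allow-list on `$config[$subdir]['locale']` and `['wallpaper']` depends on configuration that is not visible here. The check has to run on the same decoded form that resolve() later uses to build the path, which cannot be confirmed from the hunk because resolve()'s body continues outside it. Separately, `"Invalid request:'$request'"` copies the raw request into the exception message; if that message reaches a log or the HTTP response it should be escaped there or replaced by a fixed string.

```php
function isValidRequest($request) {
	/* … unchanged: the three todo comments … */
	if (!is_string($request) || $request === '') {
		return FALSE;
	}
	/* test the raw and the once-decoded form so an encoded "../" is rejected as well */
	foreach (array($request, rawurldecode($request)) as $candidate) {
		$segments = explode('/', $candidate);
		if ($candidate[0] === '/'
			|| strpos($candidate, "\0") !== FALSE
			|| strpos($candidate, '\\') !== FALSE
			|| in_array('..', $segments, TRUE)
			|| in_array('.', $segments, TRUE)) {
			return FALSE;
		}
	}
	return TRUE;
}
```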