From 9caf7e3c4588b9e5f3c4471e0ba6597a49a44941 Mon Sep 17 00:00:00 2001
From: steckbrief <steckbrief@chefmail.de>
Date: Mon, 19 Sep 2016 12:48:23 +0200
Subject: add access check to i.php for every file request

---
 i.php                        | 44 ++++++--------------------------------------
 include/access_check.inc.php | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 38 deletions(-)
 create mode 100644 include/access_check.inc.php

diff --git a/i.php b/i.php
index 8b3e89bcd..2225f09dd 100644
--- a/i.php
+++ b/i.php
@@ -29,8 +29,7 @@ defined('PWG_LOCAL_DIR') or define('PWG_LOCAL_DIR', 'local/');
 defined('PWG_DERIVATIVE_DIR') or define('PWG_DERIVATIVE_DIR', $conf['data_location'].'i/');
 
 @include(PHPWG_ROOT_PATH.PWG_LOCAL_DIR .'config/database.inc.php');
-
-include(PHPWG_ROOT_PATH . 'include/Logger.class.php');
+include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
 
 $logger = new Logger(array(
   'directory' => PHPWG_ROOT_PATH . $conf['data_location'] . $conf['log_dir'],
@@ -41,40 +40,6 @@ $logger = new Logger(array(
   'filename' => 'log_' . date('Y-m-d') . '_' . sha1(date('Y-m-d') . $conf['db_password']) . '.txt',
   ));
 
-
-function trigger_notify() {}
-function get_extension( $filename )
-{
-  return substr( strrchr( $filename, '.' ), 1, strlen ( $filename ) );
-}
-
-function mkgetdir($dir)
-{
-  if ( !is_dir($dir) )
-  {
-    global $conf;
-    if (substr(PHP_OS, 0, 3) == 'WIN')
-    {
-      $dir = str_replace('/', DIRECTORY_SEPARATOR, $dir);
-    }
-    $umask = umask(0);
-    $mkd = @mkdir($dir, $conf['chmod_value'], true);
-    umask($umask);
-    if ($mkd==false && !is_dir($dir) /* retest existence because of potential concurrent i.php with slow file systems*/)
-    {
-      return false;
-    }
-
-    $file = $dir.'/index.htm';
-    file_exists($file) or @file_put_contents( $file, 'Not allowed!' );
-  }
-  if ( !is_writable($dir) )
-  {
-    return false;
-  }
-  return true;
-}
-
 // end fast bootstrap
 
 function ierror($msg, $code)
@@ -258,11 +223,11 @@ function parse_request()
     }
   }
 
-  if (is_file(PHPWG_ROOT_PATH.$req.$ext))
+  if (@is_file(PHPWG_ROOT_PATH.$req.$ext))
   {
     $req = './'.$req; // will be used to match #iamges.path
   }
-  elseif (is_file(PHPWG_ROOT_PATH.'../'.$req.$ext))
+  elseif (@is_file(PHPWG_ROOT_PATH.'../'.$req.$ext))
   {
     $req = '../'.$req;
   }
@@ -345,6 +310,9 @@ function try_switch_source(DerivativeParams $params, $original_mtime)
 function send_derivative($expires)
 {
   global $page;
+  
+  include_once(PHPWG_ROOT_PATH.'include/access_check.inc.php');
+  checkAccess();
 
   if (isset($_GET['ajaxload']) and $_GET['ajaxload'] == 'true')
   {
diff --git a/include/access_check.inc.php b/include/access_check.inc.php
new file mode 100644
index 000000000..26f77afa9
--- /dev/null
+++ b/include/access_check.inc.php
@@ -0,0 +1,41 @@
+<?php
+function doError($code, $str) {
+  set_status_header($code);
+  echo $str ;
+  exit();
+}
+
+/**
+ * exits if there is no access.
+ */
+function checkAccess() {
+  global $page;
+
+  $picid = '';
+  $query = 'SELECT id FROM '.IMAGES_TABLE.' WHERE path=\''.$page['src_location'].'\';';
+  $result = pwg_query($query);
+  if (!is_object($result)) {
+    header('Location:'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
+  }
+  if (($row = pwg_db_fetch_assoc($result))) {
+    if (isset($row['id'])) {
+      $picid = $row['id'];
+    } else {
+      doError(404, 'Requested id not found');
+    }
+  } else {
+    doError(404, 'Requested id not found');
+  }
+  
+  $query = 'SELECT id FROM '.CATEGORIES_TABLE.' INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON category_id = id WHERE image_id = '.$picid.' '.get_sql_condition_FandF(
+    array(
+        'forbidden_categories' => 'category_id',
+        'forbidden_images' => 'image_id',
+      ),
+    '    AND'
+    ).'
+    LIMIT 1;';
+  if (pwg_db_num_rows(pwg_query($query)) < 1) {
+    doError(401, 'Access denied');
+  }
+}
\ No newline at end of file
-- 
cgit v1.2.3