projects / bookreader.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
For old loans, the uuid is actually a text string, not a uuid.
[bookreader.git] / BookReaderIA / www / BookReaderAuth.php
diff --git a/BookReaderIA/www/BookReaderAuth.php b/BookReaderIA/www/BookReaderAuth.php
index 79e0ffb..04f25f7 100644 (file)
--- a/BookReaderIA/www/BookReaderAuth.php
+++ b/BookReaderIA/www/BookReaderAuth.php
@@ -18,15 +18,35 @@ This file is part of BookReader.
     along with BookReader.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-$id = $_POST['id'];
-$uuid = $_POST['uuid'];
-$token = $_POST['token'];
-$bookPath = $_POST['bookPath'];
+$id = $_REQUEST['id'];
+$uuid = $_REQUEST['uuid'];
+$token = $_REQUEST['token'];
+$bookPath = $_REQUEST['bookPath'];
+
+if (!preg_match('/^\d{10}-[0-9a-f]{32}$/', $token)) {
+    fatal();
+}
+
+//if (!preg_match('/^[0-9a-f]{32}$/', $uuid)) {
+if (!preg_match('/^\S{1,128}$/', $uuid)) {
+    fatal();
+}
+
+if (!preg_match('/^[a-zA-Z0-9][a-zA-Z0-9\.\-_]{1,100}$/', $id)) {
+    fatal();
+}
+
+if (!preg_match("|^/stream/$id|", $bookPath)) {
+    fatal();
+}
 
-// XXX sanitize incoming params!
 setcookie('br-loan-' . $id, $uuid, 0, '/', '.archive.org');
 setcookie('loan-' . $id, $token, 0, '/', '.archive.org');
 
 header('Location: ' . $bookPath);
 
-?>
\ No newline at end of file
+function fatal() {
+    echo "Malformed request.";
+    die(-1);
+}
+?>
Unnamed repository; edit this file 'description' to name the repository.