From: Joey Schulze
Date: Thu, 25 Feb 2010 16:18:02 +0000 (+0100)
Subject: Automatically calculate the filesystem path of the application and use
X-Git-Tag: 2010-06-02_customer~218
X-Git-Url: https://git.infodrom.org/?p=misc%2Fkostenrechnung;a=commitdiff_plain;h=a19c85f249af5dd5db7b0cc62f3ba45243bbb82d
Automatically calculate the filesystem path of the application and use it for reading and including files later
---
diff --git a/ajax/ajax.php b/ajax/ajax.php
index a709a03..57f35a3 100644
--- a/ajax/ajax.php
+++ b/ajax/ajax.php
@@ -60,7 +60,7 @@ if (empty($_POST['source'])) exit;
 connect_db();
-if (load_mask($_POST['source'], '../') === false) exit;
+if (load_mask($_POST['source']) === false) exit;
 $data = array('error' => 'Unknown function');
diff --git a/lib/general.php b/lib/general.php
index fa250f8..278501e 100644
--- a/lib/general.php
+++ b/lib/general.php
@@ -21,12 +21,12 @@ function sanitise_filename($file)
 return str_replace('./','x',$file);
 }
-function load_mask($name, $prefix = '')
+function load_mask($name)
 {
 global $mask;
 $name = sanitise_filename($name);
-$file = $prefix . 'masks/' . $name . '.php';
+$file = $_SESSION['sys']['basedir'] . 'masks/' . $name . '.php';
 if (!file_exists($file)) return false;
diff --git a/lib/login.php b/lib/login.php
index e45b4ec..35e6160 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -17,11 +17,18 @@ function check_passwd()
 if ($sth === false) return false;
+ if (substr($_SERVER['HTTP_REFERER'],-12) != '/?login=true'
+ || substr($_SERVER['SCRIPT_FILENAME'],-10) != '/index.php') {
+ error_log('Wrong referrer or wrong request uri');
+ return false;
+ }
+
 if ($row = pg_fetch_assoc($sth)) {
 $_SESSION['sys'] = array('uid' => $row['id'],
 'login' => $row['login'],
 'name' => $row['name'],
- 'email' => $row['email']);
+ 'email' => $row['email'],
+ 'basedir' => substr($_SERVER['SCRIPT_FILENAME'],0,-9));
 return true;
 }
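Review bot: load_mask now dereferences `$_SESSION['sys']['basedir']` unconditionally, but sessions established before this change (and any caller that reaches load_mask without a login session) have no such key, so PHP emits an undefined-index notice and the path silently degrades to `'masks/' . $name . '.php'` relative to the current working directory, which is presumably the cwd-dependent lookup this commit means to get rid of. Failing closed is simpler than guessing: `if (empty($_SESSION['sys']['basedir'])) return false;` before `$file` is built. The same assumption now holds for the ajax/ajax.php call site in the first hunk, which no longer passes a prefix. Whether `$name` stays inside the masks directory still rests entirely on sanitise_filename's `'./'` replacement above this hunk; a realpath() comparison of `$file` against the masks directory after the file_exists check would make that confinement independent of the replacement rule. load_mask's body continues past the end of the hunk.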
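Review bot: The new guard in check_passwd reads `$_SERVER['HTTP_REFERER']` without checking that it is set, so a browser or proxy that strips the Referer header produces an undefined-index notice and the login is rejected; the header is also client-supplied, so this is a sanity check on the request shape rather than an origin control, and should be guarded with `isset($_SERVER['HTTP_REFERER'])` and documented as such. The offsets `-12`, `-10` and `0,-9` encode the lengths of '/?login=true', '/index.php' and 'index.php'; the basedir derivation would be self-explanatory as `'basedir' => dirname($_SERVER['SCRIPT_FILENAME']) . '/'`, which yields the same trailing-slash form that load_mask's `'masks/'` concatenation depends on. A short comment on the guard, e.g. `// only index.php?login=true may establish a session; basedir feeds load_mask()`, would record why the request is constrained here. check_passwd's body starts before this hunk.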