I have a website that is set up like this:

client request --> gate.php --> requested file

Every request the client sends goes to gate.php, where it is parsed. Gate.php then includes the requested file from a restricted directory so that the client cannot access any file but gate.php.

Gate file:

```php
<?php
$_uri = strtok($_SERVER["REQUEST_URI"],'?');
$_root = "<root>";
// Index //
switch($_uri) {
    case "/": $_uri = "<path>"; break;
    case "/css": $_uri = "<path>"; break;
    case "/js": $_uri = "<path>"; break;
    // Note: $_GET["p"] goes into the include path unvalidated here
    case "/font": $_uri = "<path>".strtok($_GET["p"],".")."/".$_GET["p"]; break;
    case "/ajax": $_uri = "<path>"; break;
    case "/signin": $_uri = "<path>"; break;
    case "/signup": $_uri = "<path>"; break;
    default:
        if(substr($_uri,0,8) == "/profile") { // profile
            $_page = substr($_uri,9); // read the page name before $_uri is overwritten
            $_uri = "<path>";
        } else {
            header("HTTP/1.1 404");
            require_once($_root."<path>");
            die();
        }
}
!isset($_page) and isset($_GET["p"]) ? $_page = $_GET["p"] : 0;
// Mime //
$_path = explode(".",$_uri);
switch($_path[1]) {
    case "php": $_path[2] = "text/html"; break;
    case "css": $_path[2] = "text/css"; break;
    case "js": $_path[2] = "application/javascript"; break;
    case "xml": $_path[2] = "application/xml"; break;
    case "svg": $_path[2] = "image/svg+xml"; break;
    case "jpg": $_path[2] = "image/jpeg"; break;
    case "png": $_path[2] = "image/png"; break;
    case "otf": $_path[2] = "x-font/otf"; break;
    case "eot": $_path[2] = "x-font/eot"; break;
    case "ttf": $_path[2] = "x-font/ttf"; break;
    case "woff": $_path[2] = "x-font/woff"; break;
    default:
        header("HTTP/1.1 500");
        require_once($_root."<path>");
        die();
}
$_path[2] == "text/html" ? require_once($_root."<path>") : 0;
// File //
header("Content-Type: ".$_path[2]);
// require_once runs every file through the PHP parser, including fonts
require_once($_root."/sys".$_uri);

?>
```

The problem is, when I pass a font file through the gate, the font file contains the text <? which PHP parses and returns an error.

Is there any way to escape the font file so that PHP does not parse it?

Krii
  • please, share the `gate.php` source code –  Sep 27 '15 at 17:08
  • This approach is a bad practice. I suggest you use an htaccess rewrite to request non-php files: http://stackoverflow.com/questions/19753315/how-can-i-return-static-files-in-php –  Sep 27 '15 at 17:19
  • @Diego Mariani The problem with that is that I have restricted all access to any file but `gate.php`. The file can only be accessed through the server. – Krii Sep 27 '15 at 17:30
  • I agree with @DiegoMariani, in your case, you could simply create a folder named public without the restriction and put all your images, fonts, scripts and styles there. That way, your controller can focus on serving the PHP pages and your server can handle everything else. – Marcos Dimitrio Sep 27 '15 at 17:36
  • Alright, I will do that (though it bothers me to upset the balance of my file system...[oh well]). – Krii Sep 27 '15 at 22:46

1 Answer

You can only require files that can be interpreted by PHP. If you want to serve other kinds of files through your script, you have to output them by reading them.

Something like:

```php
$file = 'myfontfile.ttf';

if (file_exists($file)) {
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: inline; filename="'.basename($file).'"');
    header('Content-Length: ' . filesize($file));
    readfile($file);
    exit;
}
```
Marcos Dimitrio
  • @DiegoMariani, `require` works with non-php as long as they can be interpreted by PHP, as I stated, such as HTML and text. A font file cannot be interpreted by PHP, that's why the OP is getting the error message. – Marcos Dimitrio Sep 27 '15 at 17:23
  • I will try this. (am trying to incorporate into gate file) – Krii Sep 27 '15 at 17:26
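
The answer's `readfile()` approach applied to the gate's `/font` branch, as an added example that is not code from the thread: because `p` comes straight from the query string, the name is validated against an allowlist and confined to the font directory before any bytes are sent. `FONT_TYPES`, `resolve_font()` and `send_font()` are hypothetical names, and the temp directory and sample file are constructed for the demo.

```php
<?php
// Added example, not the thread's code. FONT_TYPES, resolve_font() and
// send_font() are hypothetical names; the directory layout is assumed.
const FONT_TYPES = ['otf' => 'font/otf', 'ttf' => 'font/ttf', 'woff' => 'font/woff'];

// Map a client-supplied name to [absolutePath, mimeType] inside $fontDir,
// or null when the name is not an allowed font file.
function resolve_font(string $fontDir, string $name): ?array
{
    // Only "family.ext": no slashes, no "..", no NUL bytes.
    if (!preg_match('/\A([A-Za-z0-9_-]+)\.([a-z0-9]+)\z/', $name, $m)) {
        return null;
    }
    if (!array_key_exists($m[2], FONT_TYPES)) {
        return null; // extension allowlist: .php and friends never get through
    }
    // Same shape as the gate's /font branch: <fontDir>/<family>/<family>.<ext>
    $base = realpath($fontDir);
    $path = realpath($fontDir . '/' . $m[1] . '/' . $name);
    // realpath() resolves symlinks, so re-check that the result is under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, FONT_TYPES[$m[2]]];
}

function send_font(string $fontDir, string $name): void
{
    $font = resolve_font($fontDir, $name);
    if ($font === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $font[1]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($font[0]));
    readfile($font[0]); // bytes are copied out as-is, never parsed as PHP
}

// Constructed demo data: a fake font whose bytes contain "<?".
$dir = sys_get_temp_dir() . '/fontdemo_' . getmypid();
mkdir($dir . '/demo', 0700, true);
file_put_contents($dir . '/demo/demo.ttf', "\x00\x01\x00\x00<?not-php");
var_dump(resolve_font($dir, 'demo.ttf') !== null);
var_dump(resolve_font($dir, '../../etc/passwd'));
var_dump(resolve_font($dir, 'demo.php'));
```

In the gate, the `/font` case would call `send_font()` and then `die()` instead of falling through to the final `require_once`.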