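<?php
include 'manager/includes/helpers.php';
// Add items to this array corresponding to which directories within assets/snippets/ can be used by this file.
// Do not add entries unnecessarily.
// Any PHP files in these directories can be executed by any user.
$allowed_dirs[] = 'assets/snippets/ajaxSearch/';

// Requested script, relative to the install root: GET 'q' takes precedence over POST 'q'.
// getv()/postv() are presumably provided by helpers.php and return '' when the key is absent.
if (getv('q') !== '') {
    $q = getv('q');
} elseif (postv('q') !== '') {
    $q = postv('q');
} else {
    force_exit();
}
// Reject snippet configurations that request code evaluation.
if (strpos(postv('ucfg'), '@EVAL') !== false) force_exit();

// Install root as seen by the included scripts (kept in the same form as before).
$base_path = str_replace('\\', '/', __DIR__) . '/';

// Canonical install root for the prefix checks below. realpath() resolves '..' segments
// and symlinks, so the checks compare canonical paths rather than the client-supplied string.
$real_base = realpath(__DIR__);
if ($real_base === false) force_exit();
$real_base = str_replace('\\', '/', $real_base) . '/';

// Canonicalise the requested path before any prefix comparison. Without this, a path such as
// "<whitelisted dir>/../x.php" passes a plain string prefix test while referring to a file
// outside the whitelist. Only existing regular files are accepted.
$real_q = realpath($base_path . $q);
if ($real_q === false || !is_file($real_q)) force_exit();
$q = str_replace('\\', '/', $real_q);

// Only .php files below assets/snippets/ (by canonical path) may be reached.
$file_ext = strtolower(substr($q, -4));
if ($file_ext !== '.php' || strpos($q, $real_base . 'assets/snippets/') !== 0) {
    force_exit();
}

// permission check: the canonical path must lie within one of the whitelisted directories.
// A whitelisted directory that is itself a symlink to a location outside the install root
// resolves elsewhere and is therefore rejected here.
foreach ($allowed_dirs as $allowed_dir) {
    if (strpos($q, $real_base . $allowed_dir) === 0) {
        define('MODX_API_MODE', true);
        include_once('index.php');
        include_once($q);
        exit;
    }
}
force_exit();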
// Force exit Function (404 Not Found)
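/**
 * Abort the request with a plain-text "404 Not Found" response.
 *
 * Every rejection path in this file ends here, so a refused request receives
 * the same response regardless of the reason it was refused. Never returns.
 */
function force_exit()
{
    // SERVER_PROTOCOL is not set under every SAPI (e.g. CLI); fall back to a valid status line
    // instead of emitting an undefined-index notice and a malformed header.
    $protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
    header($protocol . ' 404 Not Found');
    exit('404 Not Found');
}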