Jeff Terrell

Jeff Terrell
Ph.D. Computer Science, 2009
University of North Carolina at Chapel Hill

jsterrel AT

View Source of viewsource.php

In the interest of open source, and in the interest of keeping Mr. Webmaster honest, here is the PHP source of viewsource.php. (This encourages him to write clean, easy-to-understand code...well, relatively clean and easy-to-understand, that is.) If you become interested in PHP, you can read more about it at PHP: Hypertext Preprocessor. You will also see plenty of HTML code, which is what makes the World Wide Web go 'round. You can read more about HTML (and CSS, another technology used on this site) here, at the official page of the very official World Wide Web Consortium (W3C). Anyway, enough rambling, here's the code!

<?php include("header1.php"); ?>
<?php $THIS_FILE 
  <title>View Source</title>
  <link rel="stylesheet" href="default.css" type="text/css" charset="iso-8859-1" title="Default" />
<?php include("header2.php"); ?>
include("localheader.php"); ?>
if (isset($_GET["file"])) {
$file $_GET["file"];
  } else {
$file $THIS_FILE;

#Strip out one or more '../' and './' to avoid hacks like:
  # Bug - allowed './../../../etc/passwd' - reported by Justin V.
  #$file = preg_replace('/^(\.\.\/)+/', "", $file);
  # Bug - allowed 'foo/../../../../etc/passwd' - reported by Justin V.
  # $file = preg_replace('/^[\.\/]+/', $file);
  # Changed from a sanitization approach to just quitting on match.
if (!preg_match('/\.\.\//'$file)) {
$fullFilename "/afs/$file";

"<h1>View Source of $file</h1>\n";
$path_parts pathinfo("$fullFilename");
  if (isset(
$fullFilename) &&
is_file($fullFilename) &&
is_readable($fullFilename) &&
$path_parts["extension"] == "php") {
"<p>In the interest of open source, and in the interest of keeping Mr. Webmaster honest, here is the PHP source of $file.  (This encourages him to write clean, easy-to-understand code...well, <em>relatively</em> clean and easy-to-understand, that is.)  If you become interested in PHP, you can read more about it at <a href=\"\">PHP: Hypertext Preprocessor</a>.  You will also see plenty of HTML code, which is what makes the World Wide Web go 'round.  You can read more about HTML (and CSS, another technology used on this site) <a href=\"\">here</a>, at the official page of the very official World Wide Web Consortium (W3C).  Anyway, enough rambling, here's the code!</p><hr />\n";
"<div class=\"source\">\n";
  } elseif (!isset(
$fullFilename)) {
"<p>Hey, wise guy!  What do you think you're doing?  Tampering with the filename is not allowed.  Go hack somebody else's web server, and leave me alone.  Punk.</p>\n";
  } elseif (
$path_parts["extension"] != "php") {
"<p>Whoops!  You can only view the source of files with a .php extension.  It wouldn't make sense to view the source of, say, an image, now would it?</p>\n";
  } else {
"<p>Whoops!  That file doesn't exist.  You can notify the webmaster, if you wish.  Just send an email to <a href=\"mailto:jsterrel AT cs DOT\">jsterrel AT cs DOT</a> and mention that the file you're trying to view the source of is &quot;$fullFilename&quot;.  Thanks, have a nice day, and go splash in a puddle for me.</p>";

<?php include("footer.php"); ?>
viewsource.php: Last Modified: 08/13/07@20:34:26 | Size: 2780 bytes | View Source