From f1d86e031906620e7f980078da87299fa35ea4d3 Mon Sep 17 00:00:00 2001
From: Michael Hawkins
Date: Wed, 1 Jul 2020 17:42:05 +0800
Subject: [PATCH] MDL-68426 theme: Set a limit on paths length in yui_combo

The maximum paths length is now consistent with the YUI loader. This fix also removes any duplicate paths, so each file is only ever fetched once.
---
 theme/yui_combo.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/theme/yui_combo.php b/theme/yui_combo.php
index acbd6c010c6..b74f3bd62c9 100644
--- a/theme/yui_combo.php
+++ b/theme/yui_combo.php
@@ -38,9 +38,21 @@ if (!$parts) {
 combo_not_found();
 }
-$etag = sha1($parts);
 $parts = trim($parts, '&');
+// Remove any duplicate parts, since each file only needs to be loaded once (which also helps reduce total file size).
+$parts = implode('&', array_unique(explode('&', $parts)));
+
+// Limit length of parts to match the YUI loader limit of 1024, to prevent loading an arbitrary number of files.
+if (strlen($parts) > 1024) {
+ $parts = substr($parts, 0, 1024);
+
+ // If the shortened $parts has been cut off mid-way through a filename, trim back to the end of the previous filename.
+ if (substr($parts, -3) !== '.js' && substr($parts, -4) !== '.css') {
+ $parts = substr($parts, 0, strrpos($parts, '&'));
+ }
+}
+
 // find out what we are serving - only one type per request
 $content = '';
 if (substr($parts, -3) === '.js') {
@@ -51,6 +63,8 @@ if (substr($parts, -3) === '.js') {
 combo_not_found();
 }
+$etag = sha1($parts);
+
 // if they are requesting a revision that's not -1, and they have supplied an
 // If-Modified-Since header, we can send back a 304 Not Modified since the
 // content never changes (the rev number is increased any time the content changes)
-- 
2.43.0
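Review bot: The fallback `substr($parts, 0, strrpos($parts, '&'))` in the first hunk does not handle `strrpos()` returning `false`, which happens when the first 1024 bytes hold a single over-long part with no `&`. In that case `false` is coerced to a length of 0, `$parts` becomes an empty string, and the request appears to be rejected only incidentally by the later suffix test rather than by an explicit check. I would make the rejection explicit: `$cut = strrpos($parts, '&');`, then `if ($cut === false) { combo_not_found(); }`, then `$parts = substr($parts, 0, $cut);` (assuming combo_not_found() ends the request, as its other uses here suggest). Note also that the `.js`/`.css` suffix test cannot tell a complete filename from a cut that lands right after `.js` inside a longer name, so the per-part path validation further down, outside this hunk, remains the real gate.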
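Review bot: The moved `$etag = sha1($parts);` in the second hunk carries no comment explaining why it must sit after the normalisation, and its position is now load-bearing. Hashing before the de-duplication and truncation would give equivalent requests different ETags and let the tag describe paths that are never served. I would add `// Compute the ETag from the normalised parts (de-duplicated, length-limited) so it matches the content actually served.` directly above it. The 304 handling that consumes `$etag` lies below the hunk, and the lines between the two hunks are not shown, so I cannot confirm from here that nothing between the old and new position read the variable.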