|
8 | 8 | * |
9 | 9 | * Test Plan: |
10 | 10 | * |
11 | | - * $ REQUEST_URI="/example" php purge.php |
| 11 | + * $ STRIKETRACKER_TOKEN='*' STRIKETRACKER_ACCOUNT='*' PURGE_URI='/example' php purge.php |
12 | 12 | */ |
13 | 13 |
|
14 | | -if ( !isset( $_SERVER[ 'REQUEST_URI' ] ) |
15 | | - || !function_exists( 'curl_init' ) |
16 | | -) { |
| 14 | +if ( !function_exists( 'curl_init' ) ) { |
17 | 15 | http_response_code( 500 ); |
18 | 16 | echo "Context error.\n"; |
19 | 17 | exit; |
20 | 18 | } |
21 | 19 |
|
| 20 | +// Use a map to validate values and as indirection to ensure trivial bugs |
| 21 | +// can't result in a user-supplied string getting used. |
| 22 | +$purgeHostnames = [ |
| 23 | + 'code' => 'code.jquery.com', |
| 24 | + 'releases' => 'releases.jquery.com', |
| 25 | +]; |
| 26 | + |
22 | 27 | // Highwinds StrikeTracker |
23 | 28 | $striketrackerUrl = getenv( 'STRIKETRACKER_URL' ) ?: 'https://striketracker.highwinds.com'; |
24 | 29 | $striketrackerToken = getenv( 'STRIKETRACKER_TOKEN' ) ?: false; |
25 | 30 | $striketrackerAccountHash = getenv( 'STRIKETRACKER_ACCOUNT' ) ?: false; |
26 | | -// This is configurable because the purge script may be invoked |
27 | | -// from a hostname different from the one canonically serving the asset, |
28 | | -// or. e.g. from the CLI. |
29 | | -$striketrackerPurgeHostname = getenv( 'STRIKETRACKER_PURGE_HOSTNAME' ) ?: 'code.jquery.com'; |
| 31 | + |
| 32 | +// The purge script is generally not called from a purgable site, so the current request |
| 33 | +// is unlikely to be on the purgable site itself (e.g. some origin server instead of the |
| 34 | +// public hostname). As such, take the target site as input. This also allows the same |
| 35 | +// script to be used for multiple sites. |
| 36 | +$purgeSite = getenv( 'PURGE_SITE' ) ?: @$_GET['site'] ?: 'releases'; |
| 37 | +$striketrackerPurgeHostname = @$purgeHostnames[$purgeSite] ?: false; |
| 38 | + |
| 39 | +$purgeUri = getenv( 'PURGE_URI' ) ?: @$_GET['uri'] ?: @$_SERVER['REQUEST_URI'] ?: false; |
30 | 40 |
|
31 | 41 | if ( !$striketrackerUrl |
32 | 42 | || !$striketrackerToken |
33 | 43 | || !$striketrackerAccountHash |
34 | 44 | || !$striketrackerPurgeHostname |
| 45 | + || !$purgeUri |
35 | 46 | ) { |
36 | | - $configFile = __DIR__ . '/config.json'; |
37 | | - $configJson = @file_get_contents( $configFile ); |
38 | | - $config = $configJson ? json_decode( $configJson ) : false; |
39 | | - $hwConfig = $config ? $config->highwinds : false; |
40 | | - if ( !$hwConfig |
41 | | - || !$hwConfig->api_url |
42 | | - || !$hwConfig->api_token |
43 | | - || !$hwConfig->account_hash |
44 | | - || !$hwConfig->file_hostname |
45 | | - ) { |
46 | | - http_response_code( 500 ); |
47 | | - echo "Configuration error.\n"; |
48 | | - exit; |
49 | | - } |
50 | | - $striketrackerUrl = $hwConfig->api_url; |
51 | | - $striketrackerToken = $hwConfig->api_token; |
52 | | - $striketrackerAccountHash = $hwConfig->account_hash; |
53 | | - $striketrackerPurgeHostname = $hwConfig->file_hostname; |
| 47 | + |
| 48 | + http_response_code( 400 ); |
| 49 | + echo "Configuration error.\n"; |
| 50 | + exit; |
54 | 51 | } |
55 | 52 |
|
56 | 53 | // The StrikeTracker Purge API is protocol-sensitive. |
57 | 54 | // HTTP and HTTPS need to be purged separately, or |
58 | 55 | // we can use a protocol-relative file url, which Highwinds |
59 | 56 | // supports as short-cut for purging both. |
60 | | -$file = "//{$striketrackerPurgeHostname}/" . ltrim( $_SERVER[ 'REQUEST_URI' ], '/' ); |
| 57 | +$file = "//{$striketrackerPurgeHostname}/" . ltrim( $purgeUri, '/' ); |
61 | 58 |
|
62 | 59 | /** |
63 | 60 | * Make an HTTP POST request, submitting JSON data, and receiving JSON data. |
|