Source Code
The entire project, readable in your browser. No hidden JavaScript, no sneaky beacons. If we claimed we don't track you, this is where you check.
|
Pages/
Feeds/
Backend/
Includes/
Stylesheet/
JavaScript/
data/counter.txt and data/guestbook.txt hold visitor-supplied content
(a number and signed messages), so they are not shown here.
|
1 <?php 2 /** 3 * source.php -- Source code viewer. 4 * Lists every file in the project and lets you read it in the browser, so the 5 * "we store nothing" claim is fully auditable. Uses a strict whitelist so only 6 * the project's own source is ever served (no path traversal, no secrets). 7 */ 8 require_once __DIR__ . '/includes/config.php'; 9 require_once __DIR__ . '/includes/functions.php'; 10 11 $PAGE_TITLE = 'Source'; 12 $PAGE_ID = 'source.php'; 13 14 // ----------------------------------------------------------------------------- 15 // Whitelist of viewable files (relative to project root). Only these can be 16 // opened. The data/ files are intentionally excluded (they hold guestbook text 17 // and the counter, i.e. visitor-supplied content, not source). 18 // ----------------------------------------------------------------------------- 19 $VIEWABLE = array( 20 'index.php', 'scan.php', 'browser.php', 'fingerprint.php', 'privacy.php', 21 'about.php', 'source.php', 'guestbook.php', 'rss.php', 'sitemap.php', 'robots.txt', 22 'api/scan.php', 23 'includes/config.php', 'includes/functions.php', 'includes/header.php', 24 'includes/nav.php', 'includes/footer.php', 25 'assets/css/style.css', 26 'assets/js/detect.js', 'assets/js/fingerprint.js', 'assets/js/scan.js', 27 'assets/js/terminal.js', 'assets/js/export.js', 28 ); 29 30 // Group for display. 31 $GROUPS = array( 32 'Pages' => array('index.php','scan.php','browser.php','fingerprint.php','privacy.php','about.php','source.php','guestbook.php'), 33 'Feeds' => array('rss.php','sitemap.php','robots.txt'), 34 'Backend' => array('api/scan.php'), 35 'Includes' => array('includes/config.php','includes/functions.php','includes/header.php','includes/nav.php','includes/footer.php'), 36 'Stylesheet' => array('assets/css/style.css'), 37 'JavaScript' => array('assets/js/detect.js','assets/js/fingerprint.js','assets/js/scan.js','assets/js/terminal.js','assets/js/export.js'), 38 ); 39 40 $requested = isset($_GET['f']) ? (string)$_GET['f'] : ''; 41 $requested = str_replace('\\', '/', $requested); 42 $valid = in_array($requested, $VIEWABLE, true); 43 44 // Resolve + double-check the path stays inside the project (defense in depth). 45 $content = null; $error = null; $size = 0; $lineCount = 0; 46 if ($requested !== '') { 47 if (!$valid) { 48 $error = 'That file is not in the viewable whitelist.'; 49 } else { 50 $full = realpath(BASE_PATH . DIRECTORY_SEPARATOR . $requested); 51 $root = realpath(BASE_PATH); 52 if ($full === false || strpos($full, $root) !== 0 || !is_readable($full)) { 53 $error = 'File could not be read.'; 54 } else { 55 $content = file_get_contents($full); 56 $size = strlen($content); 57 $lineCount = substr_count($content, "\n") + 1; 58 } 59 } 60 } 61 62 include __DIR__ . '/includes/header.php'; 63 ?> 64 65 <h1><?php echo section_icon('disk', '#00FF00', 22); ?> Source Code</h1> 66 67 <p> 68 The entire project, readable in your browser. No hidden JavaScript, no sneaky 69 beacons. If we claimed we don't track you, this is where you check. 70 </p> 71 72 <table class="cols layout"><tr> 73 <td class="col-side" style="width:280px"> 74 <div class="sidebox"> 75 <div class="sidebox-title"><?php echo section_icon('folder', '#FFFF00'); ?> File Tree</div> 76 <?php foreach ($GROUPS as $group => $files): ?> 77 <div class="green" style="margin-top:6px"><?php echo e($group); ?>/</div> 78 <ul class="retro" style="margin-left:12px;font-size:15px"> 79 <?php foreach ($files as $f): 80 $isCur = ($f === $requested); ?> 81 <li><a href="<?php echo eattr(url('source.php') . '?f=' . rawurlencode($f)); ?>"<?php echo $isCur ? ' class="current"' : ''; ?>><?php echo e(basename($f)); ?></a></li> 82 <?php endforeach; ?> 83 </ul> 84 <?php endforeach; ?> 85 <hr> 86 <div class="dim" style="font-size:14px"> 87 data/counter.txt and data/guestbook.txt hold visitor-supplied content 88 (a number and signed messages), so they are not shown here. 89 </div> 90 </div> 91 </td> 92 93 <td> 94 <?php if ($requested === ''): ?> 95 <div class="note"> 96 ← Pick a file from the tree to read it. Start with 97 <a href="<?php echo eattr(url('source.php') . '?f=' . rawurlencode('api/scan.php')); ?>">api/scan.php</a> 98 (the only backend) or 99 <a href="<?php echo eattr(url('source.php') . '?f=' . rawurlencode('assets/js/fingerprint.js')); ?>">fingerprint.js</a> 100 (the scary one). 101 </div> 102 <pre class="green"> 103 +-------------------------------------------+ 104 | Nothing selected. | 105 | Choose a file from the list on the left. | 106 +-------------------------------------------+</pre> 107 <?php elseif ($error !== null): ?> 108 <div class="badbx"><?php echo e($error); ?></div> 109 <?php else: ?> 110 <div class="panel"> 111 <div class="panel-title"> 112 <?php echo section_icon('disk'); ?> 113 <?php echo e($requested); ?> 114 <span class="dim" style="font-size:15px">(<?php echo e(human_bytes($size)); ?>, <?php echo e(number_format($lineCount)); ?> lines)</span> 115 </div> 116 <div class="panel-body"> 117 <div class="screen"> 118 <?php 119 // Render with line numbers, HTML-escaped. Kept simple and dependency-free. 120 $lines = explode("\n", $content); 121 echo '<pre style="font-size:14px;line-height:1.35">'; 122 $num = 1; 123 foreach ($lines as $ln) { 124 printf('<span class="dim">%4d</span> %s' . "\n", $num, e($ln)); 125 $num++; 126 } 127 echo '</pre>'; 128 ?> 129 </div> 130 </div> 131 </div> 132 <p class="center dim"> 133 You are reading the real file being executed on the server. What you see is what runs. 134 </p> 135 <?php endif; ?> 136 </td> 137 </tr></table> 138 139 <?php include __DIR__ . '/includes/footer.php'; ?> 140 You are reading the real file being executed on the server. What you see is what runs. |