configuration added and updated

html/configuration.php.in

@@ -0,0 +1,6 @@
+<?php
+$server_password=file_get_contents('@PKGSYSCONFDIR@/password');
+require('@PKGSYSCONFDIR@/settings.php');
+if (!$server_password) error_die('no server password');
+if (!isset($_REQUEST['secret'])) require('@PKGSYSCONFDIR@/authentication.php');
+?>

html/index.php

@@ -2,6 +2,7 @@
    mb_internal_encoding("utf8");
    $subpath="";
    $file="";
+   $username="";
    function error_die($reason, $status='500 Internal Server Error') {
      header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
      header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
@@ -11,6 +12,7 @@
      header('HTTP/1.0 '.$status);
      die('<html><body><h1>Error: '.$status.'</h1><p>'.$reason.'</p>');
    }
+   require('configuration.php');
    function alt(&$p1 = NULL, &$p2 = NULL, &$p3 = NULL) {
      if (isset($p1)) return $p1;
      if (isset($p2)) return $p2;
@@ -57,9 +59,10 @@
    }
    function checkPath($pathToCheck) {
      global $path, $subpath;
-     if (ereg('^[-_a-zA-Z0-9äöüÄÖÜ/]*$', $pathToCheck) && is_dir($path.'/'.$pathToCheck)) {
+     $fullpath = $path.'/'.$pathToCheck
+     if ($fullpath==realpath($fullpath) && is_dir($fullpath)) {
        $subpath=$pathToCheck;
-       $path .= '/'.$pathToCheck;
+       $path = $fullpath;
      } else {
       error_die('path not allowed: '.htmlentities($pathToCheck));
      }
@@ -153,13 +156,7 @@
        makelink($link, $img, $filename);
      }
    }
-   $server_password=file_get_contents('/etc/gallery/password');
-   require('/etc/gallery/settings.php');
-   if (!$server_password) $server_password=str_shuffle(sha1(rand().time()."ashu87as"));
-   $username="";
    if (!isset($_REQUEST['secret'])) {
-     require('/etc/gallery/authentication.php');
-     require('/etc/gallery/usersettings.php');
      if ($username=="") error_die('not authorized', '403 Forbidden');
      if (isset($_REQUEST['path'])) checkPath($_REQUEST['path']);
      if (isset($_REQUEST['folder']) && !ereg('/', $_REQUEST['folder'])) {