This is mostly useful for the testclient, which otherwise can't interact with the login server without huge hacks like the iframe copy/paste. Requiring an external sid resolves any security issues, since sid is the only cookie we use for security-sensitive things and it also serves as our CSRF token. In theory, this is also useful for clients that don't support cookies, although I'm unsure how they'd get their hands on an sid in the first place. I guess just run login actions?
<?php
/*
License: GPLv2 or later
<http://www.gnu.org/licenses/gpl-2.0.html>
*/
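// Report everything; this front controller is small and should never fail silently.
error_reporting(E_ALL);

// Team download shim: the client hands us a base64-encoded team in the query
// string and we echo it back as a plain-text body. It exists only to support
// Chrome on HTTPS. Both `act` and `team` are untrusted input.
if (($_GET['act'] ?? null) === 'dlteam') {
	header("Content-Type: text/plain");
	// The body below is caller-controlled; nosniff stops browsers from
	// second-guessing the text/plain type and rendering it as markup.
	header("X-Content-Type-Options: nosniff");

	// since this is only to support Chrome on HTTPS, we can get away with a very specific referer check
	// The trailing slash is part of the prefix on purpose: without it the test
	// would also accept hosts such as play.pokemonshowdown.com.<other-domain>.
	$allowedReferer = 'https://play.pokemonshowdown.com/';
	$referer = $_SERVER['HTTP_REFERER'] ?? '';
	if (strncmp($referer, $allowedReferer, strlen($allowedReferer)) !== 0) {
		die("access denied");
	}

	// `team[]=...` would arrive as an array and make base64_decode() throw a
	// TypeError; treat anything that is not a string as empty.
	$team = $_GET['team'] ?? '';
	echo base64_decode(is_string($team) ? $team : '');
	die();
}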
// Cross-origin access is opened in two situations: the request comes from a
// psim.us client page (referer check), or the caller supplies its sid
// explicitly in the POST body. A wildcard origin is never usable with
// credentialed (cookie-carrying) requests, so the cookie session cannot be
// driven cross-origin; the POSTed sid is the credential in that case.
$fromPsimClient = preg_match('/^http\\:\\/\\/[a-z0-9]+\\.psim\\.us\\//', $_SERVER['HTTP_REFERER'] ?? '') === 1;
// NOTE(review): this is a truthiness test, so a sid of "0" would not count — presumably never a valid sid.
$hasExplicitSid = (bool) ($_POST['sid'] ?? null);

if ($fromPsimClient || $hasExplicitSid) {
	header("Access-Control-Allow-Origin: *");
}
// Session handling, the server list, and the action dispatcher. These are
// included only after the CORS decision so the headers above are emitted first.
include_once 'lib/ntbb-session.lib.php';
include_once '../pokemonshowdown.com/config/servers.inc.php';
include_once 'lib/dispatcher.lib.php';

// Handlers are handed to the dispatcher in this order; presumably it consults
// them in sequence for each requested action — see ActionDispatcher.
$handlers = [
	new DefaultActionHandler(),
	new LadderActionHandler(),
];

$dispatcher = new ActionDispatcher($handlers);
$dispatcher->executeActions();