From 6e2ff815f1a6267fb33ee69f6bfe6dc24adfc3b9 Mon Sep 17 00:00:00 2001 From: Chad Date: Tue, 17 Jan 2017 18:43:03 -0500 Subject: [PATCH] Fixed vulnerability. view-source: codiad/data/users.php nginx with fast cgi will disclose the commented out json unless you add a new line before hand. Fixes username, password "sha1(md5(password))", and last project from being disclosed to public. --- common.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common.php b/common.php index 8f7bcd4..aead3d2 100644 --- a/common.php +++ b/common.php @@ -180,6 +180,7 @@ } $json = file_get_contents($path . $file); + $json = str_replace(["\n\r", "\r", "\n"], "", $json); $json = str_replace("|*/?>","",str_replace(""; + $data = ""; $write = fopen($path . $file, 'w') or die("can't open file ".$path.$file); fwrite($write, $data); fclose($write);
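Review bot: Data files already on disk are not covered by the changed `$data = ...` line in the write path, which only takes effect the next time a file is saved; going by the commit message, files written earlier presumably keep the old wrapper and stay readable until then, so a one-off rewrite of existing data files and a reset of the exposed passwords would close that gap. The string literals on that line did not survive on this page, so the new wrapper itself cannot be checked here. The wrapper still relies on the server running the file through PHP, which is worth a comment above the write such as `// Data files must begin with a PHP open tag followed by a newline; also deny direct requests to data/ in the web server config.` In the read path, the added `str_replace(["\n\r", "\r", "\n"], "", $json)` lists `"\n\r"`, which is not the CRLF order and is redundant next to the two single-character entries; `$json = str_replace(["\r", "\n"], '', $json);` does the same. Both functions start and end outside the hunks.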