[ Index ]

PHP Cross Reference of phpBB-3.2.2-deutsch

title

Body

[close]

/download/ -> file.php (source)

   1  <?php
   2  /**
   3  *
   4  * This file is part of the phpBB Forum Software package.
   5  *
   6  * @copyright (c) phpBB Limited <https://www.phpbb.com>
   7  * @license GNU General Public License, version 2 (GPL-2.0)
   8  *
   9  * For full copyright and license information, please see
  10  * the docs/CREDITS.txt file.
  11  *
  12  */
  13  
  14  /**
  15  * @ignore
  16  */
  17  define('IN_PHPBB', true);
  18  $phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
  19  $phpEx = substr(strrchr(__FILE__, '.'), 1);
  20  
  21  // Thank you sun.
  22  if (isset($_SERVER['CONTENT_TYPE']))
  23  {
  24      if ($_SERVER['CONTENT_TYPE'] === 'application/x-java-archive')
  25      {
  26          exit;
  27      }
  28  }
  29  else if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'Java') !== false)
  30  {
  31      exit;
  32  }
  33  
  34  if (isset($_GET['avatar']))
  35  {
  36      require($phpbb_root_path . 'includes/startup.' . $phpEx);
  37  
  38      require($phpbb_root_path . 'phpbb/class_loader.' . $phpEx);
  39      $phpbb_class_loader = new \phpbb\class_loader('phpbb\\', "{$phpbb_root_path}phpbb/", $phpEx);
  40      $phpbb_class_loader->register();
  41  
  42      $phpbb_config_php_file = new \phpbb\config_php_file($phpbb_root_path, $phpEx);
  43      extract($phpbb_config_php_file->get_all());
  44  
  45      if (!defined('PHPBB_ENVIRONMENT'))
  46      {
  47          @define('PHPBB_ENVIRONMENT', 'production');
  48      }
  49  
  50      if (!defined('PHPBB_INSTALLED') || empty($dbms) || empty($acm_type))
  51      {
  52          exit;
  53      }
  54  
  55      require($phpbb_root_path . 'includes/constants.' . $phpEx);
  56      require($phpbb_root_path . 'includes/functions.' . $phpEx);
  57      require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
  58      require($phpbb_root_path . 'includes/utf/utf_tools.' . $phpEx);
  59  
  60      // Setup class loader first
  61      $phpbb_class_loader_ext = new \phpbb\class_loader('\\', "{$phpbb_root_path}ext/", $phpEx);
  62      $phpbb_class_loader_ext->register();
  63  
  64      // Set up container
  65      $phpbb_container_builder = new \phpbb\di\container_builder($phpbb_root_path, $phpEx);
  66      $phpbb_container = $phpbb_container_builder->with_config($phpbb_config_php_file)->get_container();
  67  
  68      $phpbb_class_loader->set_cache($phpbb_container->get('cache.driver'));
  69      $phpbb_class_loader_ext->set_cache($phpbb_container->get('cache.driver'));
  70  
  71      // set up caching
  72      /* @var $cache \phpbb\cache\service */
  73      $cache = $phpbb_container->get('cache');
  74  
  75      /* @var $phpbb_dispatcher \phpbb\event\dispatcher */
  76      $phpbb_dispatcher = $phpbb_container->get('dispatcher');
  77  
  78      /* @var $request \phpbb\request\request_interface */
  79      $request    = $phpbb_container->get('request');
  80  
  81      /* @var $db \phpbb\db\driver\driver_interface */
  82      $db            = $phpbb_container->get('dbal.conn');
  83  
  84      /* @var $phpbb_log \phpbb\log\log_interface */
  85      $phpbb_log    = $phpbb_container->get('log');
  86  
  87      unset($dbpasswd);
  88  
  89      /* @var $config \phpbb\config\config */
  90      $config = $phpbb_container->get('config');
  91  
  92      // load extensions
  93      /* @var $phpbb_extension_manager \phpbb\extension\manager */
  94      $phpbb_extension_manager = $phpbb_container->get('ext.manager');
  95  
  96      // worst-case default
  97      $browser = strtolower($request->header('User-Agent', 'msie 6.0'));
  98  
  99      /* @var $phpbb_avatar_manager \phpbb\avatar\manager */
 100      $phpbb_avatar_manager = $phpbb_container->get('avatar.manager');
 101  
 102      $filename = $request->variable('avatar', '');
 103      $avatar_group = false;
 104      $exit = false;
 105  
 106      if (isset($filename[0]) && $filename[0] === 'g')
 107      {
 108          $avatar_group = true;
 109          $filename = substr($filename, 1);
 110      }
 111  
 112      // '==' is not a bug - . as the first char is as bad as no dot at all
 113      if (strpos($filename, '.') == false)
 114      {
 115          send_status_line(403, 'Forbidden');
 116          $exit = true;
 117      }
 118  
 119      if (!$exit)
 120      {
 121          $ext        = substr(strrchr($filename, '.'), 1);
 122          $stamp        = (int) substr(stristr($filename, '_'), 1);
 123          $filename    = (int) $filename;
 124          $exit = set_modified_headers($stamp, $browser);
 125      }
 126      if (!$exit && !in_array($ext, array('png', 'gif', 'jpg', 'jpeg')))
 127      {
 128          // no way such an avatar could exist. They are not following the rules, stop the show.
 129          send_status_line(403, 'Forbidden');
 130          $exit = true;
 131      }
 132  
 133  
 134      if (!$exit)
 135      {
 136          if (!$filename)
 137          {
 138              // no way such an avatar could exist. They are not following the rules, stop the show.
 139              send_status_line(403, 'Forbidden');
 140          }
 141          else
 142          {
 143              send_avatar_to_browser(($avatar_group ? 'g' : '') . $filename . '.' . $ext, $browser);
 144          }
 145      }
 146      file_gc();
 147  }
 148  
 149  // implicit else: we are not in avatar mode
 150  include($phpbb_root_path . 'common.' . $phpEx);
 151  require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
 152  
 153  $attach_id = $request->variable('id', 0);
 154  $mode = $request->variable('mode', '');
 155  $thumbnail = $request->variable('t', false);
 156  
 157  // Start session management, do not update session page.
 158  $user->session_begin(false);
 159  $auth->acl($user->data);
 160  $user->setup('viewtopic');
 161  
 162  $phpbb_content_visibility = $phpbb_container->get('content.visibility');
 163  
 164  if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
 165  {
 166      send_status_line(404, 'Not Found');
 167      trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
 168  }
 169  
 170  if (!$attach_id)
 171  {
 172      send_status_line(404, 'Not Found');
 173      trigger_error('NO_ATTACHMENT_SELECTED');
 174  }
 175  
 176  $sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, poster_id, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime
 177      FROM ' . ATTACHMENTS_TABLE . "
 178      WHERE attach_id = $attach_id";
 179  $result = $db->sql_query($sql);
 180  $attachment = $db->sql_fetchrow($result);
 181  $db->sql_freeresult($result);
 182  
 183  if (!$attachment)
 184  {
 185      send_status_line(404, 'Not Found');
 186      trigger_error('ERROR_NO_ATTACHMENT');
 187  }
 188  else if (!download_allowed())
 189  {
 190      send_status_line(403, 'Forbidden');
 191      trigger_error($user->lang['LINKAGE_FORBIDDEN']);
 192  }
 193  else
 194  {
 195      $attachment['physical_filename'] = utf8_basename($attachment['physical_filename']);
 196  
 197      if (!$attachment['in_message'] && !$config['allow_attachments'] || $attachment['in_message'] && !$config['allow_pm_attach'])
 198      {
 199          send_status_line(404, 'Not Found');
 200          trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
 201      }
 202  
 203      if ($attachment['is_orphan'])
 204      {
 205          // We allow admins having attachment permissions to see orphan attachments...
 206          $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false;
 207  
 208          if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download')))
 209          {
 210              send_status_line(404, 'Not Found');
 211              trigger_error('ERROR_NO_ATTACHMENT');
 212          }
 213  
 214          // Obtain all extensions...
 215          $extensions = $cache->obtain_attach_extensions(true);
 216      }
 217      else
 218      {
 219          if (!$attachment['in_message'])
 220          {
 221              phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']);
 222  
 223              $sql = 'SELECT forum_id, post_visibility
 224                  FROM ' . POSTS_TABLE . '
 225                  WHERE post_id = ' . (int) $attachment['post_msg_id'];
 226              $result = $db->sql_query($sql);
 227              $post_row = $db->sql_fetchrow($result);
 228              $db->sql_freeresult($result);
 229  
 230              if (!$post_row || !$phpbb_content_visibility->is_visible('post', $post_row['forum_id'], $post_row))
 231              {
 232                  // Attachment of a soft deleted post and the user is not allowed to see the post
 233                  send_status_line(404, 'Not Found');
 234                  trigger_error('ERROR_NO_ATTACHMENT');
 235              }
 236          }
 237          else
 238          {
 239              // Attachment is in a private message.
 240              $post_row = array('forum_id' => false);
 241              phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
 242          }
 243  
 244          $extensions = array();
 245          if (!extension_allowed($post_row['forum_id'], $attachment['extension'], $extensions))
 246          {
 247              send_status_line(403, 'Forbidden');
 248              trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
 249          }
 250      }
 251  
 252      $download_mode = (int) $extensions[$attachment['extension']]['download_mode'];
 253      $display_cat = $extensions[$attachment['extension']]['display_cat'];
 254  
 255      if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))
 256      {
 257          $display_cat = ATTACHMENT_CATEGORY_NONE;
 258      }
 259  
 260      if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash'))
 261      {
 262          $display_cat = ATTACHMENT_CATEGORY_NONE;
 263      }
 264  
 265      /**
 266      * Event to modify data before sending file to browser
 267      *
 268      * @event core.download_file_send_to_browser_before
 269      * @var    int        attach_id            The attachment ID
 270      * @var    array    attachment            Array with attachment data
 271      * @var    int        display_cat            Attachment category
 272      * @var    int        download_mode        File extension specific download mode
 273      * @var    array    extensions            Array with file extensions data
 274      * @var    string    mode                Download mode
 275      * @var    bool    thumbnail            Flag indicating if the file is a thumbnail
 276      * @since 3.1.6-RC1
 277      * @changed 3.1.7-RC1    Fixing wrong name of a variable (replacing "extension" by "extensions")
 278      */
 279      $vars = array(
 280          'attach_id',
 281          'attachment',
 282          'display_cat',
 283          'download_mode',
 284          'extensions',
 285          'mode',
 286          'thumbnail',
 287      );
 288      extract($phpbb_dispatcher->trigger_event('core.download_file_send_to_browser_before', compact($vars)));
 289  
 290      if ($thumbnail)
 291      {
 292          $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
 293      }
 294      else if ($display_cat == ATTACHMENT_CATEGORY_NONE && !$attachment['is_orphan'] && !phpbb_http_byte_range($attachment['filesize']))
 295      {
 296          // Update download count
 297          phpbb_increment_downloads($db, $attachment['attach_id']);
 298      }
 299  
 300      if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && (strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7))
 301      {
 302          wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);
 303          file_gc();
 304      }
 305      else
 306      {
 307          // Determine the 'presenting'-method
 308          if ($download_mode == PHYSICAL_LINK)
 309          {
 310              // This presenting method should no longer be used
 311              if (!@is_dir($phpbb_root_path . $config['upload_path']))
 312              {
 313                  send_status_line(500, 'Internal Server Error');
 314                  trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
 315              }
 316  
 317              redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);
 318              file_gc();
 319          }
 320          else
 321          {
 322              send_file_to_browser($attachment, $config['upload_path'], $display_cat);
 323              file_gc();
 324          }
 325      }
 326  }


Generated: Thu Jan 11 23:14:31 2018 Cross-referenced by PHPXref 0.7.1