
   1  <?php
   2  /**
   3  *
   4  * This file is part of the phpBB Forum Software package.
   5  *
   6  * @copyright (c) phpBB Limited <https://www.phpbb.com>
   7  * @license GNU General Public License, version 2 (GPL-2.0)
   8  *
   9  * For full copyright and license information, please see
  10  * the docs/CREDITS.txt file.
  11  *
  12  */
  13  
      // download/file.php: serves two kinds of files to the client.
      //   * ?avatar=<id>[_<stamp>].<ext>  -> uploaded avatar (light bootstrap, no session, see below)
      //   * ?id=<attach_id>[&mode=view][&t=1] -> post/PM attachment (full bootstrap, session + ACL checks)
      // Every response path ends in exit/file_gc()/trigger_error, so nothing falls through.
  14  /**
  15  * @ignore
  16  */
  17  define('IN_PHPBB', true);
      // Board root relative to this script; can be overridden by defining PHPBB_ROOT_PATH beforehand.
  18  $phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
      // Extension of this file (normally 'php'); reused when building every include path below.
  19  $phpEx = substr(strrchr(__FILE__, '.'), 1);
  20  
  21  // Thank you sun.
      // Refuse to serve anything to a client that identifies as Java, either by the request
      // Content-Type or (only when no Content-Type header is present) by the User-Agent.
      // NOTE(review): presumably a defence against uploaded files being fetched by a JVM and run
      // as a JAR/applet under this site's origin; the User-Agent branch is skipped whenever any
      // Content-Type header is sent, so it only covers plain GET-style fetches.
  22  if (isset($_SERVER['CONTENT_TYPE']))
  23  {
  24      if ($_SERVER['CONTENT_TYPE'] === 'application/x-java-archive')
  25      {
  26          exit;
  27      }
  28  }
  29  else if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'Java') !== false)
  30  {
  31      exit;
  32  }
  33  
      // Avatar mode: a minimal bootstrap (class loader, DI container, cache, request) without
      // common.php. No session is started and no permission is checked in this branch, so the
      // only protection is the strict shape validation applied to the 'avatar' parameter below.
  34  if (isset($_GET['avatar']))
  35  {
  36      require($phpbb_root_path . 'includes/startup.' . $phpEx);
  37  
  38      require($phpbb_root_path . 'phpbb/class_loader.' . $phpEx);
  39      $phpbb_class_loader = new \phpbb\class_loader('phpbb\\', "{$phpbb_root_path}phpbb/", $phpEx);
  40      $phpbb_class_loader->register();
  41  
  42      $phpbb_config_php_file = new \phpbb\config_php_file($phpbb_root_path, $phpEx);
          // Pulls the config.php settings ($dbms, $acm_type, $dbpasswd, ...) into this scope.
          // The source is the board's own config file, not request data; $dbpasswd is unset again
          // further down once the container has been built.
  43      extract($phpbb_config_php_file->get_all());
  44  
  45      if (!defined('PHPBB_ENVIRONMENT'))
  46      {
  47          @define('PHPBB_ENVIRONMENT', 'production');
  48      }
  49  
          // Not installed (or config incomplete): answer with nothing at all rather than an error page.
  50      if (!defined('PHPBB_INSTALLED') || empty($dbms) || empty($acm_type))
  51      {
  52          exit;
  53      }
  54  
  55      require($phpbb_root_path . 'includes/constants.' . $phpEx);
  56      require($phpbb_root_path . 'includes/functions.' . $phpEx);
  57      require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
  58      require($phpbb_root_path . 'includes/utf/utf_tools.' . $phpEx);
  59  
  60      // Setup class loader first
  61      $phpbb_class_loader_ext = new \phpbb\class_loader('\\', "{$phpbb_root_path}ext/", $phpEx);
  62      $phpbb_class_loader_ext->register();
  63  
  64      // Set up container
  65      $phpbb_container_builder = new \phpbb\di\container_builder($phpbb_root_path, $phpEx);
  66      $phpbb_container = $phpbb_container_builder->with_config($phpbb_config_php_file)->get_container();
  67  
  68      $phpbb_class_loader->set_cache($phpbb_container->get('cache.driver'));
  69      $phpbb_class_loader_ext->set_cache($phpbb_container->get('cache.driver'));
  70  
  71      // set up caching
  72      /* @var $cache \phpbb\cache\service */
  73      $cache = $phpbb_container->get('cache');
  74  
  75      /* @var $phpbb_dispatcher \phpbb\event\dispatcher */
  76      $phpbb_dispatcher = $phpbb_container->get('dispatcher');
  77  
  78      /* @var $request \phpbb\request\request_interface */
  79      $request    = $phpbb_container->get('request');
  80  
  81      /* @var $db \phpbb\db\driver\driver_interface */
  82      $db            = $phpbb_container->get('dbal.conn');
  83  
  84      /* @var $phpbb_log \phpbb\log\log_interface */
  85      $phpbb_log    = $phpbb_container->get('log');
  86  
          // The DB password was extracted from config.php above; drop it from scope now that the
          // container (and thus the DB connection) exists, so it cannot leak via a later dump/error.
  87      unset($dbpasswd);
  88  
  89      /* @var $config \phpbb\config\config */
  90      $config = $phpbb_container->get('config');
  91  
  92      // load extensions
  93      /* @var $phpbb_extension_manager \phpbb\extension\manager */
  94      $phpbb_extension_manager = $phpbb_container->get('ext.manager');
  95  
  96      // worst-case default
          // Lower-cased User-Agent, only used for cache/modified header decisions in the helpers.
  97      $browser = strtolower($request->header('User-Agent', 'msie 6.0'));
  98  
  99      /* @var $phpbb_avatar_manager \phpbb\avatar\manager */
 100      $phpbb_avatar_manager = $phpbb_container->get('avatar.manager');
 101  
          // Raw 'avatar' parameter, expected as "[g]<user-or-group-id>[_<stamp>].<ext>".
 102      $filename = $request->variable('avatar', '');
 103      $avatar_group = false;
 104      $exit = false;
 105  
          // A leading 'g' selects a group avatar; strip it and remember the flag for the rebuild below.
 106      if (isset($filename[0]) && $filename[0] === 'g')
 107      {
 108          $avatar_group = true;
 109          $filename = substr($filename, 1);
 110      }
 111  
 112      // '==' is not a bug - . as the first char is as bad as no dot at all
          // (strpos() returns false for "no dot" and 0 for "dot at position 0"; both == false.)
 113      if (strpos($filename, '.') == false)
 114      {
 115          send_status_line(403, 'Forbidden');
 116          $exit = true;
 117      }
 118  
 119      if (!$exit)
 120      {
              // Split the parameter into its three parts. The (int) cast on the name is what keeps
              // this path safe: only the leading digits survive, so no directory separators or
              // "../" sequences from the request can reach the filename that is built below.
 121          $ext        = substr(strrchr($filename, '.'), 1);
 122          $stamp        = (int) substr(stristr($filename, '_'), 1);
 123          $filename    = (int) $filename;
              // NOTE(review): presumably returns true when a not-modified response was already sent
              // and nothing more should be emitted; confirm in includes/functions_download.
 124          $exit = set_modified_headers($stamp, $browser);
 125      }
          // Extension allow-list: anything that is not one of the image types avatars are stored as
          // is rejected before touching the filesystem. ($ext is only read when $exit is false, so
          // it is always defined here.)
 126      if (!$exit && !in_array($ext, array('png', 'gif', 'jpg', 'jpeg')))
 127      {
 128          // no way such an avatar could exist. They are not following the rules, stop the show.
 129          send_status_line(403, 'Forbidden');
 130          $exit = true;
 131      }
 132  
 133  
 134      if (!$exit)
 135      {
              // Id cast to 0 (non-numeric or zero id) can never name an avatar.
 136          if (!$filename)
 137          {
 138              // no way such an avatar could exist. They are not following the rules, stop the show.
 139              send_status_line(403, 'Forbidden');
 140          }
 141          else
 142          {
                  // The filename handed to the sender is rebuilt purely from validated parts:
                  // optional 'g', the integer id, and the allow-listed extension.
 143              send_avatar_to_browser(($avatar_group ? 'g' : '') . $filename . '.' . $ext, $browser);
 144          }
 145      }
          // NOTE(review): presumably finishes the response and exits (the non-avatar code below
          // is never reached in this branch); confirm in includes/functions_download.
 146      file_gc();
 147  }
 148  
 149  // implicit else: we are not in avatar mode
      // Attachment mode: full board bootstrap (common.php provides $user, $auth, $config, $db, ...).
 150  include($phpbb_root_path . 'common.' . $phpEx);
 151  require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
 152  
      // Request parameters. phpBB's request class casts each value to the type of its default,
      // so $attach_id is an int (0 when absent), $mode a string and $thumbnail a bool.
 153  $attach_id = $request->variable('id', 0);
 154  $mode = $request->variable('mode', '');
 155  $thumbnail = $request->variable('t', false);
 156  
 157  // Start session management, do not update session page.
 158  $user->session_begin(false);
 159  $auth->acl($user->data);
 160  $user->setup('viewtopic');
 161  
      // Global kill switch: both attachment kinds disabled. trigger_error() here and below is
      // routed through phpBB's message handler, which renders the language string and ends the
      // request, so no code after it runs.
 162  if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
 163  {
 164      send_status_line(404, 'Not Found');
 165      trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
 166  }
 167  
      // Missing or zero id.
 168  if (!$attach_id)
 169  {
 170      send_status_line(404, 'Not Found');
 171      trigger_error('NO_ATTACHMENT_SELECTED');
 172  }
 173  
      // Load the attachment row. $attach_id is interpolated directly into the query; this is only
      // safe because it was cast to int by $request->variable() above - keep it an int.
 174  $sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, poster_id, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime
 175      FROM ' . ATTACHMENTS_TABLE . "
 176      WHERE attach_id = $attach_id";
 177  $result = $db->sql_query($sql);
 178  $attachment = $db->sql_fetchrow($result);
 179  $db->sql_freeresult($result);
 180  
 181  if (!$attachment)
 182  {
 183      send_status_line(404, 'Not Found');
 184      trigger_error('ERROR_NO_ATTACHMENT');
 185  }
      // NOTE(review): the LINKAGE_FORBIDDEN message suggests download_allowed() is the hot-link
      // (referer) check; confirm in includes/functions_download.
 186  else if (!download_allowed())
 187  {
 188      send_status_line(403, 'Forbidden');
 189      trigger_error($user->lang['LINKAGE_FORBIDDEN']);
 190  }
 191  else
 192  {
          // Strip any directory component from the stored name before it is used on disk or in a
          // redirect; only the base name is ever combined with $config['upload_path'].
 193      $attachment['physical_filename'] = utf8_basename($attachment['physical_filename']);
 194  
          // Per-kind kill switch. && binds tighter than ||, so this reads as
          // (forum attachment && forum attachments off) || (PM attachment && PM attachments off).
 195      if (!$attachment['in_message'] && !$config['allow_attachments'] || $attachment['in_message'] && !$config['allow_pm_attach'])
 196      {
 197          send_status_line(404, 'Not Found');
 198          trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
 199      }
 200  
          // Orphan = uploaded but not (yet) tied to a post/PM, so there is no topic or PM to
          // authorise against; access is limited to the uploader and attachment admins instead.
 201      if ($attachment['is_orphan'])
 202      {
 203          // We allow admins having attachment permissions to see orphan attachments...
              // (loose == between two numeric ids, one from the DB and one from the session)
 204          $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false;
 205  
              // Owner/admin must additionally hold the download permission matching the kind.
 206          if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download')))
 207          {
 208              send_status_line(404, 'Not Found');
 209              trigger_error('ERROR_NO_ATTACHMENT');
 210          }
 211  
 212          // Obtain all extensions...
              // No forum context for an orphan, so the full (unfiltered) extension table is used.
 213          $extensions = $cache->obtain_attach_extensions(true);
 214      }
 215      else
 216      {
 217          if (!$attachment['in_message'])
 218          {
                  // Forum attachment: the helper checks the user's access to the owning topic/forum
                  // (ends the request on failure, like the other checks here).
 219              phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']);
 220  
                  // post_msg_id is explicitly cast to int before interpolation.
 221              $sql = 'SELECT forum_id, post_visibility
 222                  FROM ' . POSTS_TABLE . '
 223                  WHERE post_id = ' . (int) $attachment['post_msg_id'];
 224              $result = $db->sql_query($sql);
 225              $post_row = $db->sql_fetchrow($result);
 226              $db->sql_freeresult($result);
 227  
                  // A missing post, or an unapproved/soft-deleted post viewed by someone without
                  // m_approve in that forum, is reported as "no attachment" rather than "forbidden"
                  // so the existence of the post is not disclosed.
 228              if (!$post_row || ($post_row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $post_row['forum_id'])))
 229              {
 230                  // Attachment of a soft deleted post and the user is not allowed to see the post
 231                  send_status_line(404, 'Not Found');
 232                  trigger_error('ERROR_NO_ATTACHMENT');
 233              }
 234          }
 235          else
 236          {
 237              // Attachment is in a private message.
                  // No forum applies; the helper checks that the current user is party to the PM.
 238              $post_row = array('forum_id' => false);
 239              phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
 240          }
 241  
              // $extensions is filled by extension_allowed() (it is indexed by extension below).
              // Rejects files whose extension has been disallowed since they were posted.
 242          $extensions = array();
 243          if (!extension_allowed($post_row['forum_id'], $attachment['extension'], $extensions))
 244          {
 245              send_status_line(403, 'Forbidden');
 246              trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
 247          }
 248      }
 249  
          // How this extension is delivered (download_mode) and presented (display_cat), both
          // configured per extension group by the administrator.
 250      $download_mode = (int) $extensions[$attachment['extension']]['download_mode'];
 251      $display_cat = $extensions[$attachment['extension']]['display_cat'];
 252  
          // Honour the user's "display images / flash" preferences by downgrading the category to
          // a plain download.
 253      if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))
 254      {
 255          $display_cat = ATTACHMENT_CATEGORY_NONE;
 256      }
 257  
 258      if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash'))
 259      {
 260          $display_cat = ATTACHMENT_CATEGORY_NONE;
 261      }
 262  
 263      /**
 264      * Event to modify data before sending file to browser
 265      *
 266      * @event core.download_file_send_to_browser_before
 267      * @var    int        attach_id            The attachment ID
 268      * @var    array    attachment            Array with attachment data
 269      * @var    int        display_cat            Attachment category
 270      * @var    int        download_mode        File extension specific download mode
 271      * @var    array    extensions            Array with file extensions data
 272      * @var    string    mode                Download mode
 273      * @var    bool    thumbnail            Flag indicating if the file is a thumbnail
 274      * @since 3.1.6-RC1
 275      * @change 3.1.7-RC1    Fixing wrong name of a variable (replacing "extension" by "extensions")
 276      */
 277      $vars = array(
 278          'attach_id',
 279          'attachment',
 280          'display_cat',
 281          'download_mode',
 282          'extensions',
 283          'mode',
 284          'thumbnail',
 285      );
          // Listeners may replace any of the variables listed above (including $attachment and
          // $display_cat) after the authorisation checks have run; extensions hooking this event
          // are therefore part of the trust boundary of this script.
 286      extract($phpbb_dispatcher->trigger_event('core.download_file_send_to_browser_before', compact($vars)));
 287  
          // Thumbnails live next to the original under a 'thumb_' prefix.
 288      if ($thumbnail)
 289      {
 290          $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
 291      }
          // Count a download only for full (non-range) transfers of plain downloads of real
          // (non-orphan) attachments, so inline images and resumed transfers do not inflate it.
 292      else if ($display_cat == ATTACHMENT_CATEGORY_NONE && !$attachment['is_orphan'] && !phpbb_http_byte_range($attachment['filesize']))
 293      {
 294          // Update download count
 295          phpbb_increment_downloads($db, $attachment['attach_id']);
 296      }
 297  
          // Old Internet Explorer (7 and below) asking to 'view' an inline image gets an HTML page
          // that references this script again instead of the raw image bytes.
 298      if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && (strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7))
 299      {
 300          wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);
 301          file_gc();
 302      }
 303      else
 304      {
 305          // Determine the 'presenting'-method
 306          if ($download_mode == PHYSICAL_LINK)
 307          {
 308              // This presenting method should no longer be used
                  // (it redirects the client straight to the file inside upload_path, which
                  // requires that directory to be web-accessible and reveals the physical filename)
 309              if (!@is_dir($phpbb_root_path . $config['upload_path']))
 310              {
 311                  send_status_line(500, 'Internal Server Error');
 312                  trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
 313              }
 314  
 315              redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);
 316              file_gc();
 317          }
 318          else
 319          {
                  // Normal path: the file is read from upload_path and streamed by this script, so
                  // the storage directory itself never needs to be served by the web server.
 320              send_file_to_browser($attachment, $config['upload_path'], $display_cat);
 321              file_gc();
 322          }
 323      }
 324  }

