diff options
| author | Meik Sievertsen <acydburn@phpbb.com> | 2006-09-13 16:08:36 +0000 |
|---|---|---|
| committer | Meik Sievertsen <acydburn@phpbb.com> | 2006-09-13 16:08:36 +0000 |
| commit | b76222cb6e9ed69ee8ed0c09f0196eaaafd33fad (patch) | |
| tree | 59f81d4c51e82ef1df7994444681731d9920b0c6 /phpBB/download.php | |
| parent | 35c5fe21cb45e4ec69109745b5e8ca6c529f57ac (diff) | |
| download | forums-b76222cb6e9ed69ee8ed0c09f0196eaaafd33fad.tar forums-b76222cb6e9ed69ee8ed0c09f0196eaaafd33fad.tar.gz forums-b76222cb6e9ed69ee8ed0c09f0196eaaafd33fad.tar.bz2 forums-b76222cb6e9ed69ee8ed0c09f0196eaaafd33fad.tar.xz forums-b76222cb6e9ed69ee8ed0c09f0196eaaafd33fad.zip | |
- fixed some bugs
- changed attachment handling a bit
- tried to remove target tags out of the code
- do not add session ids to urls for bots as well as not creating a new session on each page view for them
I bet i introduced some bugs too. ;)
git-svn-id: file:///svn/phpbb/trunk@6364 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/download.php')
| -rw-r--r-- | phpBB/download.php | 112 |
1 files changed, 66 insertions, 46 deletions
diff --git a/phpBB/download.php b/phpBB/download.php index 04ead2c6ef..ccc23b94b8 100644 --- a/phpBB/download.php +++ b/phpBB/download.php @@ -34,7 +34,7 @@ if (!$config['allow_attachments'] && !$config['allow_pm_attach']) trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED'); } -$sql = 'SELECT attach_id, in_message, post_msg_id, extension +$sql = 'SELECT attach_id, in_message, post_msg_id, extension, is_orphan, poster_id FROM ' . ATTACHMENTS_TABLE . " WHERE attach_id = $download_id"; $result = $db->sql_query_limit($sql, 1); @@ -52,59 +52,76 @@ if ((!$attachment['in_message'] && !$config['allow_attachments']) || ($attachmen } $row = array(); -if (!$attachment['in_message']) + +if ($attachment['is_orphan']) { - // - $sql = 'SELECT p.forum_id, f.forum_password, f.parent_id - FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f - WHERE p.post_id = ' . $attachment['post_msg_id'] . ' - AND p.forum_id = f.forum_id'; - $result = $db->sql_query_limit($sql, 1); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - // Global announcement? - if (!$row) + // We allow admins having attachment permissions to see orphan attachments... + $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false; + + if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download'))) { - $forum_id = request_var('f', 0); + trigger_error('ERROR_NO_ATTACHMENT'); + } - $sql = 'SELECT forum_id, forum_password, parent_id - FROM ' . FORUMS_TABLE . ' - WHERE forum_id = ' . $forum_id; - $result = $db->sql_query($sql); + $extensions = array(); + $cache->obtain_attach_extensions($extensions); +} +else +{ + if (!$attachment['in_message']) + { + // + $sql = 'SELECT p.forum_id, f.forum_password, f.parent_id + FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f + WHERE p.post_id = ' . $attachment['post_msg_id'] . ' + AND p.forum_id = f.forum_id'; + $result = $db->sql_query_limit($sql, 1); $row = $db->sql_fetchrow($result); $db->sql_freeresult($result); - } - if ($auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id'])) - { - if ($row['forum_password']) + // Global announcement? + if (!$row) + { + $forum_id = request_var('f', 0); + + $sql = 'SELECT forum_id, forum_password, parent_id + FROM ' . FORUMS_TABLE . ' + WHERE forum_id = ' . $forum_id; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + } + + if ($auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id'])) + { + if ($row['forum_password']) + { + // Do something else ... ? + login_forum_box($row); + } + } + else { - // Do something else ... ? - login_forum_box($row); + trigger_error('SORRY_AUTH_VIEW_ATTACH'); } } else { - trigger_error('SORRY_AUTH_VIEW_ATTACH'); + $row['forum_id'] = 0; + if (!$auth->acl_get('u_pm_download')) + { + trigger_error('SORRY_AUTH_VIEW_ATTACH'); + } } -} -else -{ - $row['forum_id'] = 0; - if (!$auth->acl_get('u_pm_download')) + + // disallowed ? + $extensions = array(); + if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions)) { - trigger_error('SORRY_AUTH_VIEW_ATTACH'); + trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension'])); } } -// disallowed ? -$extensions = array(); -if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions)) -{ - trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension'])); -} - if (!download_allowed()) { trigger_error($user->lang['LINKAGE_FORBIDDEN']); @@ -113,7 +130,7 @@ if (!download_allowed()) $download_mode = (int) $extensions[$attachment['extension']]['download_mode']; // Fetching filename here to prevent sniffing of filename -$sql = 'SELECT attach_id, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype +$sql = 'SELECT attach_id, is_orphan, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype FROM ' . ATTACHMENTS_TABLE . " WHERE attach_id = $download_id"; $result = $db->sql_query_limit($sql, 1); @@ -125,7 +142,6 @@ if (!$attachment) trigger_error('ERROR_NO_ATTACHMENT'); } - $attachment['physical_filename'] = basename($attachment['physical_filename']); $display_cat = $extensions[$attachment['extension']]['display_cat']; @@ -133,7 +149,7 @@ if ($thumbnail) { $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename']; } -else if ($display_cat == ATTACHMENT_CATEGORY_NONE || $display_cat == ATTACHMENT_CATEGORY_IMAGE) +else if (($display_cat == ATTACHMENT_CATEGORY_NONE || $display_cat == ATTACHMENT_CATEGORY_IMAGE) && !$attachment['is_orphan']) { // Update download count $sql = 'UPDATE ' . ATTACHMENTS_TABLE . ' @@ -176,7 +192,7 @@ function send_file_to_browser($attachment, $upload_dir, $category) // Correct the mime type - we force application/octetstream for all files, except images // Please do not change this, it is a security precaution - if ($category == ATTACHMENT_CATEGORY_NONE && strpos($attachment['mimetype'], 'image') === false) + if (strpos($attachment['mimetype'], 'image') !== 0) { $attachment['mimetype'] = (strpos(strtolower($user->browser), 'msie') !== false || strpos(strtolower($user->browser), 'opera') !== false) ? 'application/octetstream' : 'application/octet-stream'; } @@ -206,13 +222,18 @@ function send_file_to_browser($attachment, $upload_dir, $category) // Now the tricky part... let's dance header('Pragma: public'); - // Try X-Sendfile since it is much more server friendly. + // Try X-Sendfile since it is much more server friendly - only works if the path is *not* outside of the root path... // lighttpd has core support for it. An apache2 module is available at http://celebnamer.celebworld.ws/stuff/mod_xsendfile/ - header('X-Sendfile: ' . $filename); + + // Not really ideal, but should work fine... + if (strpos($upload_dir, '/') !== 0 && strpos($upload_dir, '../') === false) + { + header('X-Sendfile: ' . $filename); + } // Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer. header('Content-Type: ' . $attachment['mimetype'] . '; name="' . $attachment['real_filename'] . '"'); - header('Content-Disposition: attachment; filename="' . $attachment['real_filename'] . '"'); + header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; filename="' . $attachment['real_filename'] . '"'); if ($size) { @@ -221,7 +242,6 @@ function send_file_to_browser($attachment, $upload_dir, $category) // Might not be ideal to store the contents, but file_get_contents is binary-safe as well as the recommended method echo @file_get_contents($filename); - unset($contents); flush(); exit; |