Merge remote-tracking branch 'upstream/prep-release-3.1.11'

author: Maat <maat-pub@mageia.biz> 2020-05-08 18:29:30 +0200
committer: Maat <maat-pub@mageia.biz> 2020-05-08 21:36:04 +0200
commit: 36bc1870f21fac04736a1049c1d5b8e127d729f4 (patch)
tree: 9d102331eeaf1ef3cd23e656320d7c08e65757ed /phpBB/download/file.php
parent: 8875d385d0579b451dac4d9bda465172b4f69ee0 (diff)
parent: 149375253685b3a38996f63015a74b7a0f53aa14 (diff)
download: forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.gz
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.bz2
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.xz
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.zip
1 files changed, 137 insertions, 558 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index cf8aaa03e8..e60ffad6b0 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -1,10 +1,13 @@
 <?php
 /**
 *
-* @package phpBB3
-* @version $Id$
-* @copyright (c) 2005 phpBB Group
-* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
 *
 */
 
@@ -15,7 +18,6 @@ define('IN_PHPBB', true);
 $phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);
 
-
 // Thank you sun.
 if (isset($_SERVER['CONTENT_TYPE']))
 {
@@ -32,33 +34,61 @@ else if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'
 if (isset($_GET['avatar']))
 {
 	require($phpbb_root_path . 'includes/startup.' . $phpEx);
-	require($phpbb_root_path . 'config.' . $phpEx);
+
+	require($phpbb_root_path . 'phpbb/class_loader.' . $phpEx);
+	$phpbb_class_loader = new \phpbb\class_loader('phpbb\\', "{$phpbb_root_path}phpbb/", $phpEx);
+	$phpbb_class_loader->register();
+
+	$phpbb_config_php_file = new \phpbb\config_php_file($phpbb_root_path, $phpEx);
+	extract($phpbb_config_php_file->get_all());
 
 	if (!defined('PHPBB_INSTALLED') || empty($dbms) || empty($acm_type))
 	{
 		exit;
 	}
 
-	require($phpbb_root_path . 'includes/acm/acm_' . $acm_type . '.' . $phpEx);
-	require($phpbb_root_path . 'includes/cache.' . $phpEx);
-	require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx);
 	require($phpbb_root_path . 'includes/constants.' . $phpEx);
 	require($phpbb_root_path . 'includes/functions.' . $phpEx);
+	require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
+	require($phpbb_root_path . 'includes/utf/utf_tools.' . $phpEx);
 
-	$db = new $sql_db();
-	$cache = new cache();
+	// Setup class loader first
+	$phpbb_class_loader_ext = new \phpbb\class_loader('\\', "{$phpbb_root_path}ext/", $phpEx);
+	$phpbb_class_loader_ext->register();
+
+	phpbb_load_extensions_autoloaders($phpbb_root_path);
+
+	// Set up container
+	$phpbb_container_builder = new \phpbb\di\container_builder($phpbb_config_php_file, $phpbb_root_path, $phpEx);
+	$phpbb_container = $phpbb_container_builder->get_container();
+
+	$phpbb_class_loader->set_cache($phpbb_container->get('cache.driver'));
+	$phpbb_class_loader_ext->set_cache($phpbb_container->get('cache.driver'));
+
+	// set up caching
+	$cache = $phpbb_container->get('cache');
+
+	$phpbb_dispatcher = $phpbb_container->get('dispatcher');
+	$request	= $phpbb_container->get('request');
+	$db			= $phpbb_container->get('dbal.conn');
+	$phpbb_log	= $phpbb_container->get('log');
 
-	// Connect to DB
-	if (!@$db->sql_connect($dbhost, $dbuser, $dbpasswd, $dbname, $dbport, false, false))
-	{
-		exit;
-	}
 	unset($dbpasswd);
 
+	request_var('', 0, false, false, $request);
+
+	$config = $phpbb_container->get('config');
+	set_config(null, null, null, $config);
+	set_config_count(null, null, null, $config);
+
+	// load extensions
+	$phpbb_extension_manager = $phpbb_container->get('ext.manager');
+
 	// worst-case default
-	$browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0';
+	$browser = strtolower($request->header('User-Agent', 'msie 6.0'));
+
+	$phpbb_avatar_manager = $phpbb_container->get('avatar.manager');
 
-	$config = $cache->obtain_config();
 	$filename = request_var('avatar', '');
 	$avatar_group = false;
 	$exit = false;
@@ -108,8 +138,9 @@ if (isset($_GET['avatar']))
 
 // implicit else: we are not in avatar mode
 include($phpbb_root_path . 'common.' . $phpEx);
+require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
 
-$download_id = request_var('id', 0);
+$attach_id = request_var('id', 0);
 $mode = request_var('mode', '');
 $thumbnail = request_var('t', false);
 
@@ -118,22 +149,22 @@ $user->session_begin(false);
 $auth->acl($user->data);
 $user->setup('viewtopic');
 
-if (!$download_id)
+if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
 {
 	send_status_line(404, 'Not Found');
-	trigger_error('NO_ATTACHMENT_SELECTED');
+	trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
 }
 
-if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
+if (!$attach_id)
 {
 	send_status_line(404, 'Not Found');
-	trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
+	trigger_error('NO_ATTACHMENT_SELECTED');
 }
 
-$sql = 'SELECT attach_id, in_message, post_msg_id, extension, is_orphan, poster_id, filetime
+$sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, poster_id, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime
 	FROM ' . ATTACHMENTS_TABLE . "
-	WHERE attach_id = $download_id";
-$result = $db->sql_query_limit($sql, 1);
+	WHERE attach_id = $attach_id";
+$result = $db->sql_query($sql);
 $attachment = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
 
@@ -142,594 +173,142 @@ if (!$attachment)
 	send_status_line(404, 'Not Found');
 	trigger_error('ERROR_NO_ATTACHMENT');
 }
-
-if ((!$attachment['in_message'] && !$config['allow_attachments']) || ($attachment['in_message'] && !$config['allow_pm_attach']))
+else if (!download_allowed())
 {
-	send_status_line(404, 'Not Found');
-	trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
+	send_status_line(403, 'Forbidden');
+	trigger_error($user->lang['LINKAGE_FORBIDDEN']);
 }
-
-$row = array();
-
-if ($attachment['is_orphan'])
+else
 {
-	// We allow admins having attachment permissions to see orphan attachments...
-	$own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false;
+	$attachment['physical_filename'] = utf8_basename($attachment['physical_filename']);
 
-	if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download')))
+	if (!$attachment['in_message'] && !$config['allow_attachments'] || $attachment['in_message'] && !$config['allow_pm_attach'])
 	{
 		send_status_line(404, 'Not Found');
-		trigger_error('ERROR_NO_ATTACHMENT');
+		trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
 	}
 
-	// Obtain all extensions...
-	$extensions = $cache->obtain_attach_extensions(true);
-}
-else
-{
-	if (!$attachment['in_message'])
-	{
-		//
-		$sql = 'SELECT p.forum_id, f.forum_name, f.forum_password, f.parent_id
-			FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f
-			WHERE p.post_id = ' . $attachment['post_msg_id'] . '
-				AND p.forum_id = f.forum_id';
-		$result = $db->sql_query_limit($sql, 1);
-		$row = $db->sql_fetchrow($result);
-		$db->sql_freeresult($result);
-
-		// Global announcement?
-		$f_download = (!$row) ? $auth->acl_getf_global('f_download') : $auth->acl_get('f_download', $row['forum_id']);
-
-		if ($auth->acl_get('u_download') && $f_download)
-		{
-			if ($row && $row['forum_password'])
-			{
-				// Do something else ... ?
-				login_forum_box($row);
-			}
-		}
-		else
-		{
-			send_status_line(403, 'Forbidden');
-			trigger_error('SORRY_AUTH_VIEW_ATTACH');
-		}
-	}
-	else
+	if ($attachment['is_orphan'])
 	{
-		$row['forum_id'] = false;
-		if (!$auth->acl_get('u_pm_download'))
-		{
-			send_status_line(403, 'Forbidden');
-			trigger_error('SORRY_AUTH_VIEW_ATTACH');
-		}
-
-		// Check if the attachment is within the users scope...
-		$sql = 'SELECT user_id, author_id
-			FROM ' . PRIVMSGS_TO_TABLE . '
-			WHERE msg_id = ' . $attachment['post_msg_id'];
-		$result = $db->sql_query($sql);
+		// We allow admins having attachment permissions to see orphan attachments...
+		$own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false;
 
-		$allowed = false;
-		while ($user_row = $db->sql_fetchrow($result))
+		if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download')))
 		{
-			if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
-			{
-				$allowed = true;
-				break;
-			}
-		}
-		$db->sql_freeresult($result);
-
-		if (!$allowed)
-		{
-			send_status_line(403, 'Forbidden');
+			send_status_line(404, 'Not Found');
 			trigger_error('ERROR_NO_ATTACHMENT');
 		}
-	}
-
-	// disallowed?
-	$extensions = array();
-	if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions))
-	{
-		send_status_line(404, 'Forbidden');
-		trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
-	}
-}
-
-if (!download_allowed())
-{
-	send_status_line(403, 'Forbidden');
-	trigger_error($user->lang['LINKAGE_FORBIDDEN']);
-}
-
-$download_mode = (int) $extensions[$attachment['extension']]['download_mode'];
-
-// Fetching filename here to prevent sniffing of filename
-$sql = 'SELECT attach_id, is_orphan, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype, filetime
-	FROM ' . ATTACHMENTS_TABLE . "
-	WHERE attach_id = $download_id";
-$result = $db->sql_query_limit($sql, 1);
-$attachment = $db->sql_fetchrow($result);
-$db->sql_freeresult($result);
-
-if (!$attachment)
-{
-	send_status_line(404, 'Not Found');
-	trigger_error('ERROR_NO_ATTACHMENT');
-}
-
-$attachment['physical_filename'] = utf8_basename($attachment['physical_filename']);
-$display_cat = $extensions[$attachment['extension']]['display_cat'];
-
-if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))
-{
-	$display_cat = ATTACHMENT_CATEGORY_NONE;
-}
-
-if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash'))
-{
-	$display_cat = ATTACHMENT_CATEGORY_NONE;
-}
-
-if ($thumbnail)
-{
-	$attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
-}
-else if (($display_cat == ATTACHMENT_CATEGORY_NONE/* || $display_cat == ATTACHMENT_CATEGORY_IMAGE*/) && !$attachment['is_orphan'])
-{
-	// Update download count
-	$sql = 'UPDATE ' . ATTACHMENTS_TABLE . '
-		SET download_count = download_count + 1
-		WHERE attach_id = ' . $attachment['attach_id'];
-	$db->sql_query($sql);
-}
-
-if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && (strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7))
-{
-	wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);
-	file_gc();
-}
-else
-{
-	// Determine the 'presenting'-method
-	if ($download_mode == PHYSICAL_LINK)
-	{
-		// This presenting method should no longer be used
-		if (!@is_dir($phpbb_root_path . $config['upload_path']))
-		{
-			send_status_line(500, 'Internal Server Error');
-			trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
-		}
 
-		redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);
-		file_gc();
+		// Obtain all extensions...
+		$extensions = $cache->obtain_attach_extensions(true);
 	}
 	else
 	{
-		send_file_to_browser($attachment, $config['upload_path'], $display_cat);
-		file_gc();
-	}
-}
-
-
-/**
-* A simplified function to deliver avatars
-* The argument needs to be checked before calling this function.
-*/
-function send_avatar_to_browser($file, $browser)
-{
-	global $config, $phpbb_root_path;
-
-	$prefix = $config['avatar_salt'] . '_';
-	$image_dir = $config['avatar_path'];
-
-	// Adjust image_dir path (no trailing slash)
-	if (substr($image_dir, -1, 1) == '/' || substr($image_dir, -1, 1) == '\\')
-	{
-		$image_dir = substr($image_dir, 0, -1) . '/';
-	}
-	$image_dir = str_replace(array('../', '..\\', './', '.\\'), '', $image_dir);
-
-	if ($image_dir && ($image_dir[0] == '/' || $image_dir[0] == '\\'))
-	{
-		$image_dir = '';
-	}
-	$file_path = $phpbb_root_path . $image_dir . '/' . $prefix . $file;
-
-	if ((@file_exists($file_path) && @is_readable($file_path)) && !headers_sent())
-	{
-		header('Pragma: public');
-
-		$image_data = @getimagesize($file_path);
-		header('Content-Type: ' . image_type_to_mime_type($image_data[2]));
-			
-		if ((strpos(strtolower($browser), 'msie') !== false) && !phpbb_is_greater_ie_version($browser, 7))
+		if (!$attachment['in_message'])
 		{
-			header('Content-Disposition: attachment; ' . header_filename($file));
+			phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']);
 
-			if (strpos(strtolower($browser), 'msie 6.0') !== false)
-			{
-				header('Expires: -1');
-			}
-			else
+			$sql = 'SELECT forum_id, post_visibility
+				FROM ' . POSTS_TABLE . '
+				WHERE post_id = ' . (int) $attachment['post_msg_id'];
+			$result = $db->sql_query($sql);
+			$post_row = $db->sql_fetchrow($result);
+			$db->sql_freeresult($result);
+
+			if (!$post_row || ($post_row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $post_row['forum_id'])))
 			{
-				header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
+				// Attachment of a soft deleted post and the user is not allowed to see the post
+				send_status_line(404, 'Not Found');
+				trigger_error('ERROR_NO_ATTACHMENT');
 			}
 		}
 		else
 		{
-			header('Content-Disposition: inline; ' . header_filename($file));
-			header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
-		}
-
-		$size = @filesize($file_path);
-		if ($size)
-		{
-			header("Content-Length: $size");
+			// Attachment is in a private message.
+			$post_row = array('forum_id' => false);
+			phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
 		}
 
-		if (@readfile($file_path) == false)
+		$extensions = array();
+		if (!extension_allowed($post_row['forum_id'], $attachment['extension'], $extensions))
 		{
-			$fp = @fopen($file_path, 'rb');
-
-			if ($fp !== false)
-			{
-				while (!feof($fp))
-				{
-					echo fread($fp, 8192);
-				}
-				fclose($fp);
-			}
+			send_status_line(403, 'Forbidden');
+			trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
 		}
-
-		flush();
-	}
-	else
-	{
-		send_status_line(404, 'Not Found');
 	}
-}
 
-/**
-* Wraps an url into a simple html page. Used to display attachments in IE.
-* this is a workaround for now; might be moved to template system later
-* direct any complaints to 1 Microsoft Way, Redmond
-*/
-function wrap_img_in_html($src, $title)
-{
-	echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-Strict.dtd">';
-	echo '<html>';
-	echo '<head>';
-	echo '<meta http-equiv="content-type" content="text/html; charset=UTF-8" />';
-	echo '<title>' . $title . '</title>';
-	echo '</head>';
-	echo '<body>';
-	echo '<div>';
-	echo '<img src="' . $src . '" alt="' . $title . '" />';
-	echo '</div>';
-	echo '</body>';
-	echo '</html>';
-}
+	$download_mode = (int) $extensions[$attachment['extension']]['download_mode'];
+	$display_cat = $extensions[$attachment['extension']]['display_cat'];
 
-/**
-* Send file to browser
-*/
-function send_file_to_browser($attachment, $upload_dir, $category)
-{
-	global $user, $db, $config, $phpbb_root_path;
-
-	$filename = $phpbb_root_path . $upload_dir . '/' . $attachment['physical_filename'];
-
-	if (!@file_exists($filename))
-	{
-		send_status_line(404, 'Not Found');
-		trigger_error('ERROR_NO_ATTACHMENT');
-	}
-
-	// Correct the mime type - we force application/octetstream for all files, except images
-	// Please do not change this, it is a security precaution
-	if ($category != ATTACHMENT_CATEGORY_IMAGE || strpos($attachment['mimetype'], 'image') !== 0)
+	if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))
 	{
-		$attachment['mimetype'] = (strpos(strtolower($user->browser), 'msie') !== false || strpos(strtolower($user->browser), 'opera') !== false) ? 'application/octetstream' : 'application/octet-stream';
+		$display_cat = ATTACHMENT_CATEGORY_NONE;
 	}
 
-	if (@ob_get_length())
+	if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash'))
 	{
-		@ob_end_clean();
+		$display_cat = ATTACHMENT_CATEGORY_NONE;
 	}
 
-	// Now send the File Contents to the Browser
-	$size = @filesize($filename);
-
-	// To correctly display further errors we need to make sure we are using the correct headers for both (unsetting content-length may not work)
-
-	// Check if headers already sent or not able to get the file contents.
-	if (headers_sent() || !@file_exists($filename) || !@is_readable($filename))
-	{
-		// PHP track_errors setting On?
-		if (!empty($php_errormsg))
-		{
-			send_status_line(500, 'Internal Server Error');
-			trigger_error($user->lang['UNABLE_TO_DELIVER_FILE'] . '<br />' . sprintf($user->lang['TRACKED_PHP_ERROR'], $php_errormsg));
-		}
-
-		send_status_line(500, 'Internal Server Error');
-		trigger_error('UNABLE_TO_DELIVER_FILE');
-	}
-
-	// Now the tricky part... let's dance
-	header('Pragma: public');
-
 	/**
-	* Commented out X-Sendfile support. To not expose the physical filename within the header if xsendfile is absent we need to look into methods of checking it's status.
-	*
-	* Try X-Sendfile since it is much more server friendly - only works if the path is *not* outside of the root path...
-	* lighttpd has core support for it. An apache2 module is available at http://celebnamer.celebworld.ws/stuff/mod_xsendfile/
+	* Event to modify data before sending file to browser
 	*
-	* Not really ideal, but should work fine...
-	* <code>
-	*	if (strpos($upload_dir, '/') !== 0 && strpos($upload_dir, '../') === false)
-	*	{
-	*		header('X-Sendfile: ' . $filename);
-	*	}
-	* </code>
+	* @event core.download_file_send_to_browser_before
+	* @var	int		attach_id			The attachment ID
+	* @var	array	attachment			Array with attachment data
+	* @var	int		display_cat			Attachment category
+	* @var	int		download_mode		File extension specific download mode
+	* @var	array	extensions			Array with file extensions data
+	* @var	string	mode				Download mode
+	* @var	bool	thumbnail			Flag indicating if the file is a thumbnail
+	* @since 3.1.6-RC1
+	* @changed 3.1.7-RC1	Fixing wrong name of a variable (replacing "extension" by "extensions")
 	*/
+	$vars = array(
+		'attach_id',
+		'attachment',
+		'display_cat',
+		'download_mode',
+		'extensions',
+		'mode',
+		'thumbnail',
+	);
+	extract($phpbb_dispatcher->trigger_event('core.download_file_send_to_browser_before', compact($vars)));
 
-	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
-	header('Content-Type: ' . $attachment['mimetype']);
-		
-	if (phpbb_is_greater_ie_version($user->browser, 7))
-	{
-		header('X-Content-Type-Options: nosniff');
-	}
-
-	if ($category == ATTACHMENT_CATEGORY_FLASH && request_var('view', 0) === 1)
-	{
-		// We use content-disposition: inline for flash files and view=1 to let it correctly play with flash player 10 - any other disposition will fail to play inline
-		header('Content-Disposition: inline');
-	}
-	else
-	{
-		if (empty($user->browser) || ((strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7)))
-		{
-			header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
-			if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
-			{
-				header('expires: -1');
-			}
-		}
-		else
-		{
-			header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
-			if (phpbb_is_greater_ie_version($user->browser, 7) && (strpos($attachment['mimetype'], 'image') !== 0))
-			{
-				header('X-Download-Options: noopen');
-			}
-		}
-	}
-
-	// Close the db connection before sending the file
-	$db->sql_close();
-
-	if (!set_modified_headers($attachment['filetime'], $user->browser))
-	{
-		// Send Content-Length only if set_modified_headers() does not send
-		// status 304 - Not Modified
-		if ($size)
-		{
-			header("Content-Length: $size");
-		}
-
-		// Try to deliver in chunks
-		@set_time_limit(0);
-
-		$fp = @fopen($filename, 'rb');
-
-		if ($fp !== false)
-		{
-			while (!feof($fp))
-			{
-				echo fread($fp, 8192);
-			}
-			fclose($fp);
-		}
-		else
-		{
-			@readfile($filename);
-		}
-
-		flush();
-	}
-	file_gc();
-}
-
-/**
-* Get a browser friendly UTF-8 encoded filename
-*/
-function header_filename($file)
-{
-	$user_agent = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
-
-	// There be dragons here.
-	// Not many follows the RFC...
-	if (strpos($user_agent, 'MSIE') !== false || strpos($user_agent, 'Safari') !== false || strpos($user_agent, 'Konqueror') !== false)
+	if ($thumbnail)
 	{
-		return "filename=" . rawurlencode($file);
+		$attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
 	}
-
-	// follow the RFC for extended filename for the rest
-	return "filename*=UTF-8''" . rawurlencode($file);
-}
-
-/**
-* Check if downloading item is allowed
-*/
-function download_allowed()
-{
-	global $config, $user, $db;
-
-	if (!$config['secure_downloads'])
+	else if ($display_cat == ATTACHMENT_CATEGORY_NONE && !$attachment['is_orphan'] && !phpbb_http_byte_range($attachment['filesize']))
 	{
-		return true;
+		// Update download count
+		phpbb_increment_downloads($db, $attachment['attach_id']);
 	}
 
-	$url = (!empty($_SERVER['HTTP_REFERER'])) ? trim($_SERVER['HTTP_REFERER']) : trim(getenv('HTTP_REFERER'));
-
-	if (!$url)
+	if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && (strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7))
 	{
-		return ($config['secure_allow_empty_referer']) ? true : false;
-	}
-
-	// Split URL into domain and script part
-	$url = @parse_url($url);
-
-	if ($url === false)
-	{
-		return ($config['secure_allow_empty_referer']) ? true : false;
+		wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);
+		file_gc();
 	}
-
-	$hostname = $url['host'];
-	unset($url);
-
-	$allowed = ($config['secure_allow_deny']) ? false : true;
-	$iplist = array();
-
-	if (($ip_ary = @gethostbynamel($hostname)) !== false)
+	else
 	{
-		foreach ($ip_ary as $ip)
+		// Determine the 'presenting'-method
+		if ($download_mode == PHYSICAL_LINK)
 		{
-			if ($ip)
+			// This presenting method should no longer be used
+			if (!@is_dir($phpbb_root_path . $config['upload_path']))
 			{
-				$iplist[] = $ip;
+				send_status_line(500, 'Internal Server Error');
+				trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
 			}
-		}
-	}
-
-	// Check for own server...
-	$server_name = $user->host;
-
-	// Forcing server vars is the only way to specify/override the protocol
-	if ($config['force_server_vars'] || !$server_name)
-	{
-		$server_name = $config['server_name'];
-	}
-
-	if (preg_match('#^.*?' . preg_quote($server_name, '#') . '.*?$#i', $hostname))
-	{
-		$allowed = true;
-	}
-
-	// Get IP's and Hostnames
-	if (!$allowed)
-	{
-		$sql = 'SELECT site_ip, site_hostname, ip_exclude
-			FROM ' . SITELIST_TABLE;
-		$result = $db->sql_query($sql);
 
-		while ($row = $db->sql_fetchrow($result))
-		{
-			$site_ip = trim($row['site_ip']);
-			$site_hostname = trim($row['site_hostname']);
-
-			if ($site_ip)
-			{
-				foreach ($iplist as $ip)
-				{
-					if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_ip, '#')) . '$#i', $ip))
-					{
-						if ($row['ip_exclude'])
-						{
-							$allowed = ($config['secure_allow_deny']) ? false : true;
-							break 2;
-						}
-						else
-						{
-							$allowed = ($config['secure_allow_deny']) ? true : false;
-						}
-					}
-				}
-			}
-
-			if ($site_hostname)
-			{
-				if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_hostname, '#')) . '$#i', $hostname))
-				{
-					if ($row['ip_exclude'])
-					{
-						$allowed = ($config['secure_allow_deny']) ? false : true;
-						break;
-					}
-					else
-					{
-						$allowed = ($config['secure_allow_deny']) ? true : false;
-					}
-				}
-			}
-		}
-		$db->sql_freeresult($result);
-	}
-
-	return $allowed;
-}
-
-/**
-* Check if the browser has the file already and set the appropriate headers-
-* @returns false if a resend is in order.
-*/
-function set_modified_headers($stamp, $browser)
-{
-	// let's see if we have to send the file at all
-	$last_load 	=  isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime(trim($_SERVER['HTTP_IF_MODIFIED_SINCE'])) : false;
-		
-	if (strpos(strtolower($browser), 'msie 6.0') === false && !phpbb_is_greater_ie_version($browser, 7))
-	{
-		if ($last_load !== false && $last_load >= $stamp)
-		{
-			send_status_line(304, 'Not Modified');
-			// seems that we need those too ... browsers
-			header('Pragma: public');
-			header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
-			return true;
+			redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);
+			file_gc();
 		}
 		else
 		{
-			header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $stamp) . ' GMT');
+			send_file_to_browser($attachment, $config['upload_path'], $display_cat);
+			file_gc();
 		}
 	}
-	return false;
-}
-
-function file_gc()
-{
-	global $cache, $db;
-	if (!empty($cache))
-	{
-		$cache->unload();
-	}
-	$db->sql_close();
-	exit;
-}
-
-/**
-* Check if the browser is internet explorer version 7+
-*
-* @param string $user_agent	User agent HTTP header
-* @param int $version IE version to check against
-*
-* @return bool true if internet explorer version is greater than $version
-*/
-function phpbb_is_greater_ie_version($user_agent, $version)
-{
-	if (preg_match('/msie (\d+)/', strtolower($user_agent), $matches))
-	{
-		$ie_version = (int) $matches[1];
-		return ($ie_version > $version);
-	}
-	else
-	{
-		return false;
-	}
 }
-
-?>
-\ No newline at end of file
author	Maat <maat-pub@mageia.biz>	2020-05-08 18:29:30 +0200
committer	Maat <maat-pub@mageia.biz>	2020-05-08 21:36:04 +0200
commit	36bc1870f21fac04736a1049c1d5b8e127d729f4 (patch)
tree	9d102331eeaf1ef3cd23e656320d7c08e65757ed /phpBB/download/file.php
parent	8875d385d0579b451dac4d9bda465172b4f69ee0 (diff)
parent	149375253685b3a38996f63015a74b7a0f53aa14 (diff)
download	forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.gz forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.bz2 forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.xz forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.zip