+$topic_id = $request->variable('topic_id', 0);

+$post_msg_id = $request->variable('post_msg_id', 0);

+$archive = $request->variable('archive', '.tar');

+if (!$config['allow_attachments'] && !$config['allow_pm_attach'])

+ trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');

+if ($download_id)

+{

+ // Attachment id (only 1 attachment)

+ $sql_where = "attach_id = $download_id";

+}

+else if ($post_msg_id)

+{

+ // Post id or private message id (multiple attachments)

+ $sql_where = "post_msg_id = $post_msg_id AND is_orphan = 0";

+}

+else if ($topic_id)

+{

+ // Topic id (multiple attachments)

+ $sql_where = "topic_id = $topic_id AND is_orphan = 0";

+}

+else

+ trigger_error('NO_ATTACHMENT_SELECTED');

+$sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime

+ WHERE $sql_where";

+$result = $db->sql_query($sql);

+

+$attachments = $attachment_ids = array();

+while ($row = $db->sql_fetchrow($result))

+{

+ $attachment_id = (int) $row['attach_id'];

+

+ $row['physical_filename'] = utf8_basename($row['physical_filename']);

+

+ $attachment_ids[$attachment_id] = $attachment_id;

+ $attachments[$attachment_id] = $row;

+}

+// Make $attachment the first of the attachments we fetched.

+$attachment = current($attachments);

+

+if (empty($attachments))

+else if (!download_allowed())

+ send_status_line(403, 'Forbidden');

+ trigger_error($user->lang['LINKAGE_FORBIDDEN']);

+else if ($download_id)

+ // sizeof($attachments) == 1

+ if (!$attachment['in_message'] && !$config['allow_attachments'] || $attachment['in_message'] && !$config['allow_pm_attach'])

+ trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');

+ if ($attachment['is_orphan'])

+ // We allow admins having attachment permissions to see orphan attachments...

+ $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false;

+

+ if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download')))

+ send_status_line(404, 'Not Found');

+ trigger_error('ERROR_NO_ATTACHMENT');

+

+ // Obtain all extensions...

+ $extensions = $cache->obtain_attach_extensions(true);

+ if (!$attachment['in_message'])

+ phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']);

+ else

+ {

+ // Attachment is in a private message.

+ $row['forum_id'] = false;

+ phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);

+ }

+

+ $extensions = array();

+ if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions))

+ {

+ send_status_line(404, 'Forbidden');

+ trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));

+ }

+ }

+

+ $download_mode = (int) $extensions[$attachment['extension']]['download_mode'];

+ $display_cat = $extensions[$attachment['extension']]['display_cat'];

+

+ if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))

+ {

+ $display_cat = ATTACHMENT_CATEGORY_NONE;

+ }

+

+ if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash'))

+ {

+ $display_cat = ATTACHMENT_CATEGORY_NONE;

+ }

+ if ($thumbnail)

+ {

+ $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];

+ }

+ else if ($display_cat == ATTACHMENT_CATEGORY_NONE && !$attachment['is_orphan'] && !phpbb_http_byte_range($attachment['filesize']))

+ {

+ // Update download count

+ phpbb_increment_downloads($db, $attachment['attach_id']);

+ }

+ if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && ((strpos(strtolower($user->browser), 'msie') !== false) && (strpos(strtolower($user->browser), 'msie 8.0') === false)))

+ {

+ wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);

+ file_gc();

+ }

+ else

+ {

+ // Determine the 'presenting'-method

+ if ($download_mode == PHYSICAL_LINK)

+ // This presenting method should no longer be used

+ if (!@is_dir($phpbb_root_path . $config['upload_path']))

+ send_status_line(500, 'Internal Server Error');

+ trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);

+ redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);

+ file_gc();

+ }

+ else

+ send_file_to_browser($attachment, $config['upload_path'], $display_cat);

+ file_gc();

+}

+else

+{

+ // sizeof($attachments) >= 1

+ if ($attachment['in_message'])

+ {

+ phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);

+ }

+ else

+ {

+ phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']);

+ }

+ if (!class_exists('compress'))

+ require $phpbb_root_path . 'includes/functions_compress.' . $phpEx;

+ if (!in_array($archive, compress::methods()))

+ {

+ $archive = '.tar';

+ }

+ if ($post_msg_id)

+ {

+ if ($attachment['in_message'])

+ {

+ $sql = 'SELECT message_subject AS attach_subject

+ FROM ' . PRIVMSGS_TABLE . "

+ WHERE msg_id = $post_msg_id";

+ }

+ else

+ {

+ $sql = 'SELECT post_subject AS attach_subject, forum_id

+ FROM ' . POSTS_TABLE . "

+ WHERE post_id = $post_msg_id";

+ }

+ }

+ else

+ {

+ $sql = 'SELECT topic_title AS attach_subject, forum_id

+ FROM ' . TOPICS_TABLE . "

+ WHERE topic_id = $topic_id";

+ }

+ $result = $db->sql_query($sql);

+ $row = $db->sql_fetchrow($result);

+ $db->sql_freeresult($result);

+ if (empty($row))

+ {

+ send_status_line(404, 'Not Found');

+ trigger_error('ERROR_NO_ATTACHMENT');

+ }

+ $clean_name = phpbb_download_clean_filename($row['attach_subject']);

+ $suffix = '_' . (($post_msg_id) ? $post_msg_id : $topic_id) . '_' . $clean_name;

+ $archive_name = 'attachments' . $suffix;

+ $store_name = 'att_' . time() . '_' . unique_id();

+ $archive_path = "{$phpbb_root_path}store/{$store_name}{$archive}";

+ if ($archive === '.zip')

+ {

+ $compress = new compress_zip('w', $archive_path);

+ }

+ else

+ {

+ $compress = new compress_tar('w', $archive_path, $archive);

+ }

+ $extensions = array();

+ $files_added = 0;

+ $forum_id = ($attachment['in_message']) ? false : (int) $row['forum_id'];

+ $disallowed = array();

+ foreach ($attachments as $attach)

+ if (!extension_allowed($forum_id, $attach['extension'], $extensions))

+ {

+ $disallowed[$attach['extension']] = $attach['extension'];

+ continue;

+ }

+

+ $prefix = '';

+ if ($topic_id)

+ $prefix = $attach['post_msg_id'] . '_';

+ $compress->add_custom_file("{$phpbb_root_path}files/{$attach['physical_filename']}", "{$prefix}{$attach['real_filename']}");

+ $files_added++;

+

+ $compress->close();

+

+ if ($files_added)

+ phpbb_increment_downloads($db, $attachment_ids);

+ $compress->download($store_name, $archive_name);

+ }

+

+ unlink($archive_path);

+

+ if (!$files_added)

+ {

+ // None of the attachments had a valid extension

+ $disallowed = implode($user->lang['COMMA_SEPARATOR'], $disallowed);

+ send_status_line(404, 'Forbidden');

+ trigger_error($user->lang('EXTENSION_DISABLED_AFTER_POSTING', $disallowed));

+

+ file_gc();

+abstract class phpbb_cache_driver_memory extends phpbb_cache_driver_base

+ if (defined('DEBUG_TEST') || $diff && ($diff <= $timespan || $timespan === -1))

+

+/**

+* Generate a list of archive types available for compressing attachments

+*

+* @param string $param_key Either topic_id or post_id

+* @param string $param_val The value of the topic or post id

+* @param string $phpbb_root_path The root path of the phpBB installation

+* @param string $phpEx The PHP extension

+*

+* @return array Array containing the link and the type of compression

+*/

+function phpbb_gen_download_links($param_key, $param_val, $phpbb_root_path, $phpEx)

+{

+ if (!class_exists('compress'))

+ {

+ require $phpbb_root_path . 'includes/functions_compress.' . $phpEx;

+ }

+

+ $methods = compress::methods();

+ $links = array();

+

+ foreach ($methods as $method)

+ {

+ $type = array_pop(explode('.', $method));

+ $params = array('archive' => $method);

+ $params[$param_key] = $param_val;

+

+ $links[] = array(

+ 'LINK' => append_sid("{$phpbb_root_path}download/file.$phpEx", $params),

+ 'TYPE' => $type,

+ );

+ }

+

+ return $links;

+}

+

+/**

+* Increments the download count of all provided attachments

+*

+* @param dbal $db The database object

+* @param array|int $ids The attach_id of each attachment

+*

+* @return null

+*/

+function phpbb_increment_downloads($db, $ids)

+{

+ if (!is_array($ids))

+ {

+ $ids = array($ids);

+ }

+

+ $sql = 'UPDATE ' . ATTACHMENTS_TABLE . '

+ SET download_count = download_count + 1

+ WHERE ' . $db->sql_in_set('attach_id', $ids);

+ $db->sql_query($sql);

+}

+

+/**

+* Handles authentication when downloading attachments from a post or topic

+*

+* @param dbal $db The database object

+* @param phpbb_auth $auth The authentication object

+* @param int $topic_id The id of the topic that we are downloading from

+*

+* @return null

+*/

+function phpbb_download_handle_forum_auth($db, $auth, $topic_id)

+{

+ $sql = 'SELECT t.forum_id, f.forum_password, f.parent_id

+ FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f

+ WHERE t.topic_id = " . (int) $topic_id . "

+ AND t.forum_id = f.forum_id";

+ $result = $db->sql_query($sql);

+ $row = $db->sql_fetchrow($result);

+ $db->sql_freeresult($result);

+

+ if ($auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))

+ {

+ if ($row && $row['forum_password'])

+ {

+ // Do something else ... ?

+ login_forum_box($row);

+ }

+ }

+ else

+ {

+ send_status_line(403, 'Forbidden');

+ trigger_error('SORRY_AUTH_VIEW_ATTACH');

+ }

+}

+

+/**

+* Handles authentication when downloading attachments from PMs

+*

+* @param dbal $db The database object

+* @param phpbb_auth $auth The authentication object

+* @param int $user_id The user id

+* @param int $msg_id The id of the PM that we are downloading from

+*

+* @return null

+*/

+function phpbb_download_handle_pm_auth($db, $auth, $user_id, $msg_id)

+{

+ if (!$auth->acl_get('u_pm_download'))

+ {

+ send_status_line(403, 'Forbidden');

+ trigger_error('SORRY_AUTH_VIEW_ATTACH');

+ }

+

+ $allowed = phpbb_download_check_pm_auth($db, $user_id, $msg_id);

+

+ if (!$allowed)

+ {

+ send_status_line(403, 'Forbidden');

+ trigger_error('ERROR_NO_ATTACHMENT');

+ }

+}

+

+/**

+* Checks whether a user can download from a particular PM

+*

+* @param dbal $db The database object

+* @param int $user_id The user id

+* @param int $msg_id The id of the PM that we are downloading from

+*

+* @return bool Whether the user is allowed to download from that PM or not

+*/

+function phpbb_download_check_pm_auth($db, $user_id, $msg_id)

+{

+ // Check if the attachment is within the users scope...

+ $sql = 'SELECT msg_id

+ FROM ' . PRIVMSGS_TO_TABLE . '

+ WHERE msg_id = ' . (int) $msg_id . '

+ AND (

+ user_id = ' . (int) $user_id . '

+ OR author_id = ' . (int) $user_id . '

+ )';

+ $result = $db->sql_query_limit($sql, 1);

+ $allowed = (bool) $db->sql_fetchfield('msg_id');

+ $db->sql_freeresult($result);

+

+ return $allowed;

+}

+

+/**

+* Cleans a filename of any characters that could potentially cause a problem on

+* a user's filesystem.

+*

+* @param string $filename The filename to clean

+*

+* @return string The cleaned filename

+*/

+function phpbb_download_clean_filename($filename)

+{

+ $bad_chars = array("'", "\\", ' ', '/', ':', '*', '?', '"', '<', '>', '|');

+

+ // rawurlencode to convert any potentially 'bad' characters that we missed

+ $filename = rawurlencode(str_replace($bad_chars, '_', $filename));

+

+ // Turn the %xx entities created by rawurlencode to _

+ $filename = preg_replace("/%(\w{2})/", '_', $filename);

+

+ return $filename;

+}

+* @param bool $debug_test If the DEBUG_TEST constant should be added

+* NOTE: Only for use within the testing framework

+function phpbb_create_config_file_data($data, $dbms, $load_extensions, $debug = false, $debug_test = false)

+ if ($debug_test)

+ {

+ $config_data .= "@define('DEBUG_TEST', true);\n";

+ }

+

+ 'S_HAS_MULTIPLE_ATTACHMENTS' => (sizeof($attachments) > 1),

+ $methods = phpbb_gen_download_links('post_msg_id', $msg_id, $phpbb_root_path, $phpEx);

+ foreach ($methods as $method)

+ {

+ $template->assign_block_vars('dl_method', $method);

+ }

+

+ 'DOWNLOAD_ALL' => 'Download all',

+ 'DOWNLOAD_ALL_ATTACHMENTS' => 'Download all attachments',

+ 'MESSAGE_REMOVED_FROM_OUTBOX' => 'This message was deleted by its author.',

+ 'EDIT_REASON' => $request->variable('edit_reason', ''),

+ <li id="display-panel-tab"<!-- IF not S_MERGE_VIEW --> class="activetab"<!-- ENDIF -->>

+ <dl class="attachbox">

+ <dt>

+ {L_ATTACHMENTS}

+ <!-- IF S_HAS_MULTIPLE_ATTACHMENTS -->

+ <div class="dl_links">

+ <strong>{L_DOWNLOAD_ALL}:</strong>

+ <ul>

+ <!-- BEGIN dl_method -->

+ <li>[ <a href="{dl_method.LINK}">{dl_method.TYPE}</a> ]</li>

+ <!-- END dl_method -->

+ </ul>

+ </div>

+ <!-- ENDIF -->

+ </dt>

+ <!-- BEGIN attachment -->

+ <dd>{attachment.DISPLAY_ATTACHMENT}</dd>

+ <!-- END attachment -->

+ </dl>

+ <dt>

+ {L_ATTACHMENTS}

+ <!-- IF postrow.S_MULTIPLE_ATTACHMENTS -->

+ <div class="dl_links">

+ <strong>{L_DOWNLOAD_ALL}:</strong>

+ <ul>

+ <!-- BEGIN dl_method -->

+ <li>[ <a href="{postrow.dl_method.LINK}">{postrow.dl_method.TYPE}</a> ]</li>

+ <!-- END dl_method -->

+ </ul>

+ </div>

+ <!-- ENDIF -->

+ </dt>

+ <!-- IF S_HAS_ATTACHMENTS -->

+ <div class="dl_links">

+ <strong>{L_DOWNLOAD_ALL_ATTACHMENTS}:</strong>

+ <ul>

+ <!-- BEGIN dl_method -->

+ <li>[ <a href="{dl_method.LINK}">{dl_method.TYPE}</a> ]</li>

+ <!-- END dl_method -->

+ </ul>

+ </div>

+ <!-- ENDIF -->

+

+

+.topic-actions div.dl_links {

+ padding: 10px 0 0 10px;

+}

+

+div.dl_links {

+ display: inline-block;

+ text-transform: none;

+}

+

+.dl_links strong {

+ font-weight: bold;

+}

+

+.dl_links ul {

+ list-style-type: none;

+ margin: 0;

+ display: inline-block;

+}

+

+.dl_links li {

+ display: inline-block;

+}

+$template->assign_vars(array(

+ 'S_HAS_ATTACHMENTS' => !empty($attachments),

+));

+

+$methods = phpbb_gen_download_links('topic_id', $topic_id, $phpbb_root_path, $phpEx);

+foreach ($methods as $method)

+{

+ $template->assign_block_vars('dl_method', $method);

+}

+

+ 'S_MULTIPLE_ATTACHMENTS' => !empty($attachments[$row['post_id']]) && sizeof($attachments[$row['post_id']]) > 1,

+

+ $methods = phpbb_gen_download_links('post_msg_id', $row['post_id'], $phpbb_root_path, $phpEx);

+ foreach ($methods as $method)

+ {

+ $template->assign_block_vars('postrow.dl_method', $method);

+ }

+<?php

+/**

+*

+* @package testing

+* @copyright (c) 2012 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+/**

+* @group functional

+*/

+class phpbb_functional_posting_test extends phpbb_functional_test_case

+{

+ public function test_post_new_topic()

+ {

+ $this->login();

+ $this->add_lang('posting');

+

+ $crawler = $this->request('GET', 'posting.php?mode=post&f=2&sid=' . $this->sid);

+ $this->assertContains($this->lang('POST_TOPIC'), $crawler->filter('html')->text());

+

+ $hidden_fields = array();

+ $hidden_fields[] = $crawler->filter('[type="hidden"]')->each(function ($node, $i) {

+ return array('name' => $node->getAttribute('name'), 'value' => $node->getAttribute('value'));

+ });

+

+ $test_message = 'This is a test topic posted by the testing framework.';

+ $form_data = array(

+ 'subject' => 'Test Topic 1',

+ 'message' => $test_message,

+ 'post' => true,

+ 'f' => 2,

+ 'mode' => 'post',

+ 'sid' => $this->sid,

+ );

+

+ foreach ($hidden_fields as $fields)

+ {

+ foreach($fields as $field)

+ {

+ $form_data[$field['name']] = $field['value'];

+ }

+ }

+

+ // Bypass time restriction that said that if the lastclick time (i.e. time when the form was opened)

+ // is not at least 2 seconds before submission, cancel the form

+ $form_data['lastclick'] = 0;

+

+ // I use a request because the form submission method does not allow you to send data that is not

+ // contained in one of the actual form fields that the browser sees (i.e. it ignores "hidden" inputs)

+ // Instead, I send it as a request with the submit button "post" set to true.

+ $crawler = $this->client->request('POST', 'posting.php', $form_data);

+ $this->assertContains($this->lang('POST_STORED'), $crawler->filter('html')->text());

+

+ $crawler = $this->request('GET', 'viewtopic.php?t=2&sid=' . $this->sid);

+ $this->assertContains($test_message, $crawler->filter('html')->text());

+ }

+

+ public function test_post_reply()

+ {

+ $this->login();

+ $this->add_lang('posting');

+

+ $crawler = $this->request('GET', 'posting.php?mode=reply&t=2&f=2&sid=' . $this->sid);

+ $this->assertContains($this->lang('POST_REPLY'), $crawler->filter('html')->text());

+

+ $hidden_fields = array();

+ $hidden_fields[] = $crawler->filter('[type="hidden"]')->each(function ($node, $i) {

+ return array('name' => $node->getAttribute('name'), 'value' => $node->getAttribute('value'));

+ });

+

+ $test_message = 'This is a test post posted by the testing framework.';

+ $form_data = array(

+ 'subject' => 'Re: Test Topic 1',

+ 'message' => $test_message,

+ 'post' => true,

+ 't' => 2,

+ 'f' => 2,

+ 'mode' => 'reply',

+ 'sid' => $this->sid,

+ );

+

+ foreach ($hidden_fields as $fields)

+ {

+ foreach($fields as $field)

+ {

+ $form_data[$field['name']] = $field['value'];

+ }

+ }

+

+ // For reasoning behind the following command, see the test_post_new_topic() test

+ $form_data['lastclick'] = 0;

+

+ // Submit the post

+ $crawler = $this->client->request('POST', 'posting.php', $form_data);

+ $this->assertContains($this->lang('POST_STORED'), $crawler->filter('html')->text());

+

+ $crawler = $this->request('GET', 'viewtopic.php?t=2&sid=' . $this->sid);

+ $this->assertContains($test_message, $crawler->filter('html')->text());

+ }

+}

+ file_put_contents($phpbb_root_path . "config.$phpEx", phpbb_create_config_file_data($data, self::$config['dbms'], array(), true, true));