diff options
Diffstat (limited to 'phpBB/download')
| -rw-r--r-- | phpBB/download/file.php | 687 |
1 files changed, 198 insertions, 489 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php index 3ceb1ee0cc..eee2090da0 100644 --- a/phpBB/download/file.php +++ b/phpBB/download/file.php @@ -2,12 +2,15 @@ /** * * @package phpBB3 -* @version $Id$ * @copyright (c) 2005 phpBB Group -* @license http://opensource.org/licenses/gpl-license.php GNU Public License +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 * */ +use Symfony\Component\Config\FileLocator; +use Symfony\Component\DependencyInjection\ContainerBuilder; +use Symfony\Component\DependencyInjection\Loader\YamlFileLoader; + /** * @ignore */ @@ -15,7 +18,6 @@ define('IN_PHPBB', true); $phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../'; $phpEx = substr(strrchr(__FILE__, '.'), 1); - // Thank you sun. if (isset($_SERVER['CONTENT_TYPE'])) { @@ -39,14 +41,33 @@ if (isset($_GET['avatar'])) exit; } - require($phpbb_root_path . 'includes/acm/acm_' . $acm_type . '.' . $phpEx); - require($phpbb_root_path . 'includes/cache.' . $phpEx); - require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx); + require($phpbb_root_path . 'includes/class_loader.' . $phpEx); + require($phpbb_root_path . 'includes/constants.' . $phpEx); require($phpbb_root_path . 'includes/functions.' . $phpEx); + require($phpbb_root_path . 'includes/functions_container.' . $phpEx); + require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx); + require($phpbb_root_path . 'includes/utf/utf_tools.' . $phpEx); + + // Setup class loader first + $phpbb_class_loader = new phpbb_class_loader('phpbb_', "{$phpbb_root_path}includes/", $phpEx); + $phpbb_class_loader->register(); + $phpbb_class_loader_ext = new phpbb_class_loader('phpbb_ext_', "{$phpbb_root_path}ext/", $phpEx); + $phpbb_class_loader_ext->register(); - $db = new $sql_db(); - $cache = new cache(); + // Set up container + $phpbb_container = phpbb_create_default_container($phpbb_root_path, $phpEx); + + $phpbb_class_loader->set_cache($phpbb_container->get('cache.driver')); + $phpbb_class_loader_ext->set_cache($phpbb_container->get('cache.driver')); + + // set up caching + $cache = $phpbb_container->get('cache'); + + $phpbb_dispatcher = $phpbb_container->get('dispatcher'); + $request = $phpbb_container->get('request'); + $db = $phpbb_container->get('dbal.conn'); + $phpbb_log = $phpbb_container->get('log'); // Connect to DB if (!@$db->sql_connect($dbhost, $dbuser, $dbpasswd, $dbname, $dbport, false, false)) @@ -55,10 +76,21 @@ if (isset($_GET['avatar'])) } unset($dbpasswd); + request_var('', 0, false, false, $request); + + $config = $phpbb_container->get('config'); + set_config(null, null, null, $config); + set_config_count(null, null, null, $config); + + // load extensions + $phpbb_extension_manager = $phpbb_container->get('ext.manager'); + $phpbb_subscriber_loader = $phpbb_container->get('event.subscriber_loader'); + // worst-case default - $browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0'; + $browser = strtolower($request->header('User-Agent', 'msie 6.0')); + + $phpbb_avatar_manager = $phpbb_container->get('avatar.manager'); - $config = $cache->obtain_config(); $filename = request_var('avatar', ''); $avatar_group = false; $exit = false; @@ -108,8 +140,12 @@ if (isset($_GET['avatar'])) // implicit else: we are not in avatar mode include($phpbb_root_path . 'common.' . $phpEx); +require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx); $download_id = request_var('id', 0); +$topic_id = $request->variable('topic_id', 0); +$post_msg_id = $request->variable('post_msg_id', 0); +$archive = $request->variable('archive', '.tar'); $mode = request_var('mode', ''); $thumbnail = request_var('t', false); @@ -118,595 +154,268 @@ $user->session_begin(false); $auth->acl($user->data); $user->setup('viewtopic'); -if (!$download_id) -{ - send_status_line(404, 'Not Found'); - trigger_error('NO_ATTACHMENT_SELECTED'); -} - if (!$config['allow_attachments'] && !$config['allow_pm_attach']) { send_status_line(404, 'Not Found'); trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED'); } -$sql = 'SELECT attach_id, in_message, post_msg_id, extension, is_orphan, poster_id, filetime - FROM ' . ATTACHMENTS_TABLE . " - WHERE attach_id = $download_id"; -$result = $db->sql_query_limit($sql, 1); -$attachment = $db->sql_fetchrow($result); -$db->sql_freeresult($result); - -if (!$attachment) +if ($download_id) { - send_status_line(404, 'Not Found'); - trigger_error('ERROR_NO_ATTACHMENT'); + // Attachment id (only 1 attachment) + $sql_where = "attach_id = $download_id"; } - -if ((!$attachment['in_message'] && !$config['allow_attachments']) || ($attachment['in_message'] && !$config['allow_pm_attach'])) +else if ($post_msg_id) { - send_status_line(404, 'Not Found'); - trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED'); + // Post id or private message id (multiple attachments) + $sql_where = "post_msg_id = $post_msg_id AND is_orphan = 0"; } - -$row = array(); - -if ($attachment['is_orphan']) +else if ($topic_id) { - // We allow admins having attachment permissions to see orphan attachments... - $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false; - - if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download'))) - { - send_status_line(404, 'Not Found'); - trigger_error('ERROR_NO_ATTACHMENT'); - } - - // Obtain all extensions... - $extensions = $cache->obtain_attach_extensions(true); + // Topic id (multiple attachments) + $sql_where = "topic_id = $topic_id AND is_orphan = 0"; } else { - if (!$attachment['in_message']) - { - // - $sql = 'SELECT p.forum_id, f.forum_name, f.forum_password, f.parent_id - FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f - WHERE p.post_id = ' . $attachment['post_msg_id'] . ' - AND p.forum_id = f.forum_id'; - $result = $db->sql_query_limit($sql, 1); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - // Global announcement? - $f_download = (!$row) ? $auth->acl_getf_global('f_download') : $auth->acl_get('f_download', $row['forum_id']); - - if ($auth->acl_get('u_download') && $f_download) - { - if ($row && $row['forum_password']) - { - // Do something else ... ? - login_forum_box($row); - } - } - else - { - send_status_line(403, 'Forbidden'); - trigger_error('SORRY_AUTH_VIEW_ATTACH'); - } - } - else - { - $row['forum_id'] = false; - if (!$auth->acl_get('u_pm_download')) - { - send_status_line(403, 'Forbidden'); - trigger_error('SORRY_AUTH_VIEW_ATTACH'); - } - - // Check if the attachment is within the users scope... - $sql = 'SELECT user_id, author_id - FROM ' . PRIVMSGS_TO_TABLE . ' - WHERE msg_id = ' . $attachment['post_msg_id']; - $result = $db->sql_query($sql); - - $allowed = false; - while ($user_row = $db->sql_fetchrow($result)) - { - if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id']) - { - $allowed = true; - break; - } - } - $db->sql_freeresult($result); - - if (!$allowed) - { - send_status_line(403, 'Forbidden'); - trigger_error('ERROR_NO_ATTACHMENT'); - } - } - - // disallowed? - $extensions = array(); - if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions)) - { - send_status_line(404, 'Forbidden'); - trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension'])); - } -} - -if (!download_allowed()) -{ - send_status_line(403, 'Forbidden'); - trigger_error($user->lang['LINKAGE_FORBIDDEN']); + send_status_line(404, 'Not Found'); + trigger_error('NO_ATTACHMENT_SELECTED'); } -$download_mode = (int) $extensions[$attachment['extension']]['download_mode']; - -// Fetching filename here to prevent sniffing of filename -$sql = 'SELECT attach_id, is_orphan, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype, filetime +$sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime FROM ' . ATTACHMENTS_TABLE . " - WHERE attach_id = $download_id"; -$result = $db->sql_query_limit($sql, 1); -$attachment = $db->sql_fetchrow($result); -$db->sql_freeresult($result); + WHERE $sql_where"; +$result = $db->sql_query($sql); -if (!$attachment) +$attachments = $attachment_ids = array(); +while ($row = $db->sql_fetchrow($result)) { - send_status_line(404, 'Not Found'); - trigger_error('ERROR_NO_ATTACHMENT'); -} + $attachment_id = (int) $row['attach_id']; -$attachment['physical_filename'] = utf8_basename($attachment['physical_filename']); -$display_cat = $extensions[$attachment['extension']]['display_cat']; + $row['physical_filename'] = utf8_basename($row['physical_filename']); -if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg')) -{ - $display_cat = ATTACHMENT_CATEGORY_NONE; + $attachment_ids[$attachment_id] = $attachment_id; + $attachments[$attachment_id] = $row; } +$db->sql_freeresult($result); -if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash')) -{ - $display_cat = ATTACHMENT_CATEGORY_NONE; -} +// Make $attachment the first of the attachments we fetched. +$attachment = current($attachments); -if ($thumbnail) -{ - $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename']; -} -else if (($display_cat == ATTACHMENT_CATEGORY_NONE/* || $display_cat == ATTACHMENT_CATEGORY_IMAGE*/) && !$attachment['is_orphan']) +if (empty($attachments)) { - // Update download count - $sql = 'UPDATE ' . ATTACHMENTS_TABLE . ' - SET download_count = download_count + 1 - WHERE attach_id = ' . $attachment['attach_id']; - $db->sql_query($sql); + send_status_line(404, 'Not Found'); + trigger_error('ERROR_NO_ATTACHMENT'); } - -if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && ((strpos(strtolower($user->browser), 'msie') !== false) && (strpos(strtolower($user->browser), 'msie 8.0') === false))) +else if (!download_allowed()) { - wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']); - file_gc(); + send_status_line(403, 'Forbidden'); + trigger_error($user->lang['LINKAGE_FORBIDDEN']); } -else +else if ($download_id) { - // Determine the 'presenting'-method - if ($download_mode == PHYSICAL_LINK) - { - // This presenting method should no longer be used - if (!@is_dir($phpbb_root_path . $config['upload_path'])) - { - send_status_line(500, 'Internal Server Error'); - trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']); - } + // sizeof($attachments) == 1 - redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']); - file_gc(); - } - else + if (!$attachment['in_message'] && !$config['allow_attachments'] || $attachment['in_message'] && !$config['allow_pm_attach']) { - send_file_to_browser($attachment, $config['upload_path'], $display_cat); - file_gc(); + send_status_line(404, 'Not Found'); + trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED'); } -} - -/** -* A simplified function to deliver avatars -* The argument needs to be checked before calling this function. -*/ -function send_avatar_to_browser($file, $browser) -{ - global $config, $phpbb_root_path; - - $prefix = $config['avatar_salt'] . '_'; - $image_dir = $config['avatar_path']; - - // Adjust image_dir path (no trailing slash) - if (substr($image_dir, -1, 1) == '/' || substr($image_dir, -1, 1) == '\\') + if ($attachment['is_orphan']) { - $image_dir = substr($image_dir, 0, -1) . '/'; - } - $image_dir = str_replace(array('../', '..\\', './', '.\\'), '', $image_dir); + // We allow admins having attachment permissions to see orphan attachments... + $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false; - if ($image_dir && ($image_dir[0] == '/' || $image_dir[0] == '\\')) - { - $image_dir = ''; - } - $file_path = $phpbb_root_path . $image_dir . '/' . $prefix . $file; + if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download'))) + { + send_status_line(404, 'Not Found'); + trigger_error('ERROR_NO_ATTACHMENT'); + } - if ((@file_exists($file_path) && @is_readable($file_path)) && !headers_sent()) + // Obtain all extensions... + $extensions = $cache->obtain_attach_extensions(true); + } + else { - header('Pragma: public'); - - $image_data = @getimagesize($file_path); - header('Content-Type: ' . image_type_to_mime_type($image_data[2])); - - if (strpos(strtolower($browser), 'msie') !== false && strpos(strtolower($browser), 'msie 8.0') === false) + if (!$attachment['in_message']) { - header('Content-Disposition: attachment; ' . header_filename($file)); - - if (strpos(strtolower($browser), 'msie 6.0') !== false) - { - header('Expires: -1'); - } - else - { - header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000)); - } + phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']); } else { - header('Content-Disposition: inline; ' . header_filename($file)); - header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000)); - } - - $size = @filesize($file_path); - if ($size) - { - header("Content-Length: $size"); + // Attachment is in a private message. + $row['forum_id'] = false; + phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']); } - if (@readfile($file_path) == false) + $extensions = array(); + if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions)) { - $fp = @fopen($file_path, 'rb'); - - if ($fp !== false) - { - while (!feof($fp)) - { - echo fread($fp, 8192); - } - fclose($fp); - } + send_status_line(404, 'Forbidden'); + trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension'])); } - - flush(); - } - else - { - send_status_line(404, 'Not Found'); } -} - -/** -* Wraps an url into a simple html page. Used to display attachments in IE. -* this is a workaround for now; might be moved to template system later -* direct any complaints to 1 Microsoft Way, Redmond -*/ -function wrap_img_in_html($src, $title) -{ - echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-Strict.dtd">'; - echo '<html>'; - echo '<head>'; - echo '<meta http-equiv="content-type" content="text/html; charset=UTF-8" />'; - echo '<title>' . $title . '</title>'; - echo '</head>'; - echo '<body>'; - echo '<div>'; - echo '<img src="' . $src . '" alt="' . $title . '" />'; - echo '</div>'; - echo '</body>'; - echo '</html>'; -} - -/** -* Send file to browser -*/ -function send_file_to_browser($attachment, $upload_dir, $category) -{ - global $user, $db, $config, $phpbb_root_path; - - $filename = $phpbb_root_path . $upload_dir . '/' . $attachment['physical_filename']; - if (!@file_exists($filename)) - { - send_status_line(404, 'Not Found'); - trigger_error('ERROR_NO_ATTACHMENT'); - } + $download_mode = (int) $extensions[$attachment['extension']]['download_mode']; + $display_cat = $extensions[$attachment['extension']]['display_cat']; - // Correct the mime type - we force application/octetstream for all files, except images - // Please do not change this, it is a security precaution - if ($category != ATTACHMENT_CATEGORY_IMAGE || strpos($attachment['mimetype'], 'image') !== 0) + if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg')) { - $attachment['mimetype'] = (strpos(strtolower($user->browser), 'msie') !== false || strpos(strtolower($user->browser), 'opera') !== false) ? 'application/octetstream' : 'application/octet-stream'; + $display_cat = ATTACHMENT_CATEGORY_NONE; } - if (@ob_get_length()) + if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash')) { - @ob_end_clean(); + $display_cat = ATTACHMENT_CATEGORY_NONE; } - // Now send the File Contents to the Browser - $size = @filesize($filename); - - // To correctly display further errors we need to make sure we are using the correct headers for both (unsetting content-length may not work) - - // Check if headers already sent or not able to get the file contents. - if (headers_sent() || !@file_exists($filename) || !@is_readable($filename)) + if ($thumbnail) { - // PHP track_errors setting On? - if (!empty($php_errormsg)) - { - send_status_line(500, 'Internal Server Error'); - trigger_error($user->lang['UNABLE_TO_DELIVER_FILE'] . '<br />' . sprintf($user->lang['TRACKED_PHP_ERROR'], $php_errormsg)); - } - - send_status_line(500, 'Internal Server Error'); - trigger_error('UNABLE_TO_DELIVER_FILE'); + $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename']; } - - // Now the tricky part... let's dance - header('Pragma: public'); - - /** - * Commented out X-Sendfile support. To not expose the physical filename within the header if xsendfile is absent we need to look into methods of checking it's status. - * - * Try X-Sendfile since it is much more server friendly - only works if the path is *not* outside of the root path... - * lighttpd has core support for it. An apache2 module is available at http://celebnamer.celebworld.ws/stuff/mod_xsendfile/ - * - * Not really ideal, but should work fine... - * <code> - * if (strpos($upload_dir, '/') !== 0 && strpos($upload_dir, '../') === false) - * { - * header('X-Sendfile: ' . $filename); - * } - * </code> - */ - - // Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer. - $is_ie8 = (strpos(strtolower($user->browser), 'msie 8.0') !== false); - header('Content-Type: ' . $attachment['mimetype']); - - if ($is_ie8) + else if ($display_cat == ATTACHMENT_CATEGORY_NONE && !$attachment['is_orphan'] && !phpbb_http_byte_range($attachment['filesize'])) { - header('X-Content-Type-Options: nosniff'); + // Update download count + phpbb_increment_downloads($db, $attachment['attach_id']); } - if ($category == ATTACHMENT_CATEGORY_FLASH && request_var('view', 0) === 1) + if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && ((strpos(strtolower($user->browser), 'msie') !== false) && (strpos(strtolower($user->browser), 'msie 8.0') === false))) { - // We use content-disposition: inline for flash files and view=1 to let it correctly play with flash player 10 - any other disposition will fail to play inline - header('Content-Disposition: inline'); + wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']); + file_gc(); } else { - if (empty($user->browser) || (!$is_ie8 && (strpos(strtolower($user->browser), 'msie') !== false))) + // Determine the 'presenting'-method + if ($download_mode == PHYSICAL_LINK) { - header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename']))); - if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false)) + // This presenting method should no longer be used + if (!@is_dir($phpbb_root_path . $config['upload_path'])) { - header('expires: -1'); + send_status_line(500, 'Internal Server Error'); + trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']); } + + redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']); + file_gc(); } else { - header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename']))); - if ($is_ie8 && (strpos($attachment['mimetype'], 'image') !== 0)) - { - header('X-Download-Options: noopen'); - } + send_file_to_browser($attachment, $config['upload_path'], $display_cat); + file_gc(); } } - - if ($size) +} +else +{ + // sizeof($attachments) >= 1 + if ($attachment['in_message']) { - header("Content-Length: $size"); + phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']); + } + else + { + phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']); } - // Close the db connection before sending the file - $db->sql_close(); - - if (!set_modified_headers($attachment['filetime'], $user->browser)) + if (!class_exists('compress')) { - // Try to deliver in chunks - @set_time_limit(0); + require $phpbb_root_path . 'includes/functions_compress.' . $phpEx; + } - $fp = @fopen($filename, 'rb'); + if (!in_array($archive, compress::methods())) + { + $archive = '.tar'; + } - if ($fp !== false) + if ($post_msg_id) + { + if ($attachment['in_message']) { - while (!feof($fp)) - { - echo fread($fp, 8192); - } - fclose($fp); + $sql = 'SELECT message_subject AS attach_subject + FROM ' . PRIVMSGS_TABLE . " + WHERE msg_id = $post_msg_id"; } else { - @readfile($filename); + $sql = 'SELECT post_subject AS attach_subject, forum_id + FROM ' . POSTS_TABLE . " + WHERE post_id = $post_msg_id"; } - - flush(); } - file_gc(); -} - -/** -* Get a browser friendly UTF-8 encoded filename -*/ -function header_filename($file) -{ - $user_agent = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : ''; - - // There be dragons here. - // Not many follows the RFC... - if (strpos($user_agent, 'MSIE') !== false || strpos($user_agent, 'Safari') !== false || strpos($user_agent, 'Konqueror') !== false) + else { - return "filename=" . rawurlencode($file); + $sql = 'SELECT topic_title AS attach_subject, forum_id + FROM ' . TOPICS_TABLE . " + WHERE topic_id = $topic_id"; } - // follow the RFC for extended filename for the rest - return "filename*=UTF-8''" . rawurlencode($file); -} - -/** -* Check if downloading item is allowed -*/ -function download_allowed() -{ - global $config, $user, $db; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); - if (!$config['secure_downloads']) + if (empty($row)) { - return true; + send_status_line(404, 'Not Found'); + trigger_error('ERROR_NO_ATTACHMENT'); } - $url = (!empty($_SERVER['HTTP_REFERER'])) ? trim($_SERVER['HTTP_REFERER']) : trim(getenv('HTTP_REFERER')); + $clean_name = phpbb_download_clean_filename($row['attach_subject']); + $suffix = '_' . (($post_msg_id) ? $post_msg_id : $topic_id) . '_' . $clean_name; + $archive_name = 'attachments' . $suffix; - if (!$url) + $store_name = 'att_' . time() . '_' . unique_id(); + $archive_path = "{$phpbb_root_path}store/{$store_name}{$archive}"; + + if ($archive === '.zip') { - return ($config['secure_allow_empty_referer']) ? true : false; + $compress = new compress_zip('w', $archive_path); } - - // Split URL into domain and script part - $url = @parse_url($url); - - if ($url === false) + else { - return ($config['secure_allow_empty_referer']) ? true : false; + $compress = new compress_tar('w', $archive_path, $archive); } - $hostname = $url['host']; - unset($url); - - $allowed = ($config['secure_allow_deny']) ? false : true; - $iplist = array(); + $extensions = array(); + $files_added = 0; + $forum_id = ($attachment['in_message']) ? false : (int) $row['forum_id']; + $disallowed = array(); - if (($ip_ary = @gethostbynamel($hostname)) !== false) + foreach ($attachments as $attach) { - foreach ($ip_ary as $ip) + if (!extension_allowed($forum_id, $attach['extension'], $extensions)) { - if ($ip) - { - $iplist[] = $ip; - } + $disallowed[$attach['extension']] = $attach['extension']; + continue; } - } - // Check for own server... - $server_name = $user->host; + $prefix = ''; + if ($topic_id) + { + $prefix = $attach['post_msg_id'] . '_'; + } - // Forcing server vars is the only way to specify/override the protocol - if ($config['force_server_vars'] || !$server_name) - { - $server_name = $config['server_name']; + $compress->add_custom_file("{$phpbb_root_path}files/{$attach['physical_filename']}", "{$prefix}{$attach['real_filename']}"); + $files_added++; } - if (preg_match('#^.*?' . preg_quote($server_name, '#') . '.*?$#i', $hostname)) - { - $allowed = true; - } + $compress->close(); - // Get IP's and Hostnames - if (!$allowed) + if ($files_added) { - $sql = 'SELECT site_ip, site_hostname, ip_exclude - FROM ' . SITELIST_TABLE; - $result = $db->sql_query($sql); - - while ($row = $db->sql_fetchrow($result)) - { - $site_ip = trim($row['site_ip']); - $site_hostname = trim($row['site_hostname']); - - if ($site_ip) - { - foreach ($iplist as $ip) - { - if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_ip, '#')) . '$#i', $ip)) - { - if ($row['ip_exclude']) - { - $allowed = ($config['secure_allow_deny']) ? false : true; - break 2; - } - else - { - $allowed = ($config['secure_allow_deny']) ? true : false; - } - } - } - } - - if ($site_hostname) - { - if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_hostname, '#')) . '$#i', $hostname)) - { - if ($row['ip_exclude']) - { - $allowed = ($config['secure_allow_deny']) ? false : true; - break; - } - else - { - $allowed = ($config['secure_allow_deny']) ? true : false; - } - } - } - } - $db->sql_freeresult($result); + phpbb_increment_downloads($db, $attachment_ids); + $compress->download($store_name, $archive_name); } - return $allowed; -} + unlink($archive_path); -/** -* Check if the browser has the file already and set the appropriate headers- -* @returns false if a resend is in order. -*/ -function set_modified_headers($stamp, $browser) -{ - // let's see if we have to send the file at all - $last_load = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime(trim($_SERVER['HTTP_IF_MODIFIED_SINCE'])) : false; - if ((strpos(strtolower($browser), 'msie 6.0') === false) && (strpos(strtolower($browser), 'msie 8.0') === false)) + if (!$files_added) { - if ($last_load !== false && $last_load >= $stamp) - { - send_status_line(304, 'Not Modified'); - // seems that we need those too ... browsers - header('Pragma: public'); - header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000)); - return true; - } - else - { - header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $stamp) . ' GMT'); - } + // None of the attachments had a valid extension + $disallowed = implode($user->lang['COMMA_SEPARATOR'], $disallowed); + send_status_line(404, 'Forbidden'); + trigger_error($user->lang('EXTENSION_DISABLED_AFTER_POSTING', $disallowed)); } - return false; -} -function file_gc() -{ - global $cache, $db; - if (!empty($cache)) - { - $cache->unload(); - } - $db->sql_close(); - exit; + file_gc(); } - -?>
\ No newline at end of file |