aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB
diff options
context:
space:
mode:
Diffstat (limited to 'phpBB')
-rw-r--r--phpBB/download/file.php100
-rw-r--r--phpBB/includes/functions_download.php24
-rw-r--r--phpBB/includes/ucp/ucp_pm_viewmessage.php2
-rw-r--r--phpBB/viewtopic.php2
4 files changed, 93 insertions, 35 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index 7d39ee4821..163ab673b9 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -144,7 +144,8 @@ require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
$download_id = request_var('id', 0);
$topic_id = $request->variable('topic_id', 0);
-$post_msg_id = $request->variable('post_msg_id', 0);
+$post_id = $request->variable('post_id', 0);
+$msg_id = $request->variable('msg_id', 0);
$archive = $request->variable('archive', '.tar');
$mode = request_var('mode', '');
$thumbnail = request_var('t', false);
@@ -163,17 +164,22 @@ if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
if ($download_id)
{
// Attachment id (only 1 attachment)
- $sql_where = "attach_id = $download_id";
+ $sql_where = 'attach_id = ' . $download_id;
}
-else if ($post_msg_id)
+else if ($msg_id)
{
- // Post id or private message id (multiple attachments)
- $sql_where = "post_msg_id = $post_msg_id AND is_orphan = 0";
+ // Private message id (multiple attachments)
+ $sql_where = 'is_orphan = 0 AND in_message = 1 AND post_msg_id = ' . $msg_id;
+}
+else if ($post_id)
+{
+ // Post id (multiple attachments)
+ $sql_where = 'is_orphan = 0 AND in_message = 0 AND post_msg_id = ' . $post_id;
}
else if ($topic_id)
{
// Topic id (multiple attachments)
- $sql_where = "topic_id = $topic_id AND is_orphan = 0";
+ $sql_where = 'is_orphan = 0 AND topic_id = ' . $topic_id;
}
else
{
@@ -240,6 +246,20 @@ else if ($download_id)
if (!$attachment['in_message'])
{
phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']);
+
+ $sql = 'SELECT forum_id, post_visibility
+ FROM ' . POSTS_TABLE . '
+ WHERE post_id = ' . (int) $attachment['post_msg_id'];
+ $result = $db->sql_query($sql);
+ $post_row = $db->sql_fetchrow($result);
+ $db->sql_freeresult($result);
+
+ if (!$post_row || ($post_row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $post_row['forum_id'])))
+ {
+ // Attachment of a soft deleted post and the user is not allowed to see the post
+ send_status_line(404, 'Not Found');
+ trigger_error('ERROR_NO_ATTACHMENT');
+ }
}
else
{
@@ -251,7 +271,7 @@ else if ($download_id)
$extensions = array();
if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions))
{
- send_status_line(404, 'Forbidden');
+ send_status_line(403, 'Forbidden');
trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
}
}
@@ -328,23 +348,32 @@ else
$archive = '.tar';
}
- if ($post_msg_id)
+ $post_visibility = array();
+ if ($msg_id)
{
- if ($attachment['in_message'])
- {
- $sql = 'SELECT message_subject AS attach_subject
- FROM ' . PRIVMSGS_TABLE . "
- WHERE msg_id = $post_msg_id";
- }
- else
- {
- $sql = 'SELECT post_subject AS attach_subject, forum_id
- FROM ' . POSTS_TABLE . "
- WHERE post_id = $post_msg_id";
- }
+ $sql = 'SELECT message_subject AS attach_subject
+ FROM ' . PRIVMSGS_TABLE . "
+ WHERE msg_id = $msg_id";
+ }
+ else if ($post_id)
+ {
+ $sql = 'SELECT post_subject AS attach_subject, forum_id, post_visibility
+ FROM ' . POSTS_TABLE . "
+ WHERE post_id = $post_id";
}
else
{
+ $sql = 'SELECT post_id, post_visibility
+ FROM ' . POSTS_TABLE . "
+ WHERE topic_id = $topic_id
+ AND post_attachment = 1";
+ $result = $db->sql_query($sql);
+ while ($row = $db->sql_fetchrow($result))
+ {
+ $post_visibility[(int) $row['post_id']] = (int) $row['post_visibility'];
+ }
+ $db->sql_freeresult($result);
+
$sql = 'SELECT topic_title AS attach_subject, forum_id
FROM ' . TOPICS_TABLE . "
WHERE topic_id = $topic_id";
@@ -361,7 +390,7 @@ else
}
$clean_name = phpbb_download_clean_filename($row['attach_subject']);
- $suffix = '_' . (($post_msg_id) ? $post_msg_id : $topic_id) . '_' . $clean_name;
+ $suffix = '_' . (($msg_id) ? 'm' . $msg_id : (($post_id) ? 'p' . $post_id : 't' . $topic_id)) . '_' . $clean_name;
$archive_name = 'attachments' . $suffix;
$store_name = 'att_' . time() . '_' . unique_id();
@@ -379,13 +408,25 @@ else
$extensions = array();
$files_added = 0;
$forum_id = ($attachment['in_message']) ? false : (int) $row['forum_id'];
- $disallowed = array();
+ $disallowed_extension = array();
foreach ($attachments as $attach)
{
if (!extension_allowed($forum_id, $attach['extension'], $extensions))
{
- $disallowed[$attach['extension']] = $attach['extension'];
+ $disallowed_extension[$attach['extension']] = $attach['extension'];
+ continue;
+ }
+
+ if ($post_id && $row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $forum_id))
+ {
+ // Attachment of a soft deleted post and the user is not allowed to see the post
+ continue;
+ }
+
+ if ($topic_id && (!isset($post_visibility[$attach['post_msg_id']]) || $post_visibility[$attach['post_msg_id']] != ITEM_APPROVED) && !$auth->acl_get('m_approve', $forum_id))
+ {
+ // Attachment of a soft deleted post and the user is not allowed to see the post
continue;
}
@@ -409,12 +450,17 @@ else
unlink($archive_path);
- if (!$files_added)
+ if (!$files_added && !empty($disallowed_extension))
{
// None of the attachments had a valid extension
- $disallowed = implode($user->lang['COMMA_SEPARATOR'], $disallowed);
- send_status_line(404, 'Forbidden');
- trigger_error($user->lang('EXTENSION_DISABLED_AFTER_POSTING', $disallowed));
+ $disallowed_extension = implode($user->lang['COMMA_SEPARATOR'], $disallowed_extension);
+ send_status_line(403, 'Forbidden');
+ trigger_error($user->lang('EXTENSION_DISABLED_AFTER_POSTING', $disallowed_extension));
+ }
+ else if (!$files_added)
+ {
+ send_status_line(404, 'Not Found');
+ trigger_error('ERROR_NO_ATTACHMENT');
}
file_gc();
diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php
index e7a1d2bff5..c895f7b54b 100644
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
@@ -625,17 +625,29 @@ function phpbb_increment_downloads($db, $ids)
*/
function phpbb_download_handle_forum_auth($db, $auth, $topic_id)
{
- $sql = 'SELECT t.forum_id, f.forum_name, f.forum_password, f.parent_id
- FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f
- WHERE t.topic_id = " . (int) $topic_id . "
- AND t.forum_id = f.forum_id";
+ $sql_array = array(
+ 'SELECT' => 't.topic_visibility, t.forum_id, f.forum_name, f.forum_password, f.parent_id',
+ 'FROM' => array(
+ TOPICS_TABLE => 't',
+ FORUMS_TABLE => 'f',
+ ),
+ 'WHERE' => 't.topic_id = ' . (int) $topic_id . '
+ AND t.forum_id = f.forum_id',
+ );
+
+ $sql = $db->sql_build_query('SELECT', $sql_array);
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
- if ($auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
+ if ($row && $row['topic_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $row['forum_id']))
{
- if ($row && $row['forum_password'])
+ send_status_line(404, 'Not Found');
+ trigger_error('ERROR_NO_ATTACHMENT');
+ }
+ else if ($row && $auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
+ {
+ if ($row['forum_password'])
{
// Do something else ... ?
login_forum_box($row);
diff --git a/phpBB/includes/ucp/ucp_pm_viewmessage.php b/phpBB/includes/ucp/ucp_pm_viewmessage.php
index f9e8e3155e..e513b8ade2 100644
--- a/phpBB/includes/ucp/ucp_pm_viewmessage.php
+++ b/phpBB/includes/ucp/ucp_pm_viewmessage.php
@@ -274,7 +274,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
// Display not already displayed Attachments for this post, we already parsed them. ;)
if (isset($attachments) && sizeof($attachments))
{
- $methods = phpbb_gen_download_links('post_msg_id', $msg_id, $phpbb_root_path, $phpEx);
+ $methods = phpbb_gen_download_links('msg_id', $msg_id, $phpbb_root_path, $phpEx);
foreach ($methods as $method)
{
$template->assign_block_vars('dl_method', $method);
diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php
index 86ef331ac0..e02052a14d 100644
--- a/phpBB/viewtopic.php
+++ b/phpBB/viewtopic.php
@@ -1736,7 +1736,7 @@ for ($i = 0, $end = sizeof($post_list); $i < $end; ++$i)
);
}
- $methods = phpbb_gen_download_links('post_msg_id', $row['post_id'], $phpbb_root_path, $phpEx);
+ $methods = phpbb_gen_download_links('post_id', $row['post_id'], $phpbb_root_path, $phpEx);
foreach ($methods as $method)
{
$template->assign_block_vars('postrow.dl_method', $method);
generated by cgit v1.2.1 (git 2.21.0) at 2025-08-01 04:09:40 +0000