search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
merge
[phpbb.git] / phpBB / download / file.php
blobf40f3cf09d7c3cbacd43518acb6c77269b791815
1 <?php
2 /**
3 *
4 * @package phpBB3
5 * @version $Id$
6 * @copyright (c) 2005 phpBB Group
7 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
8 *
9 */
10
11 /**
12 * @ignore
13 */
14 define('IN_PHPBB', true);
15 $phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
16 $phpEx = substr(strrchr(__FILE__, '.'), 1);
17
18 if (isset($_GET['avatar']))
19 {
20 require($phpbb_root_path . 'config.' . $phpEx);
21
22 if (!defined('PHPBB_INSTALLED') || empty($dbms) || empty($acm_type))
23 {
24 exit;
25 }
26
27 require($phpbb_root_path . 'includes/acm/acm_' . $acm_type . '.' . $phpEx);
28 require($phpbb_root_path . 'includes/cache.' . $phpEx);
29 require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx);
30 require($phpbb_root_path . 'includes/constants.' . $phpEx);
31
32 $db = new $sql_db();
33 $cache = new acm();
34
35 // Connect to DB
36 if (!@$db->sql_connect($dbhost, $dbuser, $dbpasswd, $dbname, $dbport, false, false))
37 {
38 exit;
39 }
40 unset($dbpasswd);
41
42 // worst-case default
43 $browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0';
44
45 $config = cache::obtain_config();
46 $filename = $_GET['avatar'];
47 $avatar_group = false;
48 if ($filename[0] === 'g')
49 {
50 $avatar_group = true;
51 $filename = substr($filename, 1);
52 }
53
54 // '==' is not a bug - . as the first char is as bad as no dot at all
55 if (strpos($filename, '.') == false)
56 {
57 header('HTTP/1.0 403 forbidden');
58 if (!empty($cache))
59 {
60 $cache->unload();
61 }
62 $db->sql_close();
63 exit;
64 }
65
66 $ext = substr(strrchr($filename, '.'), 1);
67 $stamp = (int) substr(stristr($filename, '_'), 1);
68 $filename = (int) $filename;
69
70 // let's see if we have to send the file at all
71 $last_load = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime(trim($_SERVER['HTTP_IF_MODIFIED_SINCE'])) : false;
72 if (strpos(strtolower($browser), 'msie 6.0') === false)
73 {
74 if ($last_load !== false && $last_load <= $stamp)
75 {
76 if (@php_sapi_name() === 'CGI')
77 {
78 header('Status: 304 Not Modified', true, 304);
79 }
80 else
81 {
82 header('HTTP/1.0 304 Not Modified', true, 304);
83 }
84 // seems that we need those too ... browsers
85 header('Pragma: public');
86 header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
87 exit();
88 }
89 else
90 {
91 header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $stamp) . ' GMT');
92 }
93 }
94
95 if (!in_array($ext, array('png', 'gif', 'jpg', 'jpeg')))
96 {
97 // no way such an avatar could exist. They are not following the rules, stop the show.
98 header("HTTP/1.0 403 forbidden");
99 if (!empty($cache))
100 {
101 $cache->unload();
102 }
103 $db->sql_close();
104 exit;
105 }
106
107 if (!$filename)
108 {
109 // no way such an avatar could exist. They are not following the rules, stop the show.
110 header("HTTP/1.0 403 forbidden");
111 if (!empty($cache))
112 {
113 $cache->unload();
114 }
115 $db->sql_close();
116 exit;
117 }
118
119 send_avatar_to_browser(($avatar_group ? 'g' : '') . $filename . '.' . $ext, $browser);
120
121 if (!empty($cache))
122 {
123 $cache->unload();
124 }
125 $db->sql_close();
126 exit;
127 }
128
129 // implicit else: we are not in avatar mode
130 include($phpbb_root_path . 'common.' . $phpEx);
131
132 $download_id = request_var('id', 0);
133 $mode = request_var('mode', '');
134 $thumbnail = request_var('t', false);
135
136 // Start session management, do not update session page.
137 $user->session_begin(false);
138 $auth->acl($user->data);
139 $user->setup('viewtopic');
140
141 if (!$download_id)
142 {
143 trigger_error('NO_ATTACHMENT_SELECTED');
144 }
145
146 if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
147 {
148 trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
149 }
150
151 $sql = 'SELECT attach_id, in_message, post_msg_id, extension, is_orphan, poster_id
152 FROM ' . ATTACHMENTS_TABLE . "
153 WHERE attach_id = $download_id";
154 $result = $db->sql_query_limit($sql, 1);
155 $attachment = $db->sql_fetchrow($result);
156 $db->sql_freeresult($result);
157
158 if (!$attachment)
159 {
160 trigger_error('ERROR_NO_ATTACHMENT');
161 }
162
163 if ((!$attachment['in_message'] && !$config['allow_attachments']) || ($attachment['in_message'] && !$config['allow_pm_attach']))
164 {
165 trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
166 }
167
168 $row = array();
169
170 if ($attachment['is_orphan'])
171 {
172 // We allow admins having attachment permissions to see orphan attachments...
173 $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false;
174
175 if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download')))
176 {
177 trigger_error('ERROR_NO_ATTACHMENT');
178 }
179
180 // Obtain all extensions...
181 $extensions = cache::obtain_attach_extensions(true);
182 }
183 else
184 {
185 if (!$attachment['in_message'])
186 {
187 //
188 $sql = 'SELECT p.forum_id, f.forum_password, f.parent_id
189 FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f
190 WHERE p.post_id = ' . $attachment['post_msg_id'] . '
191 AND p.forum_id = f.forum_id';
192 $result = $db->sql_query_limit($sql, 1);
193 $row = $db->sql_fetchrow($result);
194 $db->sql_freeresult($result);
195
196 // Global announcement?
197 $f_download = (!$row) ? $auth->acl_getf_global('f_download') : $auth->acl_get('f_download', $row['forum_id']);
198
199 if ($auth->acl_get('u_download') && $f_download)
200 {
201 if ($row && $row['forum_password'])
202 {
203 // Do something else ... ?
204 login_forum_box($row);
205 }
206 }
207 else
208 {
209 trigger_error('SORRY_AUTH_VIEW_ATTACH');
210 }
211 }
212 else
213 {
214 $row['forum_id'] = false;
215 if (!$auth->acl_get('u_pm_download'))
216 {
217 header('HTTP/1.0 403 forbidden');
218 trigger_error('SORRY_AUTH_VIEW_ATTACH');
219 }
220
221 // Check if the attachment is within the users scope...
222 $sql = 'SELECT user_id, author_id
223 FROM ' . PRIVMSGS_TO_TABLE . '
224 WHERE msg_id = ' . $attachment['post_msg_id'];
225 $result = $db->sql_query($sql);
226
227 $allowed = false;
228 while ($user_row = $db->sql_fetchrow($result))
229 {
230 if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
231 {
232 $allowed = true;
233 break;
234 }
235 }
236 $db->sql_freeresult($result);
237
238 if (!$allowed)
239 {
240 header('HTTP/1.0 403 forbidden');
241 trigger_error('ERROR_NO_ATTACHMENT');
242 }
243 }
244
245 // disallowed?
246 $extensions = array();
247 if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions))
248 {
249 trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
250 }
251 }
252
253 if (!download_allowed())
254 {
255 header('HTTP/1.0 403 forbidden');
256 trigger_error($user->lang['LINKAGE_FORBIDDEN']);
257 }
258
259 $download_mode = (int) $extensions[$attachment['extension']]['download_mode'];
260
261 // Fetching filename here to prevent sniffing of filename
262 $sql = 'SELECT attach_id, is_orphan, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype
263 FROM ' . ATTACHMENTS_TABLE . "
264 WHERE attach_id = $download_id";
265 $result = $db->sql_query_limit($sql, 1);
266 $attachment = $db->sql_fetchrow($result);
267 $db->sql_freeresult($result);
268
269 if (!$attachment)
270 {
271 trigger_error('ERROR_NO_ATTACHMENT');
272 }
273
274 $attachment['physical_filename'] = basename($attachment['physical_filename']);
275 $display_cat = $extensions[$attachment['extension']]['display_cat'];
276
277 if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))
278 {
279 $display_cat = ATTACHMENT_CATEGORY_NONE;
280 }
281
282 if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash'))
283 {
284 $display_cat = ATTACHMENT_CATEGORY_NONE;
285 }
286
287 if ($thumbnail)
288 {
289 $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
290 }
291 else if (($display_cat == ATTACHMENT_CATEGORY_NONE || $display_cat == ATTACHMENT_CATEGORY_IMAGE) && !$attachment['is_orphan'])
292 {
293 // Update download count
294 $sql = 'UPDATE ' . ATTACHMENTS_TABLE . '
295 SET download_count = download_count + 1
296 WHERE attach_id = ' . $attachment['attach_id'];
297 $db->sql_query($sql);
298 }
299
300 if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && strpos(strtolower($user->browser), 'msie') !== false)
301 {
302 wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);
303 }
304 else
305 {
306 // Determine the 'presenting'-method
307 if ($download_mode == PHYSICAL_LINK)
308 {
309 // This presenting method should no longer be used
310 if (!@is_dir($phpbb_root_path . $config['upload_path']))
311 {
312 trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
313 }
314
315 redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);
316 exit;
317 }
318 else
319 {
320 send_file_to_browser($attachment, $config['upload_path'], $display_cat);
321 exit;
322 }
323 }
324
325
326 /**
327 * A simplified function to deliver avatars
328 * The argument needs to be checked before calling this function.
329 */
330 function send_avatar_to_browser($file, $browser)
331 {
332 global $config, $phpbb_root_path;
333
334 $prefix = $config['avatar_salt'] . '_';
335 $image_dir = $config['avatar_path'];
336
337 // Adjust image_dir path (no trailing slash)
338 if (substr($image_dir, -1, 1) == '/' || substr($image_dir, -1, 1) == '\\')
339 {
340 $image_dir = substr($image_dir, 0, -1) . '/';
341 }
342 $image_dir = str_replace(array('../', '..\\', './', '.\\'), '', $image_dir);
343
344 if ($image_dir && ($image_dir[0] == '/' || $image_dir[0] == '\\'))
345 {
346 $image_dir = '';
347 }
348 $file_path = $phpbb_root_path . $image_dir . '/' . $prefix . $file;
349
350 if ((@file_exists($file_path) && @is_readable($file_path)) && !headers_sent())
351 {
352 header('Pragma: public');
353
354 $image_data = @getimagesize($file_path);
355 header('Content-Type: ' . image_type_to_mime_type($image_data[2]));
356
357 if (strpos(strtolower($browser), 'msie') !== false)
358 {
359 header('Content-Disposition: attachment; ' . header_filename($file));
360
361 if (strpos(strtolower($browser), 'msie 6.0') !== false)
362 {
363 header('Expires: -1');
364 }
365 else
366 {
367 header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
368 }
369 }
370 else
371 {
372 header('Content-Disposition: inline; ' . header_filename($file));
373 header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
374 }
375
376 $size = @filesize($file_path);
377 if ($size)
378 {
379 header("Content-Length: $size");
380 }
381
382 if (@readfile($file_path) === false)
383 {
384 $fp = @fopen($file_path, 'rb');
385
386 if ($fp !== false)
387 {
388 while (!feof($fp))
389 {
390 echo fread($fp, 8192);
391 }
392 fclose($fp);
393 }
394 }
395
396 flush();
397 }
398 else
399 {
400 header('HTTP/1.0 404 not found');
401 }
402 }
403
404 /**
405 * Wraps an url into a simple html page. Used to display attachments in IE.
406 * this is a workaround for now; might be moved to template system later
407 * direct any complaints to 1 Microsoft Way, Redmond
408 */
409 function wrap_img_in_html($src, $title)
410 {
411 echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-Strict.dtd">';
412 echo '<html>';
413 echo '<head>';
414 echo '<meta http-equiv="content-type" content="text/html; charset=UTF-8" />';
415 echo '<title>' . $title . '</title>';
416 echo '</head>';
417 echo '<body>';
418 echo '<div>';
419 echo '<img src="' . $src . '" alt="' . $title . '" />';
420 echo '</div>';
421 echo '</body>';
422 echo '</html>';
423 }
424
425 /**
426 * Send file to browser
427 */
428 function send_file_to_browser($attachment, $upload_dir, $category)
429 {
430 global $user, $db, $config, $phpbb_root_path;
431
432 $filename = $phpbb_root_path . $upload_dir . '/' . $attachment['physical_filename'];
433
434 if (!@file_exists($filename))
435 {
436 trigger_error($user->lang['ERROR_NO_ATTACHMENT'] . '<br /><br />' . sprintf($user->lang['FILE_NOT_FOUND_404'], $filename));
437 }
438
439 // Correct the mime type - we force application/octetstream for all files, except images
440 // Please do not change this, it is a security precaution
441 if ($category != ATTACHMENT_CATEGORY_IMAGE || strpos($attachment['mimetype'], 'image') !== 0)
442 {
443 $attachment['mimetype'] = (strpos(strtolower($user->browser), 'msie') !== false || strpos(strtolower($user->browser), 'opera') !== false) ? 'application/octetstream' : 'application/octet-stream';
444 }
445
446 if (@ob_get_length())
447 {
448 @ob_end_clean();
449 }
450
451 // Now send the File Contents to the Browser
452 $size = @filesize($filename);
453
454 // To correctly display further errors we need to make sure we are using the correct headers for both (unsetting content-length may not work)
455
456 // Check if headers already sent or not able to get the file contents.
457 if (headers_sent() || !@file_exists($filename) || !@is_readable($filename))
458 {
459 // PHP track_errors setting On?
460 if (!empty($php_errormsg))
461 {
462 trigger_error($user->lang['UNABLE_TO_DELIVER_FILE'] . '<br />' . sprintf($user->lang['TRACKED_PHP_ERROR'], $php_errormsg));
463 }
464
465 trigger_error('UNABLE_TO_DELIVER_FILE');
466 }
467
468 // Now the tricky part... let's dance
469 header('Pragma: public');
470
471 /**
472 * Commented out X-Sendfile support. To not expose the physical filename within the header if xsendfile is absent we need to look into methods of checking it's status.
473 *
474 * Try X-Sendfile since it is much more server friendly - only works if the path is *not* outside of the root path...
475 * lighttpd has core support for it. An apache2 module is available at http://celebnamer.celebworld.ws/stuff/mod_xsendfile/
476 *
477 * Not really ideal, but should work fine...
478 * <code>
479 * if (strpos($upload_dir, '/') !== 0 && strpos($upload_dir, '../') === false)
480 * {
481 * header('X-Sendfile: ' . $filename);
482 * }
483 * </code>
484 */
485
486 // Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
487 header('Content-Type: ' . $attachment['mimetype']);
488
489 if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
490 {
491 header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
492 if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
493 {
494 header('expires: -1');
495 }
496 }
497 else
498 {
499 header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
500 }
501
502 if ($size)
503 {
504 header("Content-Length: $size");
505 }
506
507 // Try to deliver in chunks
508 @set_time_limit(0);
509
510 $fp = @fopen($filename, 'rb');
511
512 if ($fp !== false)
513 {
514 while (!feof($fp))
515 {
516 echo fread($fp, 8192);
517 }
518 fclose($fp);
519 }
520 else
521 {
522 @readfile($filename);
523 }
524
525 flush();
526 exit;
527 }
528
529 /**
530 * Get a browser friendly UTF-8 encoded filename
531 */
532 function header_filename($file)
533 {
534 $user_agent = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
535
536 // There be dragons here.
537 // Not many follows the RFC...
538 if (strpos($user_agent, 'MSIE') !== false || strpos($user_agent, 'Safari') !== false || strpos($user_agent, 'Konqueror') !== false)
539 {
540 return "filename=" . rawurlencode($file);
541 }
542
543 // follow the RFC for extended filename for the rest
544 return "filename*=UTF-8''" . rawurlencode($file);
545 }
546
547 /**
548 * Check if downloading item is allowed
549 */
550 function download_allowed()
551 {
552 global $config, $user, $db;
553
554 if (!$config['secure_downloads'])
555 {
556 return true;
557 }
558
559 $url = (!empty($_SERVER['HTTP_REFERER'])) ? trim($_SERVER['HTTP_REFERER']) : trim(getenv('HTTP_REFERER'));
560
561 if (!$url)
562 {
563 return ($config['secure_allow_empty_referer']) ? true : false;
564 }
565
566 // Split URL into domain and script part
567 $url = @parse_url($url);
568
569 if ($url === false)
570 {
571 return ($config['secure_allow_empty_referer']) ? true : false;
572 }
573
574 $hostname = $url['host'];
575 unset($url);
576
577 $allowed = ($config['secure_allow_deny']) ? false : true;
578 $iplist = array();
579
580 if (($ip_ary = @gethostbynamel($hostname)) !== false)
581 {
582 foreach ($ip_ary as $ip)
583 {
584 if ($ip)
585 {
586 $iplist[] = $ip;
587 }
588 }
589 }
590
591 // Check for own server...
592 $server_name = $user->host;
593
594 // Forcing server vars is the only way to specify/override the protocol
595 if ($config['force_server_vars'] || !$server_name)
596 {
597 $server_name = $config['server_name'];
598 }
599
600 if (preg_match('#^.*?' . preg_quote($server_name, '#') . '.*?$#i', $hostname))
601 {
602 $allowed = true;
603 }
604
605 // Get IP's and Hostnames
606 if (!$allowed)
607 {
608 $sql = 'SELECT site_ip, site_hostname, ip_exclude
609 FROM ' . SITELIST_TABLE;
610 $result = $db->sql_query($sql);
611
612 while ($row = $db->sql_fetchrow($result))
613 {
614 $site_ip = trim($row['site_ip']);
615 $site_hostname = trim($row['site_hostname']);
616
617 if ($site_ip)
618 {
619 foreach ($iplist as $ip)
620 {
621 if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_ip, '#')) . '$#i', $ip))
622 {
623 if ($row['ip_exclude'])
624 {
625 $allowed = ($config['secure_allow_deny']) ? false : true;
626 break 2;
627 }
628 else
629 {
630 $allowed = ($config['secure_allow_deny']) ? true : false;
631 }
632 }
633 }
634 }
635
636 if ($site_hostname)
637 {
638 if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_hostname, '#')) . '$#i', $hostname))
639 {
640 if ($row['ip_exclude'])
641 {
642 $allowed = ($config['secure_allow_deny']) ? false : true;
643 break;
644 }
645 else
646 {
647 $allowed = ($config['secure_allow_deny']) ? true : false;
648 }
649 }
650 }
651 }
652 $db->sql_freeresult($result);
653 }
654
655 return $allowed;
656 }
657
658 ?>
phpbb is a php-based BBS (buletin board system)