search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
$auth-> to phpbb::$acl->
[phpbb.git] / phpBB / download / file.php
blob676befc15906224af9dddb8c40dba97592ba9e98
1 <?php
2 /**
3 *
4 * @package phpBB3
5 * @version $Id$
6 * @copyright (c) 2005 phpBB Group
7 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
8 *
9 */
10
11 /**
12 * @ignore
13 */
14 define('IN_PHPBB', true);
15 if (!defined('PHPBB_ROOT_PATH')) define('PHPBB_ROOT_PATH', './../');
16 if (!defined('PHP_EXT')) define('PHP_EXT', substr(strrchr(__FILE__, '.'), 1));
17 include(PHPBB_ROOT_PATH . 'includes/core/bootstrap.' . PHP_EXT);
18
19 // Thank you sun.
20 if (isset($_SERVER['CONTENT_TYPE']))
21 {
22 if ($_SERVER['CONTENT_TYPE'] === 'application/x-java-archive')
23 {
24 exit;
25 }
26 }
27 else if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'Java') !== false)
28 {
29 exit;
30 }
31
32 if (phpbb_request::is_set('avatar', phpbb_request::GET))
33 {
34 // worst-case default
35 $browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0';
36
37 phpbb::$config = phpbb_cache::obtain_config();
38 $filename = phpbb_request::variable('avatar', '', false, phpbb_request::GET);
39 $avatar_group = false;
40 $exit = false;
41
42 if ($filename[0] === 'g')
43 {
44 $avatar_group = true;
45 $filename = substr($filename, 1);
46 }
47
48 // '==' is not a bug - . as the first char is as bad as no dot at all
49 if (strpos($filename, '.') == false)
50 {
51 header('HTTP/1.0 403 forbidden');
52 $exit = true;
53 }
54
55 if (!$exit)
56 {
57 $ext = substr(strrchr($filename, '.'), 1);
58 $stamp = (int) substr(stristr($filename, '_'), 1);
59 $filename = (int) $filename;
60 $exit = set_modified_headers($stamp, $browser);
61 }
62 if (!$exit && !in_array($ext, array('png', 'gif', 'jpg', 'jpeg')))
63 {
64 // no way such an avatar could exist. They are not following the rules, stop the show.
65 header("HTTP/1.0 403 Forbidden");
66 $exit = true;
67 }
68
69
70 if (!$exit)
71 {
72 if (!$filename)
73 {
74 // no way such an avatar could exist. They are not following the rules, stop the show.
75 header("HTTP/1.0 403 Forbidden");
76 }
77 else
78 {
79 send_avatar_to_browser(($avatar_group ? 'g' : '') . $filename . '.' . $ext, $browser);
80 }
81 }
82 file_gc();
83 }
84
85 // implicit else: we are not in avatar mode
86 $download_id = request_var('id', 0);
87 $mode = request_var('mode', '');
88 $thumbnail = request_var('t', false);
89
90 // Start session management, do not update session page.
91 phpbb::$user->session_begin(false);
92 phpbb::$acl->init(phpbb::$user->data);
93 phpbb::$user->setup('viewtopic');
94
95 if (!$download_id)
96 {
97 trigger_error('NO_ATTACHMENT_SELECTED');
98 }
99
100 if (!phpbb::$config['allow_attachments'] && !phpbb::$config['allow_pm_attach'])
101 {
102 trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
103 }
104
105 $sql = 'SELECT attach_id, in_message, post_msg_id, extension, is_orphan, poster_id, filetime
106 FROM ' . ATTACHMENTS_TABLE . "
107 WHERE attach_id = $download_id";
108 $result = $db->sql_query_limit($sql, 1);
109 $attachment = $db->sql_fetchrow($result);
110 phpbb::$db->sql_freeresult($result);
111
112 if (!$attachment)
113 {
114 trigger_error('ERROR_NO_ATTACHMENT');
115 }
116
117 if ((!$attachment['in_message'] && !phpbb::$config['allow_attachments']) || ($attachment['in_message'] && !phpbb::$config['allow_pm_attach']))
118 {
119 trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
120 }
121
122 $row = array();
123
124 if ($attachment['is_orphan'])
125 {
126 // We allow admins having attachment permissions to see orphan attachments...
127 $own_attachment = (phpbb::$acl->acl_get('a_attach') || $attachment['poster_id'] == phpbb::$user->data['user_id']) ? true : false;
128
129 if (!$own_attachment || ($attachment['in_message'] && !phpbb::$acl->acl_get('u_pm_download')) || (!$attachment['in_message'] && !phpbb::$acl->acl_get('u_download')))
130 {
131 trigger_error('ERROR_NO_ATTACHMENT');
132 }
133
134 // Obtain all extensions...
135 $extensions = phpbb_cache::obtain_extensions();
136 }
137 else
138 {
139 if (!$attachment['in_message'])
140 {
141 //
142 $sql = 'SELECT p.forum_id, f.forum_password, f.parent_id
143 FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f
144 WHERE p.post_id = ' . $attachment['post_msg_id'] . '
145 AND p.forum_id = f.forum_id';
146 $result = $db->sql_query_limit($sql, 1);
147 $row = $db->sql_fetchrow($result);
148 $db->sql_freeresult($result);
149
150 // Global announcement?
151 $f_download = (!$row) ? phpbb::$acl->acl_getf_global('f_download') : phpbb::$acl->acl_get('f_download', $row['forum_id']);
152
153 if (phpbb::$acl->acl_get('u_download') && $f_download)
154 {
155 if ($row && $row['forum_password'])
156 {
157 // Do something else ... ?
158 login_forum_box($row);
159 }
160 }
161 else
162 {
163 trigger_error('SORRY_AUTH_VIEW_ATTACH');
164 }
165 }
166 else
167 {
168 $row['forum_id'] = false;
169 if (!phpbb::$acl->acl_get('u_pm_download'))
170 {
171 header('HTTP/1.0 403 forbidden');
172 trigger_error('SORRY_AUTH_VIEW_ATTACH');
173 }
174
175 // Check if the attachment is within the users scope...
176 $sql = 'SELECT user_id, author_id
177 FROM ' . PRIVMSGS_TO_TABLE . '
178 WHERE msg_id = ' . $attachment['post_msg_id'];
179 $result = $db->sql_query($sql);
180
181 $allowed = false;
182 while ($user_row = $db->sql_fetchrow($result))
183 {
184 if (phpbb::$user->data['user_id'] == $user_row['user_id'] || phpbb::$user->data['user_id'] == $user_row['author_id'])
185 {
186 $allowed = true;
187 break;
188 }
189 }
190 $db->sql_freeresult($result);
191
192 if (!$allowed)
193 {
194 header('HTTP/1.0 403 forbidden');
195 trigger_error('ERROR_NO_ATTACHMENT');
196 }
197 }
198
199 // disallowed?
200 $extensions = array();
201 if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions))
202 {
203 trigger_error(sprintf(phpbb::$user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
204 }
205 }
206
207 if (!download_allowed())
208 {
209 header('HTTP/1.0 403 forbidden');
210 trigger_error(phpbb::$user->lang['LINKAGE_FORBIDDEN']);
211 }
212
213 $download_mode = (int) $extensions[$attachment['extension']]['download_mode'];
214
215 // Fetching filename here to prevent sniffing of filename
216 $sql = 'SELECT attach_id, is_orphan, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype, filetime
217 FROM ' . ATTACHMENTS_TABLE . "
218 WHERE attach_id = $download_id";
219 $result = $db->sql_query_limit($sql, 1);
220 $attachment = $db->sql_fetchrow($result);
221 phpbb::$db->sql_freeresult($result);
222
223 if (!$attachment)
224 {
225 trigger_error('ERROR_NO_ATTACHMENT');
226 }
227
228 $attachment['physical_filename'] = basename($attachment['physical_filename']);
229 $display_cat = $extensions[$attachment['extension']]['display_cat'];
230
231 if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !phpbb::$user->optionget('viewimg'))
232 {
233 $display_cat = ATTACHMENT_CATEGORY_NONE;
234 }
235
236 if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !phpbb::$user->optionget('viewflash'))
237 {
238 $display_cat = ATTACHMENT_CATEGORY_NONE;
239 }
240
241 if ($thumbnail)
242 {
243 $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
244 }
245 else if (($display_cat == ATTACHMENT_CATEGORY_NONE || $display_cat == ATTACHMENT_CATEGORY_IMAGE) && !$attachment['is_orphan'])
246 {
247 // Update download count
248 $sql = 'UPDATE ' . ATTACHMENTS_TABLE . '
249 SET download_count = download_count + 1
250 WHERE attach_id = ' . $attachment['attach_id'];
251 $db->sql_query($sql);
252 }
253
254 if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && ((strpos(strtolower(phpbb::$user->system['browser']), 'msie') !== false) && (strpos(strtolower(phpbb::$user->system['browser']), 'msie 8.0') === false)))
255 {
256 wrap_img_in_html(append_sid('download/file', 'id=' . $attachment['attach_id']), $attachment['real_filename']);
257 }
258 else
259 {
260 // Determine the 'presenting'-method
261 if ($download_mode == PHYSICAL_LINK)
262 {
263 // This presenting method should no longer be used
264 if (!@is_dir(PHPBB_ROOT_PATH . phpbb::$config['upload_path']))
265 {
266 trigger_error(phpbb::$user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
267 }
268
269 redirect(PHPBB_ROOT_PATH . phpbb::$config['upload_path'] . '/' . $attachment['physical_filename']);
270 file_gc();
271 }
272 else
273 {
274 send_file_to_browser($attachment, phpbb::$config['upload_path'], $display_cat);
275 file_gc();
276 }
277 }
278
279
280 /**
281 * A simplified function to deliver avatars
282 * The argument needs to be checked before calling this function.
283 */
284 function send_avatar_to_browser($file, $browser)
285 {
286 $prefix = phpbb::$config['avatar_salt'] . '_';
287 $image_dir = phpbb::$config['avatar_path'];
288
289 // Adjust image_dir path (no trailing slash)
290 if (substr($image_dir, -1, 1) == '/' || substr($image_dir, -1, 1) == '\\')
291 {
292 $image_dir = substr($image_dir, 0, -1) . '/';
293 }
294 $image_dir = str_replace(array('../', '..\\', './', '.\\'), '', $image_dir);
295
296 if ($image_dir && ($image_dir[0] == '/' || $image_dir[0] == '\\'))
297 {
298 $image_dir = '';
299 }
300 $file_path = PHPBB_ROOT_PATH . $image_dir . '/' . $prefix . $file;
301
302 if ((@file_exists($file_path) && @is_readable($file_path)) && !headers_sent())
303 {
304 header('Pragma: public');
305
306 $image_data = @getimagesize($file_path);
307 header('Content-Type: ' . image_type_to_mime_type($image_data[2]));
308
309 if (strpos(strtolower($browser), 'msie') !== false && strpos(strtolower($browser), 'msie 8.0') === false)
310 {
311 header('Content-Disposition: attachment; ' . header_filename($file));
312
313 if (strpos(strtolower($browser), 'msie 6.0') !== false)
314 {
315 header('Expires: -1');
316 }
317 else
318 {
319 header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
320 }
321 }
322 else
323 {
324 header('Content-Disposition: inline; ' . header_filename($file));
325 header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
326 }
327
328 $size = @filesize($file_path);
329 if ($size)
330 {
331 header("Content-Length: $size");
332 }
333
334 if (@readfile($file_path) == false)
335 {
336 $fp = @fopen($file_path, 'rb');
337
338 if ($fp !== false)
339 {
340 while (!feof($fp))
341 {
342 echo fread($fp, 8192);
343 }
344 fclose($fp);
345 }
346 }
347
348 flush();
349 }
350 else
351 {
352 header('HTTP/1.0 404 not found');
353 }
354 }
355
356 /**
357 * Wraps an url into a simple html page. Used to display attachments in IE.
358 * this is a workaround for now; might be moved to template system later
359 * direct any complaints to 1 Microsoft Way, Redmond
360 */
361 function wrap_img_in_html($src, $title)
362 {
363 echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-Strict.dtd">';
364 echo '<html>';
365 echo '<head>';
366 echo '<meta http-equiv="content-type" content="text/html; charset=UTF-8" />';
367 echo '<title>' . $title . '</title>';
368 echo '</head>';
369 echo '<body>';
370 echo '<div>';
371 echo '<img src="' . $src . '" alt="' . $title . '" />';
372 echo '</div>';
373 echo '</body>';
374 echo '</html>';
375 }
376
377 /**
378 * Send file to browser
379 */
380 function send_file_to_browser($attachment, $upload_dir, $category)
381 {
382 $filename = PHPBB_ROOT_PATH . $upload_dir . '/' . $attachment['physical_filename'];
383
384 if (!@file_exists($filename))
385 {
386 trigger_error(phpbb::$user->lang['ERROR_NO_ATTACHMENT'] . '<br /><br />' . sprintf(phpbb::$user->lang['FILE_NOT_FOUND_404'], $filename));
387 }
388
389 // Correct the mime type - we force application/octetstream for all files, except images
390 // Please do not change this, it is a security precaution
391 if ($category != ATTACHMENT_CATEGORY_IMAGE || strpos($attachment['mimetype'], 'image') !== 0)
392 {
393 $attachment['mimetype'] = (strpos(strtolower(phpbb::$user->system['browser']), 'msie') !== false || strpos(strtolower(phpbb::$user->system['browser']), 'opera') !== false) ? 'application/octetstream' : 'application/octet-stream';
394 }
395
396 if (@ob_get_length())
397 {
398 @ob_end_clean();
399 }
400
401 // Now send the File Contents to the Browser
402 $size = @filesize($filename);
403
404 // To correctly display further errors we need to make sure we are using the correct headers for both (unsetting content-length may not work)
405
406 // Check if headers already sent or not able to get the file contents.
407 if (headers_sent() || !@file_exists($filename) || !@is_readable($filename))
408 {
409 // PHP track_errors setting On?
410 if (!empty($php_errormsg))
411 {
412 trigger_error(phpbb::$user->lang['UNABLE_TO_DELIVER_FILE'] . '<br />' . sprintf(phpbb::$user->lang['TRACKED_PHP_ERROR'], $php_errormsg));
413 }
414
415 trigger_error('UNABLE_TO_DELIVER_FILE');
416 }
417
418 // Now the tricky part... let's dance
419 header('Pragma: public');
420
421 /**
422 * Commented out X-Sendfile support. To not expose the physical filename within the header if xsendfile is absent we need to look into methods of checking it's status.
423 *
424 * Try X-Sendfile since it is much more server friendly - only works if the path is *not* outside of the root path...
425 * lighttpd has core support for it. An apache2 module is available at http://celebnamer.celebworld.ws/stuff/mod_xsendfile/
426 *
427 * Not really ideal, but should work fine...
428 * <code>
429 * if (strpos($upload_dir, '/') !== 0 && strpos($upload_dir, '../') === false)
430 * {
431 * header('X-Sendfile: ' . $filename);
432 * }
433 * </code>
434 */
435
436 // Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
437 $is_ie8 = (strpos(strtolower(phpbb::$user->system['browser']), 'msie 8.0') !== false);
438 header('Content-Type: ' . $attachment['mimetype'] . (($is_ie8) ? '; authoritative=true;' : ''));
439
440 if (empty(phpbb::$user->system['browser']) || (!$is_ie8 && (strpos(strtolower(phpbb::$user->system['browser']), 'msie') !== false)))
441 {
442 header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
443 if (empty(phpbb::$user->system['browser']) || (strpos(strtolower(phpbb::$user->system['browser']), 'msie 6.0') !== false))
444 {
445 header('expires: -1');
446 }
447 }
448 else
449 {
450 header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
451 if ($is_ie8 && (strpos($attachment['mimetype'], 'image') !== 0))
452 {
453 header('X-Download-Options: noopen');
454 }
455 }
456
457 if ($size)
458 {
459 header("Content-Length: $size");
460 }
461
462 // Close the db connection before sending the file
463 $db->sql_close();
464
465 if (!set_modified_headers($attachment['filetime'], phpbb::$user->system['browser']))
466 {
467 // Try to deliver in chunks
468 @set_time_limit(0);
469
470 $fp = @fopen($filename, 'rb');
471
472 if ($fp !== false)
473 {
474 while (!feof($fp))
475 {
476 echo fread($fp, 8192);
477 }
478 fclose($fp);
479 }
480 else
481 {
482 @readfile($filename);
483 }
484
485 flush();
486 }
487 file_gc();
488 }
489
490 /**
491 * Get a browser friendly UTF-8 encoded filename
492 */
493 function header_filename($file)
494 {
495 $user_agent = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
496
497 // There be dragons here.
498 // Not many follows the RFC...
499 if (strpos($user_agent, 'MSIE') !== false || strpos($user_agent, 'Safari') !== false || strpos($user_agent, 'Konqueror') !== false)
500 {
501 return "filename=" . rawurlencode($file);
502 }
503
504 // follow the RFC for extended filename for the rest
505 return "filename*=UTF-8''" . rawurlencode($file);
506 }
507
508 /**
509 * Check if downloading item is allowed
510 */
511 function download_allowed()
512 {
513 if (!phpbb::$config['secure_downloads'])
514 {
515 return true;
516 }
517
518 $url = (!empty($_SERVER['HTTP_REFERER'])) ? trim($_SERVER['HTTP_REFERER']) : trim(getenv('HTTP_REFERER'));
519
520 if (!$url)
521 {
522 return (phpbb::$config['secure_allow_empty_referer']) ? true : false;
523 }
524
525 // Split URL into domain and script part
526 $url = @parse_url($url);
527
528 if ($url === false)
529 {
530 return (phpbb::$config['secure_allow_empty_referer']) ? true : false;
531 }
532
533 $hostname = $url['host'];
534 unset($url);
535
536 $allowed = (phpbb::$config['secure_allow_deny']) ? false : true;
537 $iplist = array();
538
539 if (($ip_ary = @gethostbynamel($hostname)) !== false)
540 {
541 foreach ($ip_ary as $ip)
542 {
543 if ($ip)
544 {
545 $iplist[] = $ip;
546 }
547 }
548 }
549
550 // Check for own server...
551 $server_name = phpbb::$user->system['host'];
552
553 // Forcing server vars is the only way to specify/override the protocol
554 if (phpbb::$config['force_server_vars'] || !$server_name)
555 {
556 $server_name = phpbb::$config['server_name'];
557 }
558
559 if (preg_match('#^.*?' . preg_quote($server_name, '#') . '.*?$#i', $hostname))
560 {
561 $allowed = true;
562 }
563
564 // Get IP's and Hostnames
565 if (!$allowed)
566 {
567 $sql = 'SELECT site_ip, site_hostname, ip_exclude
568 FROM ' . SITELIST_TABLE;
569 $result = $db->sql_query($sql);
570
571 while ($row = $db->sql_fetchrow($result))
572 {
573 $site_ip = trim($row['site_ip']);
574 $site_hostname = trim($row['site_hostname']);
575
576 if ($site_ip)
577 {
578 foreach ($iplist as $ip)
579 {
580 if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_ip, '#')) . '$#i', $ip))
581 {
582 if ($row['ip_exclude'])
583 {
584 $allowed = (phpbb::$config['secure_allow_deny']) ? false : true;
585 break 2;
586 }
587 else
588 {
589 $allowed = (phpbb::$config['secure_allow_deny']) ? true : false;
590 }
591 }
592 }
593 }
594
595 if ($site_hostname)
596 {
597 if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_hostname, '#')) . '$#i', $hostname))
598 {
599 if ($row['ip_exclude'])
600 {
601 $allowed = (phpbb::$config['secure_allow_deny']) ? false : true;
602 break;
603 }
604 else
605 {
606 $allowed = (phpbb::$config['secure_allow_deny']) ? true : false;
607 }
608 }
609 }
610 }
611 $db->sql_freeresult($result);
612 }
613
614 return $allowed;
615 }
616
617 /**
618 * Check if the browser has the file already and set the appropriate headers-
619 * @returns false if a resend is in order.
620 */
621 function set_modified_headers($stamp, $browser)
622 {
623 // let's see if we have to send the file at all
624 $last_load = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime(trim($_SERVER['HTTP_IF_MODIFIED_SINCE'])) : false;
625 if ((strpos(strtolower($browser), 'msie 6.0') === false) && (strpos(strtolower($browser), 'msie 8.0') === false))
626 {
627 if ($last_load !== false && $last_load <= $stamp)
628 {
629 if (@php_sapi_name() === 'CGI')
630 {
631 header('Status: 304 Not Modified', true, 304);
632 }
633 else
634 {
635 header('HTTP/1.0 304 Not Modified', true, 304);
636 }
637 // seems that we need those too ... browsers
638 header('Pragma: public');
639 header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
640 return true;
641 }
642 else
643 {
644 header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $stamp) . ' GMT');
645 }
646 }
647 return false;
648 }
649
650 function file_gc()
651 {
652 if (phpbb::registered('acm'))
653 {
654 phpbb::$acm->unload();
655 }
656
657 if (phpbb::registered('db'))
658 {
659 phpbb::$db->sql_close();
660 }
661
662 exit;
663 }
664
665 ?>
phpbb is a php-based BBS (buletin board system)