search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ups, seems i really forgot to change this. :)
[phpbb.git] / phpBB / download / file.php
blobad2abf880e81f7c3cf33a007d95265439957d56e
1 <?php
2 /**
3 *
4 * @package phpBB3
5 * @version $Id$
6 * @copyright (c) 2005 phpBB Group
7 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
8 *
9 */
10
11 /**
12 * @ignore
13 */
14 define('IN_PHPBB', true);
15 $phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
16 $phpEx = substr(strrchr(__FILE__, '.'), 1);
17
18 if (isset($_GET['avatar']))
19 {
20 require($phpbb_root_path . 'config.' . $phpEx);
21 require($phpbb_root_path . 'includes/acm/acm_' . $acm_type . '.' . $phpEx);
22 require($phpbb_root_path . 'includes/cache.' . $phpEx);
23 require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx);
24 require($phpbb_root_path . 'includes/constants.' . $phpEx);
25
26 $db = new $sql_db();
27 $cache = new cache();
28
29 // Connect to DB
30 if (!@$db->sql_connect($dbhost, $dbuser, $dbpasswd, $dbname, $dbport, false, false))
31 {
32 exit;
33 }
34 unset($dbpasswd);
35
36 $config = $cache->obtain_config();
37 $filename = $_GET['avatar'];
38 $avatar_group = false;
39 if ($filename[0] === 'g')
40 {
41 $avatar_group = true;
42 $filename = substr($filename, 1);
43 }
44
45 // '==' is not a bug - . as the first char is as bad as no dot at all
46 if (strpos($filename, '.') == false)
47 {
48 header('HTTP/1.0 403 forbidden');
49 if (!empty($cache))
50 {
51 $cache->unload();
52 }
53 $db->sql_close();
54 exit;
55 }
56
57 $ext = substr(strrchr($filename, '.'), 1);
58 $filename = intval($filename);
59
60 if (!in_array($ext, array('png', 'gif', 'jpg', 'jpeg')))
61 {
62 // no way such an avatar could exist. They are not following the rules, stop the show.
63 header("HTTP/1.0 403 forbidden");
64 if (!empty($cache))
65 {
66 $cache->unload();
67 }
68 $db->sql_close();
69 exit;
70 }
71
72 if (!$filename)
73 {
74 // no way such an avatar could exist. They are not following the rules, stop the show.
75 header("HTTP/1.0 403 forbidden");
76 if (!empty($cache))
77 {
78 $cache->unload();
79 }
80 $db->sql_close();
81 exit;
82 }
83
84 send_avatar_to_browser(($avatar_group ? 'g' : '') . $filename . '.' . $ext);
85
86 if (!empty($cache))
87 {
88 $cache->unload();
89 }
90 $db->sql_close();
91 exit;
92 }
93
94 // implicit else: we are not in avatar mode
95 include($phpbb_root_path . 'common.' . $phpEx);
96
97 $download_id = request_var('id', 0);
98 $mode = request_var('mode', '');
99 $thumbnail = request_var('t', false);
100
101 // Start session management, do not update session page.
102 $user->session_begin(false);
103 $auth->acl($user->data);
104 $user->setup('viewtopic');
105
106 if (!$download_id)
107 {
108 trigger_error('NO_ATTACHMENT_SELECTED');
109 }
110
111 if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
112 {
113 trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
114 }
115
116 $sql = 'SELECT attach_id, in_message, post_msg_id, extension, is_orphan, poster_id
117 FROM ' . ATTACHMENTS_TABLE . "
118 WHERE attach_id = $download_id";
119 $result = $db->sql_query_limit($sql, 1);
120 $attachment = $db->sql_fetchrow($result);
121 $db->sql_freeresult($result);
122
123 if (!$attachment)
124 {
125 trigger_error('ERROR_NO_ATTACHMENT');
126 }
127
128 if ((!$attachment['in_message'] && !$config['allow_attachments']) || ($attachment['in_message'] && !$config['allow_pm_attach']))
129 {
130 trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
131 }
132
133 $row = array();
134
135 if ($attachment['is_orphan'])
136 {
137 // We allow admins having attachment permissions to see orphan attachments...
138 $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false;
139
140 if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download')))
141 {
142 trigger_error('ERROR_NO_ATTACHMENT');
143 }
144
145 // Obtain all extensions...
146 $extensions = $cache->obtain_attach_extensions(true);
147 }
148 else
149 {
150 if (!$attachment['in_message'])
151 {
152 //
153 $sql = 'SELECT p.forum_id, f.forum_password, f.parent_id
154 FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f
155 WHERE p.post_id = ' . $attachment['post_msg_id'] . '
156 AND p.forum_id = f.forum_id';
157 $result = $db->sql_query_limit($sql, 1);
158 $row = $db->sql_fetchrow($result);
159 $db->sql_freeresult($result);
160
161 // Global announcement?
162 $f_download = (!$row) ? $auth->acl_getf_global('f_download') : $auth->acl_get('f_download', $row['forum_id']);
163
164 if ($auth->acl_get('u_download') && $f_download)
165 {
166 if ($row && $row['forum_password'])
167 {
168 // Do something else ... ?
169 login_forum_box($row);
170 }
171 }
172 else
173 {
174 trigger_error('SORRY_AUTH_VIEW_ATTACH');
175 }
176 }
177 else
178 {
179 $row['forum_id'] = false;
180 if (!$auth->acl_get('u_pm_download'))
181 {
182 trigger_error('SORRY_AUTH_VIEW_ATTACH');
183 }
184 }
185
186 // disallowed?
187 $extensions = array();
188 if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions))
189 {
190 trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
191 }
192 }
193
194 if (!download_allowed())
195 {
196 trigger_error($user->lang['LINKAGE_FORBIDDEN']);
197 }
198
199 $download_mode = (int) $extensions[$attachment['extension']]['download_mode'];
200
201 // Fetching filename here to prevent sniffing of filename
202 $sql = 'SELECT attach_id, is_orphan, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype
203 FROM ' . ATTACHMENTS_TABLE . "
204 WHERE attach_id = $download_id";
205 $result = $db->sql_query_limit($sql, 1);
206 $attachment = $db->sql_fetchrow($result);
207 $db->sql_freeresult($result);
208
209 if (!$attachment)
210 {
211 trigger_error('ERROR_NO_ATTACHMENT');
212 }
213
214 $attachment['physical_filename'] = basename($attachment['physical_filename']);
215 $display_cat = $extensions[$attachment['extension']]['display_cat'];
216
217 if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))
218 {
219 $display_cat = ATTACHMENT_CATEGORY_NONE;
220 }
221
222 if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash'))
223 {
224 $display_cat = ATTACHMENT_CATEGORY_NONE;
225 }
226
227 if ($thumbnail)
228 {
229 $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
230 }
231 else if (($display_cat == ATTACHMENT_CATEGORY_NONE || $display_cat == ATTACHMENT_CATEGORY_IMAGE) && !$attachment['is_orphan'])
232 {
233 // Update download count
234 $sql = 'UPDATE ' . ATTACHMENTS_TABLE . '
235 SET download_count = download_count + 1
236 WHERE attach_id = ' . $attachment['attach_id'];
237 $db->sql_query($sql);
238 }
239
240 if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && strpos(strtolower($user->browser), 'msie') !== false)
241 {
242 wrap_img_in_html(append_sid('./download.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);
243 }
244 else
245 {
246 // Determine the 'presenting'-method
247 if ($download_mode == PHYSICAL_LINK)
248 {
249 // This presenting method should no longer be used
250 if (!@is_dir($phpbb_root_path . $config['upload_path']))
251 {
252 trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
253 }
254
255 redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);
256 exit;
257 }
258 else
259 {
260 send_file_to_browser($attachment, $config['upload_path'], $display_cat);
261 exit;
262 }
263 }
264
265
266 /**
267 * A simplified function to deliver avatars
268 * The argument needs to be checked before calling this function.
269 */
270 function send_avatar_to_browser($file)
271 {
272 global $config, $phpbb_root_path;
273
274 $prefix = $config['avatar_salt'] . '_';
275 $image_dir = $config['avatar_path'];
276
277 // worst-case default
278 $browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0';
279
280 // Adjust image_dir path (no trailing slash)
281 if (substr($image_dir, -1, 1) == '/' || substr($image_dir, -1, 1) == '\\')
282 {
283 $image_dir = substr($image_dir, 0, -1) . '/';
284 }
285 $image_dir = str_replace(array('../', '..\\', './', '.\\'), '', $image_dir);
286
287 if ($image_dir && ($image_dir[0] == '/' || $image_dir[0] == '\\'))
288 {
289 $image_dir = '';
290 }
291 $file_path = $phpbb_root_path . $image_dir . '/' . $prefix . $file;
292
293 if ((@file_exists($file_path) && @is_readable($file_path)) || headers_sent())
294 {
295 header('Pragma: public');
296
297 $image_data = @getimagesize($file_path);
298 header('Content-Type: ' . image_type_to_mime_type($image_data[2]));
299
300 if (strpos(strtolower($browser), 'msie') !== false)
301 {
302 header('Content-Disposition: attachment; ' . header_filename($file));
303
304 if (strpos(strtolower($browser), 'msie 6.0') !== false)
305 {
306 header('Expires: -1');
307 }
308 else
309 {
310 header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
311 }
312 }
313 else
314 {
315 header('Content-Disposition: inline; ' . header_filename($file));
316 header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time() + 31536000));
317 }
318
319 $size = @filesize($file_path);
320 if ($size)
321 {
322 header("Content-Length: $size");
323 }
324
325 if (@readfile($file_path) === false)
326 {
327 $fp = @fopen($file_path, 'rb');
328
329 if ($fp !== false)
330 {
331 while (!feof($fp))
332 {
333 echo fread($fp, 8192);
334 }
335 fclose($fp);
336 }
337 }
338
339 flush();
340 }
341 else
342 {
343 header('HTTP/1.0 404 not found');
344 }
345 }
346
347 /**
348 * Wraps an url into a simple html page. Used to display attachments in IE.
349 * this is a workaround for now; might be moved to template system later
350 * direct any complaints to 1 Microsoft Way, Redmond
351 */
352 function wrap_img_in_html($src, $title)
353 {
354 echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-Strict.dtd">';
355 echo '<html>';
356 echo '<head>';
357 echo '<meta http-equiv="content-type" content="text/html; charset=UTF-8" />';
358 echo '<title>' . $title . '</title>';
359 echo '</head>';
360 echo '<body>';
361 echo '<div>';
362 echo '<img src="' . $src . '" alt="' . $title . '" />';
363 echo '</div>';
364 echo '</body>';
365 echo '</html>';
366 }
367
368 /**
369 * Send file to browser
370 */
371 function send_file_to_browser($attachment, $upload_dir, $category)
372 {
373 global $user, $db, $config, $phpbb_root_path;
374
375 $filename = $phpbb_root_path . $upload_dir . '/' . $attachment['physical_filename'];
376
377 if (!@file_exists($filename))
378 {
379 trigger_error($user->lang['ERROR_NO_ATTACHMENT'] . '<br /><br />' . sprintf($user->lang['FILE_NOT_FOUND_404'], $filename));
380 }
381
382 // Correct the mime type - we force application/octetstream for all files, except images
383 // Please do not change this, it is a security precaution
384 if ($category != ATTACHMENT_CATEGORY_IMAGE || strpos($attachment['mimetype'], 'image') !== 0)
385 {
386 $attachment['mimetype'] = (strpos(strtolower($user->browser), 'msie') !== false || strpos(strtolower($user->browser), 'opera') !== false) ? 'application/octetstream' : 'application/octet-stream';
387 }
388
389 if (@ob_get_length())
390 {
391 @ob_end_clean();
392 }
393
394 // Now send the File Contents to the Browser
395 $size = @filesize($filename);
396
397 // To correctly display further errors we need to make sure we are using the correct headers for both (unsetting content-length may not work)
398
399 // Check if headers already sent or not able to get the file contents.
400 if (headers_sent() || !@file_exists($filename) || !@is_readable($filename))
401 {
402 // PHP track_errors setting On?
403 if (!empty($php_errormsg))
404 {
405 trigger_error($user->lang['UNABLE_TO_DELIVER_FILE'] . '<br />' . sprintf($user->lang['TRACKED_PHP_ERROR'], $php_errormsg));
406 }
407
408 trigger_error('UNABLE_TO_DELIVER_FILE');
409 }
410
411 // Now the tricky part... let's dance
412 header('Pragma: public');
413
414 /**
415 * Commented out X-Sendfile support. To not expose the physical filename within the header if xsendfile is absent we need to look into methods of checking it's status.
416 *
417 * Try X-Sendfile since it is much more server friendly - only works if the path is *not* outside of the root path...
418 * lighttpd has core support for it. An apache2 module is available at http://celebnamer.celebworld.ws/stuff/mod_xsendfile/
419 *
420 * Not really ideal, but should work fine...
421 * <code>
422 * if (strpos($upload_dir, '/') !== 0 && strpos($upload_dir, '../') === false)
423 * {
424 * header('X-Sendfile: ' . $filename);
425 * }
426 * </code>
427 */
428
429 // Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
430 header('Content-Type: ' . $attachment['mimetype']);
431
432 if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
433 {
434 header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
435 if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
436 {
437 header('expires: -1');
438 }
439 }
440 else
441 {
442 header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
443 }
444
445 if ($size)
446 {
447 header("Content-Length: $size");
448 }
449
450 // Try to deliver in chunks
451 @set_time_limit(0);
452
453 $fp = @fopen($filename, 'rb');
454
455 if ($fp !== false)
456 {
457 while (!feof($fp))
458 {
459 echo fread($fp, 8192);
460 }
461 fclose($fp);
462 }
463 else
464 {
465 @readfile($filename);
466 }
467
468 flush();
469 exit;
470 }
471
472 /**
473 * Get a browser friendly UTF-8 encoded filename
474 */
475 function header_filename($file)
476 {
477 $user_agent = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
478
479 // There be dragons here.
480 // Not many follows the RFC...
481 if (strpos($user_agent, 'MSIE') !== false || strpos($user_agent, 'Safari') !== false || strpos($user_agent, 'Konqueror') !== false)
482 {
483 return "filename=" . rawurlencode($file);
484 }
485
486 // follow the RFC for extended filename for the rest
487 return "filename*=UTF-8''" . rawurlencode($file);
488 }
489
490 /**
491 * Check if downloading item is allowed
492 */
493 function download_allowed()
494 {
495 global $config, $user, $db;
496
497 if (!$config['secure_downloads'])
498 {
499 return true;
500 }
501
502 $url = (!empty($_SERVER['HTTP_REFERER'])) ? trim($_SERVER['HTTP_REFERER']) : trim(getenv('HTTP_REFERER'));
503
504 if (!$url)
505 {
506 return ($config['secure_allow_empty_referer']) ? true : false;
507 }
508
509 // Split URL into domain and script part
510 $url = @parse_url($url);
511
512 if ($url === false)
513 {
514 return ($config['secure_allow_empty_referer']) ? true : false;
515 }
516
517 $hostname = $url['host'];
518 unset($url);
519
520 $allowed = ($config['secure_allow_deny']) ? false : true;
521 $iplist = array();
522
523 if (($ip_ary = @gethostbynamel($hostname)) !== false)
524 {
525 foreach ($ip_ary as $ip)
526 {
527 if ($ip)
528 {
529 $iplist[] = $ip;
530 }
531 }
532 }
533
534 // Check for own server...
535 $server_name = (!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME');
536
537 // Forcing server vars is the only way to specify/override the protocol
538 if ($config['force_server_vars'] || !$server_name)
539 {
540 $server_name = $config['server_name'];
541 }
542
543 if (preg_match('#^.*?' . preg_quote($server_name, '#') . '.*?$#i', $hostname))
544 {
545 $allowed = true;
546 }
547
548 // Get IP's and Hostnames
549 if (!$allowed)
550 {
551 $sql = 'SELECT site_ip, site_hostname, ip_exclude
552 FROM ' . SITELIST_TABLE;
553 $result = $db->sql_query($sql);
554
555 while ($row = $db->sql_fetchrow($result))
556 {
557 $site_ip = trim($row['site_ip']);
558 $site_hostname = trim($row['site_hostname']);
559
560 if ($site_ip)
561 {
562 foreach ($iplist as $ip)
563 {
564 if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_ip, '#')) . '$#i', $ip))
565 {
566 if ($row['ip_exclude'])
567 {
568 $allowed = ($config['secure_allow_deny']) ? false : true;
569 break 2;
570 }
571 else
572 {
573 $allowed = ($config['secure_allow_deny']) ? true : false;
574 }
575 }
576 }
577 }
578
579 if ($site_hostname)
580 {
581 if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_hostname, '#')) . '$#i', $hostname))
582 {
583 if ($row['ip_exclude'])
584 {
585 $allowed = ($config['secure_allow_deny']) ? false : true;
586 break;
587 }
588 else
589 {
590 $allowed = ($config['secure_allow_deny']) ? true : false;
591 }
592 }
593 }
594 }
595 $db->sql_freeresult($result);
596 }
597
598 return $allowed;
599 }
600
601 ?>
phpbb is a php-based BBS (buletin board system)