file_echo.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * "Echo" service to allow force downloading of exported charts (png or svg)
   5  * and server status monitor settings
   6  *
   7  * @package PhpMyAdmin
   8  */
   9
  10 use PMA\libraries\PMA_String;
  11
  12 define('PMA_MINIMUM_COMMON', true);
  13 require_once 'libraries/common.inc.php';
  14
  15 /* For chart exporting */
  16 if (isset($_REQUEST['filename']) && isset($_REQUEST['image'])) {
  17     $allowed = array(
  18         'image/png'     => 'png',
  19         'image/svg+xml' => 'svg',
  20     );
  21
  22     /* Check whether MIME type is allowed */
  23     if (! isset($allowed[$_REQUEST['type']])) {
  24         PMA_fatalError(__('Invalid export type'));
  25     }
  26
  27     /*
  28      * Check file name to match mime type and not contain new lines
  29      * to prevent response splitting.
  30      */
  31     $extension = $allowed[$_REQUEST['type']];
  32     $valid_match = '/^[^\n\r]*\.' . $extension . '$/';
  33     if (! preg_match($valid_match, $_REQUEST['filename'])) {
  34         if (! preg_match('/^[^\n\r]*$/', $_REQUEST['filename'])) {
  35             /* Filename is unsafe, discard it */
  36             $filename = 'download.' . $extension;
  37         } else {
  38             /* Add extension */
  39             $filename = $_REQUEST['filename'] . '.' . $extension;
  40         }
  41     } else {
  42         /* Filename from request should be safe here */
  43         $filename = $_REQUEST['filename'];
  44     }
  45
  46     /** @var String $pmaString */
  47     $pmaString = $GLOBALS['PMA_String'];
  48
  49     /* Decode data */
  50     if ($extension != 'svg') {
  51         $data = /*overload*/mb_substr(
  52             $_REQUEST['image'],
  53             /*overload*/mb_strpos($_REQUEST['image'], ',') + 1
  54         );
  55         $data = base64_decode($data);
  56     } else {
  57         $data = $_REQUEST['image'];
  58     }
  59
  60     /* Send download header */
  61     PMA_downloadHeader(
  62         $filename,
  63         $_REQUEST['type'],
  64         /*overload*/mb_strlen($data)
  65     );
  66
  67     /* Send data */
  68     echo $data;
  69
  70 } else if (isset($_REQUEST['monitorconfig'])) {
  71     /* For monitor chart config export */
  72     PMA_downloadHeader('monitor.cfg', 'application/force-download');
  73     echo urldecode($_REQUEST['monitorconfig']);
  74
  75 } else if (isset($_REQUEST['import'])) {
  76     /* For monitor chart config import */
  77     header('Content-type: text/plain');
  78     if (!file_exists($_FILES['file']['tmp_name'])) {
  79         exit();
  80     }
  81     echo file_get_contents($_FILES['file']['tmp_name']);
  82 }