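<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * "Echo" service to allow force downloading of exported charts (png or svg)
 * and server status monitor settings
 *
 * Every branch below sends request-supplied data (or an uploaded file) back
 * to the browser, so the response headers and the file name are the only
 * things standing between the caller's input and the user's browser.
 *
 * NOTE(review): whether common.inc.php enforces authentication and request
 * token checks for this endpoint is not visible in this file - confirm.
 *
 * @package phpMyAdmin
 */

require_once './libraries/common.inc.php';

/* For chart exporting */
if (isset($_REQUEST['filename']) && isset($_REQUEST['image'])) {
    $allowed = array(
        'image/png' => 'png',
        'image/svg+xml' => 'svg',
    );

    /* Check whether MIME type is allowed (missing or non-string is rejected) */
    if (! isset($_REQUEST['type'])
        || ! is_string($_REQUEST['type'])
        || ! isset($allowed[$_REQUEST['type']])
    ) {
        die(__('Invalid export type'));
    }

    /*
     * Check file name to match mime type and not contain new lines
     * to prevent response splitting.
     *
     * The D modifier is required: without it PCRE lets "$" match just
     * before a trailing "\n", so "chart.png\n" would pass the check and
     * the line break would reach the download header.
     */
    $extension = $allowed[$_REQUEST['type']];
    $valid_match = '/^[^\n\r]*\.' . $extension . '$/D';
    if (! is_string($_REQUEST['filename'])) {
        /* Array-valued parameter, nothing usable as a file name */
        $filename = 'download.' . $extension;
    } else if (! preg_match($valid_match, $_REQUEST['filename'])) {
        if (! preg_match('/^[^\n\r]*$/D', $_REQUEST['filename'])) {
            /* Filename is unsafe, discard it */
            $filename = 'download.' . $extension;
        } else {
            /* Add extension */
            $filename = $_REQUEST['filename'] . '.' . $extension;
        }
    } else {
        /* Filename is free of line breaks and carries the right extension */
        $filename = $_REQUEST['filename'];
    }
    /*
     * NOTE(review): only CR/LF are filtered here. How PMA_download_header
     * quotes the name inside the header is not visible in this file -
     * confirm it copes with '"' and other special characters.
     */

    /* Decode data */
    if ($extension !== 'svg') {
        /*
         * PNG arrives as "<prefix>,<base64>". When there is no comma
         * strpos() returns false; "false + 1" used to cut off the first
         * character of the payload, so decode the whole value instead.
         */
        $comma = strpos($_REQUEST['image'], ',');
        if ($comma === false) {
            $data = $_REQUEST['image'];
        } else {
            $data = substr($_REQUEST['image'], $comma + 1);
        }
        $data = base64_decode($data);
    } else {
        /*
         * SVG is echoed back verbatim. SVG can carry script, so this is
         * only safe if the response is always treated as a download.
         * NOTE(review): presumably PMA_download_header forces an
         * attachment disposition - confirm.
         */
        $data = $_REQUEST['image'];
    }

    /* Send download header */
    PMA_download_header($filename, $_REQUEST['type'], strlen($data));

    /* Send data */
    echo $data;

/* For monitor chart config export */
} else if (isset($_REQUEST['monitorconfig'])) {
    PMA_download_header('monitor.cfg', 'application/force-download');
    /*
     * PHP has already URL-decoded $_REQUEST, so this is a second decoding
     * pass. NOTE(review): presumably the client encodes the value itself
     * before submitting it - confirm.
     */
    echo urldecode($_REQUEST['monitorconfig']);

/* For monitor chart config import */
} else if (isset($_REQUEST['import'])) {
    header('Content-type: text/plain');
    /* Keep browsers from sniffing the echoed upload as HTML */
    header('X-Content-Type-Options: nosniff');
    /*
     * Only read a file that PHP itself received as an upload in this
     * request; a missing or array-valued "file" field ends the request.
     */
    if (! isset($_FILES['file']['tmp_name'])
        || ! is_string($_FILES['file']['tmp_name'])
        || ! is_uploaded_file($_FILES['file']['tmp_name'])
    ) {
        exit();
    }
    echo file_get_contents($_FILES['file']['tmp_name']);
}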