
Merge pull request #5274 from rubencm/ticket/14285

[ticket/14285] Move downloads to controller
This commit is contained in:
Marc Alexander
2021-05-28 07:17:15 +02:00
committed by GitHub
26 changed files with 1037 additions and 1335 deletions


@@ -14,6 +14,16 @@
/**
* @ignore
*/
use phpbb\attachment\manager;
use phpbb\config\config;
use phpbb\controller\helper;
use phpbb\db\driver\driver_interface;
use phpbb\filesystem\filesystem_interface;
use phpbb\language\language;
use phpbb\template\template;
use phpbb\user;
if (!defined('IN_PHPBB'))
{
exit;
@@ -21,30 +31,33 @@ if (!defined('IN_PHPBB'))
class acp_attachments
{
/** @var \phpbb\db\driver\driver_interface */
/** @var driver_interface */
protected $db;
/** @var \phpbb\config\config */
/** @var config */
protected $config;
/** @var \phpbb\language\language */
/** @var language */
protected $language;
/** @var ContainerBuilder */
protected $phpbb_container;
/** @var \phpbb\template\template */
/** @var template */
protected $template;
/** @var \phpbb\user */
/** @var user */
protected $user;
/** @var \phpbb\filesystem\filesystem_interface */
/** @var filesystem_interface */
protected $filesystem;
/** @var \phpbb\attachment\manager */
/** @var manager */
protected $attachment_manager;
/** @var helper */
protected $controller_helper;
public $id;
public $u_action;
protected $new_config;
@@ -63,6 +76,7 @@ class acp_attachments
$this->phpbb_container = $phpbb_container;
$this->filesystem = $phpbb_filesystem;
$this->attachment_manager = $phpbb_container->get('attachment.manager');
$this->controller_helper = $phpbb_container->get('controller.helper');
$user->add_lang(array('posting', 'viewtopic', 'acp/attachments'));
@@ -1082,8 +1096,8 @@ class acp_attachments
'PHYSICAL_FILENAME' => utf8_basename($row['physical_filename']),
'ATTACH_ID' => $row['attach_id'],
'POST_IDS' => (!empty($post_ids[$row['attach_id']])) ? $post_ids[$row['attach_id']] : '',
'U_FILE' => append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'mode=view&id=' . $row['attach_id']))
);
'U_FILE' => $this->controller_helper->route('phpbb_storage_attachment', ['file' => (int) $row['attach_id']])
));
}
$db->sql_freeresult($result);
@@ -1270,8 +1284,8 @@ class acp_attachments
'S_IN_MESSAGE' => (bool) $row['in_message'],
'U_VIEW_TOPIC' => append_sid("{$phpbb_root_path}viewtopic.$phpEx", "t={$row['topic_id']}&p={$row['post_msg_id']}") . "#p{$row['post_msg_id']}",
'U_FILE' => append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'mode=view&id=' . $row['attach_id']))
);
'U_FILE' => $this->controller_helper->route('phpbb_storage_attachment', ['file' => $row['attach_id']])
));
}
break;
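Review bot: The route parameter in the second U_FILE hunk, `'U_FILE' => $this->controller_helper->route('phpbb_storage_attachment', ['file' => $row['attach_id']])`, is passed uncast, while the first U_FILE hunk and every other call site in this commit write `['file' => (int) $row['attach_id']]`; using the cast here too keeps the generated URL from ever carrying a non-numeric row value and keeps the two template assignments consistent. The methods enclosing both U_FILE hunks start and end outside the hunks.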


@@ -14,6 +14,9 @@
/**
* @ignore
*/
use phpbb\controller\helper;
if (!defined('IN_PHPBB'))
{
exit;
@@ -36,6 +39,9 @@ class acp_users
global $phpbb_dispatcher, $request;
global $phpbb_container, $phpbb_log;
/** @var helper $controller_helper */
$controller_helper = $phpbb_container->get('controller.helper');
$user->add_lang(array('posting', 'ucp', 'acp/users'));
$this->tpl_name = 'acp_users';
@@ -2126,9 +2132,6 @@ class acp_users
$decoded_message = generate_text_for_edit($signature, $bbcode_uid, $bbcode_flags);
}
/** @var \phpbb\controller\helper $controller_helper */
$controller_helper = $phpbb_container->get('controller.helper');
$template->assign_vars(array(
'S_SIGNATURE' => true,
@@ -2298,7 +2301,7 @@ class acp_users
'S_IN_MESSAGE' => $row['in_message'],
'U_DOWNLOAD' => append_sid("{$phpbb_root_path}download/file.$phpEx", 'mode=view&id=' . $row['attach_id']),
'U_DOWNLOAD' => $controller_helper->route('phpbb_storage_attachment', ['file' => (int) $row['attach_id']]),
'U_VIEW_TOPIC' => $view_topic)
);
}


@@ -927,7 +927,7 @@ function parse_cfg_file($filename, $lines = false)
}
else if (($value[0] == "'" && $value[strlen($value) - 1] == "'") || ($value[0] == '"' && $value[strlen($value) - 1] == '"'))
{
$value = htmlspecialchars(substr($value, 1, strlen($value)-2), ENT_COMPAT);
$value = htmlspecialchars(substr($value, 1, strlen($value) - 2), ENT_COMPAT);
}
else
{
@@ -944,3 +944,27 @@ function parse_cfg_file($filename, $lines = false)
return $parsed_items;
}
/**
* Wraps an url into a simple html page. Used to display attachments in IE.
* this is a workaround for now; might be moved to template system later
* direct any complaints to 1 Microsoft Way, Redmond
*
* @deprecated: 3.3.0-dev (To be removed: 4.0.0)
*/
function wrap_img_in_html($src, $title)
{
echo '<!DOCTYPE html>';
echo '<html>';
echo '<head>';
echo '<meta charset="utf-8">';
echo '<meta http-equiv="X-UA-Compatible" content="IE=edge">';
echo '<title>' . $title . '</title>';
echo '</head>';
echo '<body>';
echo '<div>';
echo '<img src="' . $src . '" alt="' . $title . '" />';
echo '</div>';
echo '</body>';
echo '</html>';
}
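Review bot: `wrap_img_in_html()` writes `$src` and `$title` straight into the `<title>`, `src` and `alt` positions without escaping, and the docblock that moves with it says nothing about that contract; since the function is being kept (deprecated) for callers outside this diff, the docblock should state it, e.g. `@param string $src   Image URL, already escaped for use in an HTML attribute` and `@param string $title Page title, already HTML-escaped`. The `@deprecated: 3.3.0-dev (To be removed: 4.0.0)` tag also carries a stray colon after the tag name; the usual form is `@deprecated 3.3.0-dev (To be removed: 4.0.0)` so documentation tools parse the version.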


@@ -1124,6 +1124,9 @@ function parse_attachments($forum_id, &$message, &$attachments, &$update_count_a
$storage_attachment = $phpbb_container->get('storage.attachment');
/** @var \phpbb\controller\helper */
$controller_helper = $phpbb_container->get('controller.helper');
//
$compiled_attachments = array();
@@ -1283,15 +1286,14 @@ function parse_attachments($forum_id, &$message, &$attachments, &$update_count_a
$display_cat = ATTACHMENT_CATEGORY_NONE;
}
$download_link = append_sid("{$phpbb_root_path}download/file.$phpEx", 'id=' . $attachment['attach_id']);
$download_link = $controller_helper->route('phpbb_storage_attachment', ['file' => (int) $attachment['attach_id']]);
$l_downloaded_viewed = 'VIEWED_COUNTS';
switch ($display_cat)
{
// Images
case ATTACHMENT_CATEGORY_IMAGE:
$inline_link = append_sid("{$phpbb_root_path}download/file.$phpEx", 'id=' . $attachment['attach_id']);
$download_link .= '&amp;mode=view';
$inline_link = $controller_helper->route('phpbb_storage_attachment', ['file' => (int) $attachment['attach_id']]);
$block_array += array(
'S_IMAGE' => true,
@@ -1303,8 +1305,7 @@ function parse_attachments($forum_id, &$message, &$attachments, &$update_count_a
// Images, but display Thumbnail
case ATTACHMENT_CATEGORY_THUMB:
$thumbnail_link = append_sid("{$phpbb_root_path}download/file.$phpEx", 'id=' . $attachment['attach_id'] . '&amp;t=1');
$download_link .= '&amp;mode=view';
$thumbnail_link = $controller_helper->route('phpbb_storage_attachment', ['file' => (int) $attachment['attach_id'], 't' => 1]);
$block_array += array(
'S_THUMBNAIL' => true,
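Review bot: The annotation `/** @var \phpbb\controller\helper */` above `$controller_helper = $phpbb_container->get('controller.helper');` names no variable, so static analysers attach it to nothing; write it as `/** @var \phpbb\controller\helper $controller_helper */`, the form used in the acp_users.php and ucp_attachments.php hunks of this commit. In the ATTACHMENT_CATEGORY_IMAGE case, `$inline_link` is now built from exactly the same `route()` call as `$download_link` a few lines above, so `$inline_link = $download_link;` states the intent and avoids generating the URL twice. parse_attachments() starts and ends outside these hunks.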


@@ -1,738 +0,0 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
/**
* @ignore
*/
if (!defined('IN_PHPBB'))
{
exit;
}
/**
* A simplified function to deliver avatars
* The argument needs to be checked before calling this function.
*/
function send_avatar_to_browser($file, $browser)
{
global $config, $phpbb_container;
$storage = $phpbb_container->get('storage.avatar');
$prefix = $config['avatar_salt'] . '_';
$file_path = $prefix . $file;
if ($storage->exists($file_path) && !headers_sent())
{
$file_info = $storage->file_info($file_path);
header('Cache-Control: public');
try
{
header('Content-Type: ' . $file_info->mimetype);
}
catch (\phpbb\storage\exception\exception $e)
{
// Just don't send this header
}
if ((strpos(strtolower($browser), 'msie') !== false) && !phpbb_is_greater_ie_version($browser, 7))
{
header('Content-Disposition: attachment; ' . header_filename($file));
if (strpos(strtolower($browser), 'msie 6.0') !== false)
{
header('Expires: ' . gmdate('D, d M Y H:i:s', time()) . ' GMT');
}
else
{
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 31536000) . ' GMT');
}
}
else
{
header('Content-Disposition: inline; ' . header_filename($file));
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 31536000) . ' GMT');
}
try
{
header('Content-Length: ' . $file_info->size);
}
catch (\phpbb\storage\exception\exception $e)
{
// Just don't send this header
}
try
{
$fp = $storage->read_stream($file_path);
$output = fopen('php://output', 'w+b');
stream_copy_to_stream($fp, $output);
fclose($fp);
fclose($output);
}
catch (\Exception $e)
{
// Send nothing
}
flush();
}
else
{
header('HTTP/1.0 404 Not Found');
}
}
/**
* Wraps an url into a simple html page. Used to display attachments in IE.
* this is a workaround for now; might be moved to template system later
* direct any complaints to 1 Microsoft Way, Redmond
*/
function wrap_img_in_html($src, $title)
{
echo '<!DOCTYPE html>';
echo '<html>';
echo '<head>';
echo '<meta charset="utf-8">';
echo '<meta http-equiv="X-UA-Compatible" content="IE=edge">';
echo '<title>' . $title . '</title>';
echo '</head>';
echo '<body>';
echo '<div>';
echo '<img src="' . $src . '" alt="' . $title . '" />';
echo '</div>';
echo '</body>';
echo '</html>';
}
/**
* Send file to browser
*/
function send_file_to_browser($attachment, $category)
{
global $user, $db, $phpbb_dispatcher, $request, $phpbb_container;
$storage = $phpbb_container->get('storage.attachment');
$filename = $attachment['physical_filename'];
if (!$storage->exists($filename))
{
send_status_line(404, 'Not Found');
trigger_error('ERROR_NO_ATTACHMENT');
}
// Correct the mime type - we force application/octetstream for all files, except images
// Please do not change this, it is a security precaution
if ($category != ATTACHMENT_CATEGORY_IMAGE || strpos($attachment['mimetype'], 'image') !== 0)
{
$attachment['mimetype'] = (strpos(strtolower($user->browser), 'msie') !== false || strpos(strtolower($user->browser), 'opera') !== false) ? 'application/octetstream' : 'application/octet-stream';
}
if (@ob_get_length())
{
@ob_end_clean();
}
// Now send the File Contents to the Browser
try
{
$file_info = $storage->file_info($filename);
$size = $file_info->size;
}
catch (\Exception $e)
{
$size = 0;
}
/**
* Event to alter attachment before it is sent to browser.
*
* @event core.send_file_to_browser_before
* @var array attachment Attachment data
* @var int category Attachment category
* @var string filename Path to file, including filename
* @var int size File size
* @since 3.1.11-RC1
*/
$vars = array(
'attachment',
'category',
'filename',
'size',
);
extract($phpbb_dispatcher->trigger_event('core.send_file_to_browser_before', compact($vars)));
// To correctly display further errors we need to make sure we are using the correct headers for both (unsetting content-length may not work)
// Check if headers already sent or not able to get the file contents.
if (headers_sent())
{
send_status_line(500, 'Internal Server Error');
trigger_error('UNABLE_TO_DELIVER_FILE');
}
// Make sure the database record for the filesize is correct
if ($size > 0 && $size != $attachment['filesize'] && strpos($attachment['physical_filename'], 'thumb_') === false)
{
// Update database record
$sql = 'UPDATE ' . ATTACHMENTS_TABLE . '
SET filesize = ' . (int) $size . '
WHERE attach_id = ' . (int) $attachment['attach_id'];
$db->sql_query($sql);
}
// Now the tricky part... let's dance
header('Cache-Control: private');
// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
header('Content-Type: ' . $attachment['mimetype']);
if (phpbb_is_greater_ie_version($user->browser, 7))
{
header('X-Content-Type-Options: nosniff');
}
if (empty($user->browser) || ((strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7)))
{
header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'], ENT_COMPAT)));
if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
{
header('Expires: ' . gmdate('D, d M Y H:i:s', time()) . ' GMT');
}
}
else
{
header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'], ENT_COMPAT)));
if (phpbb_is_greater_ie_version($user->browser, 7) && (strpos($attachment['mimetype'], 'image') !== 0))
{
header('X-Download-Options: noopen');
}
}
if (!set_modified_headers($attachment['filetime'], $user->browser))
{
if ($size)
{
header("Content-Length: $size");
}
// Try to deliver in chunks
@set_time_limit(0);
$fp = $storage->read_stream($filename);
// Close the db connection before sending the file etc.
file_gc(false);
if ($fp !== false)
{
$output = fopen('php://output', 'w+b');
stream_copy_to_stream($fp, $output);
fclose($fp);
}
flush();
}
exit;
}
/**
* Get a browser friendly UTF-8 encoded filename
*/
function header_filename($file)
{
global $request;
$user_agent = $request->header('User-Agent');
// There be dragons here.
// Not many follows the RFC...
if (strpos($user_agent, 'MSIE') !== false || strpos($user_agent, 'Konqueror') !== false)
{
return "filename=" . rawurlencode($file);
}
// follow the RFC for extended filename for the rest
return "filename*=UTF-8''" . rawurlencode($file);
}
/**
* Check if downloading item is allowed
*/
function download_allowed()
{
global $config, $user, $db, $request;
if (!$config['secure_downloads'])
{
return true;
}
$url = htmlspecialchars_decode($request->header('Referer'), ENT_COMPAT);
if (!$url)
{
return ($config['secure_allow_empty_referer']) ? true : false;
}
// Split URL into domain and script part
$url = @parse_url($url);
if ($url === false)
{
return ($config['secure_allow_empty_referer']) ? true : false;
}
$hostname = $url['host'];
unset($url);
$allowed = ($config['secure_allow_deny']) ? false : true;
$iplist = array();
if (($ip_ary = @gethostbynamel($hostname)) !== false)
{
foreach ($ip_ary as $ip)
{
if ($ip)
{
$iplist[] = $ip;
}
}
}
// Check for own server...
$server_name = $user->host;
// Forcing server vars is the only way to specify/override the protocol
if ($config['force_server_vars'] || !$server_name)
{
$server_name = $config['server_name'];
}
if (preg_match('#^.*?' . preg_quote($server_name, '#') . '.*?$#i', $hostname))
{
$allowed = true;
}
// Get IP's and Hostnames
if (!$allowed)
{
$sql = 'SELECT site_ip, site_hostname, ip_exclude
FROM ' . SITELIST_TABLE;
$result = $db->sql_query($sql);
while ($row = $db->sql_fetchrow($result))
{
$site_ip = trim($row['site_ip']);
$site_hostname = trim($row['site_hostname']);
if ($site_ip)
{
foreach ($iplist as $ip)
{
if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_ip, '#')) . '$#i', $ip))
{
if ($row['ip_exclude'])
{
$allowed = ($config['secure_allow_deny']) ? false : true;
break 2;
}
else
{
$allowed = ($config['secure_allow_deny']) ? true : false;
}
}
}
}
if ($site_hostname)
{
if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_hostname, '#')) . '$#i', $hostname))
{
if ($row['ip_exclude'])
{
$allowed = ($config['secure_allow_deny']) ? false : true;
break;
}
else
{
$allowed = ($config['secure_allow_deny']) ? true : false;
}
}
}
}
$db->sql_freeresult($result);
}
return $allowed;
}
/**
* Check if the browser has the file already and set the appropriate headers-
* @returns false if a resend is in order.
*/
function set_modified_headers($stamp, $browser)
{
global $request;
// let's see if we have to send the file at all
$last_load = $request->header('If-Modified-Since') ? strtotime(trim($request->header('If-Modified-Since'))) : false;
if (strpos(strtolower($browser), 'msie 6.0') === false && !phpbb_is_greater_ie_version($browser, 7))
{
if ($last_load !== false && $last_load >= $stamp)
{
send_status_line(304, 'Not Modified');
// seems that we need those too ... browsers
header('Cache-Control: private');
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 31536000) . ' GMT');
return true;
}
else
{
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $stamp) . ' GMT');
}
}
return false;
}
/**
* Garbage Collection
*
* @param bool $exit Whether to die or not.
*
* @return null
*/
function file_gc($exit = true)
{
global $cache, $db;
if (!empty($cache))
{
$cache->unload();
}
$db->sql_close();
if ($exit)
{
exit;
}
}
/**
* HTTP range support (RFC 2616 Section 14.35)
*
* Allows browsers to request partial file content
* in case a download has been interrupted.
*
* @param int $filesize the size of the file in bytes we are about to deliver
*
* @return mixed false if the whole file has to be delivered
* associative array on success
*/
function phpbb_http_byte_range($filesize)
{
// Only call find_range_request() once.
static $request_array;
if (!$filesize)
{
return false;
}
if (!isset($request_array))
{
$request_array = phpbb_find_range_request();
}
return (empty($request_array)) ? false : phpbb_parse_range_request($request_array, $filesize);
}
/**
* Searches for HTTP range request in request headers.
*
* @return mixed false if no request found
* array of strings containing the requested ranges otherwise
* e.g. array(0 => '0-0', 1 => '123-125')
*/
function phpbb_find_range_request()
{
global $request;
$value = $request->header('Range');
// Make sure range request starts with "bytes="
if (strpos($value, 'bytes=') === 0)
{
// Strip leading 'bytes='
// Multiple ranges can be separated by a comma
return explode(',', substr($value, 6));
}
return false;
}
/**
* Analyses a range request array.
*
* A range request can contain multiple ranges,
* we however only handle the first request and
* only support requests from a given byte to the end of the file.
*
* @param array $request_array array of strings containing the requested ranges
* @param int $filesize the full size of the file in bytes that has been requested
*
* @return mixed false if the whole file has to be delivered
* associative array on success
* byte_pos_start the first byte position, can be passed to fseek()
* byte_pos_end the last byte position
* bytes_requested the number of bytes requested
* bytes_total the full size of the file
*/
function phpbb_parse_range_request($request_array, $filesize)
{
$first_byte_pos = -1;
$last_byte_pos = -1;
// Go through all ranges
foreach ($request_array as $range_string)
{
$range = explode('-', trim($range_string));
// "-" is invalid, "0-0" however is valid and means the very first byte.
if (count($range) != 2 || $range[0] === '' && $range[1] === '')
{
continue;
}
// Substitute defaults
if ($range[0] === '')
{
$range[0] = 0;
}
if ($range[1] === '')
{
$range[1] = $filesize - 1;
}
if ($last_byte_pos >= 0 && $last_byte_pos + 1 != $range[0])
{
// We only support contiguous ranges, no multipart stuff :(
return false;
}
if ($range[1] && $range[1] < $range[0])
{
// The requested range contains 0 bytes.
continue;
}
// Return bytes from $range[0] to $range[1]
if ($first_byte_pos < 0)
{
$first_byte_pos = (int) $range[0];
}
$last_byte_pos = (int) $range[1];
if ($first_byte_pos >= $filesize)
{
// Requested range not satisfiable
return false;
}
// Adjust last-byte-pos if it is absent or greater than the content.
if ($range[1] === '' || $last_byte_pos >= $filesize)
{
$last_byte_pos = $filesize - 1;
}
}
if ($first_byte_pos < 0 || $last_byte_pos < 0)
{
return false;
}
return array(
'byte_pos_start' => $first_byte_pos,
'byte_pos_end' => $last_byte_pos,
'bytes_requested' => $last_byte_pos - $first_byte_pos + 1,
'bytes_total' => $filesize,
);
}
/**
* Increments the download count of all provided attachments
*
* @param \phpbb\db\driver\driver_interface $db The database object
* @param array|int $ids The attach_id of each attachment
*
* @return null
*/
function phpbb_increment_downloads($db, $ids)
{
if (!is_array($ids))
{
$ids = array($ids);
}
$sql = 'UPDATE ' . ATTACHMENTS_TABLE . '
SET download_count = download_count + 1
WHERE ' . $db->sql_in_set('attach_id', $ids);
$db->sql_query($sql);
}
/**
* Handles authentication when downloading attachments from a post or topic
*
* @param \phpbb\db\driver\driver_interface $db The database object
* @param \phpbb\auth\auth $auth The authentication object
* @param int $topic_id The id of the topic that we are downloading from
*
* @return null
*/
function phpbb_download_handle_forum_auth($db, $auth, $topic_id)
{
global $phpbb_container;
$sql_array = array(
'SELECT' => 't.topic_visibility, t.forum_id, f.forum_name, f.forum_password, f.parent_id',
'FROM' => array(
TOPICS_TABLE => 't',
FORUMS_TABLE => 'f',
),
'WHERE' => 't.topic_id = ' . (int) $topic_id . '
AND t.forum_id = f.forum_id',
);
$sql = $db->sql_build_query('SELECT', $sql_array);
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
$phpbb_content_visibility = $phpbb_container->get('content.visibility');
if ($row && !$phpbb_content_visibility->is_visible('topic', $row['forum_id'], $row))
{
send_status_line(404, 'Not Found');
trigger_error('ERROR_NO_ATTACHMENT');
}
else if ($row && $auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
{
if ($row['forum_password'])
{
// Do something else ... ?
login_forum_box($row);
}
}
else
{
send_status_line(403, 'Forbidden');
trigger_error('SORRY_AUTH_VIEW_ATTACH');
}
}
/**
* Handles authentication when downloading attachments from PMs
*
* @param \phpbb\db\driver\driver_interface $db The database object
* @param \phpbb\auth\auth $auth The authentication object
* @param int $user_id The user id
* @param int $msg_id The id of the PM that we are downloading from
*
* @return null
*/
function phpbb_download_handle_pm_auth($db, $auth, $user_id, $msg_id)
{
global $phpbb_dispatcher;
if (!$auth->acl_get('u_pm_download'))
{
send_status_line(403, 'Forbidden');
trigger_error('SORRY_AUTH_VIEW_ATTACH');
}
$allowed = phpbb_download_check_pm_auth($db, $user_id, $msg_id);
/**
* Event to modify PM attachments download auth
*
* @event core.modify_pm_attach_download_auth
* @var bool allowed Whether the user is allowed to download from that PM or not
* @var int msg_id The id of the PM to download from
* @var int user_id The user id for auth check
* @since 3.1.11-RC1
*/
$vars = array('allowed', 'msg_id', 'user_id');
extract($phpbb_dispatcher->trigger_event('core.modify_pm_attach_download_auth', compact($vars)));
if (!$allowed)
{
send_status_line(403, 'Forbidden');
trigger_error('ERROR_NO_ATTACHMENT');
}
}
/**
* Checks whether a user can download from a particular PM
*
* @param \phpbb\db\driver\driver_interface $db The database object
* @param int $user_id The user id
* @param int $msg_id The id of the PM that we are downloading from
*
* @return bool Whether the user is allowed to download from that PM or not
*/
function phpbb_download_check_pm_auth($db, $user_id, $msg_id)
{
// Check if the attachment is within the users scope...
$sql = 'SELECT msg_id
FROM ' . PRIVMSGS_TO_TABLE . '
WHERE msg_id = ' . (int) $msg_id . '
AND (
user_id = ' . (int) $user_id . '
OR author_id = ' . (int) $user_id . '
)';
$result = $db->sql_query_limit($sql, 1);
$allowed = (bool) $db->sql_fetchfield('msg_id');
$db->sql_freeresult($result);
return $allowed;
}
/**
* Check if the browser is internet explorer version 7+
*
* @param string $user_agent User agent HTTP header
* @param int $version IE version to check against
*
* @return bool true if internet explorer version is greater than $version
*/
function phpbb_is_greater_ie_version($user_agent, $version)
{
if (preg_match('/msie (\d+)/', strtolower($user_agent), $matches))
{
$ie_version = (int) $matches[1];
return ($ie_version > $version);
}
else
{
return false;
}
}


@@ -817,7 +817,7 @@ function posting_gen_inline_attachments(&$attachment_data)
*/
function posting_gen_attachment_entry($attachment_data, &$filename_data, $show_attach_box = true)
{
global $template, $config, $phpbb_root_path, $phpEx, $user, $phpbb_dispatcher;
global $template, $config, $phpbb_root_path, $phpEx, $user, $phpbb_dispatcher, $phpbb_container;
// Some default template variables
$template->assign_vars(array(
@@ -845,7 +845,7 @@ function posting_gen_attachment_entry($attachment_data, &$filename_data, $show_a
$hidden .= '<input type="hidden" name="attachment_data[' . $count . '][' . $key . ']" value="' . $value . '" />';
}
$download_link = append_sid("{$phpbb_root_path}download/file.$phpEx", 'mode=view&amp;id=' . (int) $attach_row['attach_id'], true, ($attach_row['is_orphan']) ? $user->session_id : false);
$download_link = $phpbb_container->get('controller.helper')->route('phpbb_storage_attachment', ['file' => (int) $attach_row['attach_id']]);
$attachrow_template_vars[(int) $attach_row['attach_id']] = array(
'FILENAME' => utf8_basename($attach_row['real_filename']),
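Review bot: The replaced `append_sid()` call passed `$user->session_id` as the SID whenever `$attach_row['is_orphan']` was set, and the new `route('phpbb_storage_attachment', ['file' => (int) $attach_row['attach_id']])` drops that argument entirely; unless the controller (not part of this chunk) authorises orphan attachments by the current session on its own, the preview link for a freshly uploaded, not-yet-posted file may no longer resolve for its uploader, so this is worth confirming against the controller's orphan handling before merge. The `$phpbb_container->get('controller.helper')` lookup also appears to sit inside the per-attachment loop (the `$count`/`$attach_row` variables suggest one); resolving the helper once before the loop, as the other files in this commit do, would read better. posting_gen_attachment_entry() ends outside the hunk.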


@@ -1073,6 +1073,7 @@ class bbcode_firstpass extends bbcode
if ($pos_domain !== false && $pos_path >= $pos_domain && $pos_ext >= $pos_path)
{
// Ok, actually we allow linking to some files (this may be able to be extended in some way later...)
// @deprecated
if (strpos($url, '/' . $check_path . '/download/file.' . $phpEx) !== 0)
{
return false;
@@ -1534,6 +1535,8 @@ class parse_message extends bbcode_firstpass
global $config, $auth, $user, $phpbb_root_path, $phpEx, $db, $request;
global $phpbb_container, $phpbb_dispatcher;
$controller_helper = $phpbb_container->get('controller.helper');
$error = array();
$num_attachments = count($this->attachment_data);
@@ -1776,7 +1779,7 @@ class parse_message extends bbcode_firstpass
if (isset($this->plupload) && $this->plupload->is_active())
{
$download_url = append_sid("{$phpbb_root_path}download/file.{$phpEx}", 'mode=view&amp;id=' . $new_entry['attach_id']);
$download_url = $controller_helper->route('phpbb_storage_attachment', ['file' => (int) $new_entry['attach_id']]);
// Send the client the attachment data to maintain state
$json_response->send(array('data' => $this->attachment_data, 'download_url' => $download_url));
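Review bot: The `// @deprecated` comment added above `if (strpos($url, '/' . $check_path . '/download/file.' . $phpEx) !== 0)` says neither what is deprecated nor what replaces it, and the check itself still recognises only the legacy `download/file.php` path, so attachment URLs that the rest of this commit now produces via `route('phpbb_storage_attachment', ...)` will presumably not pass this local-link check when a user pastes one into a post; either extend the check to the new route or spell out the consequence, e.g. `// @deprecated: only the legacy download/file.php URL is recognised here; URLs produced by the phpbb_storage_attachment route are not`. The `$controller_helper = $phpbb_container->get('controller.helper');` line in the second hunk also lacks the `/** @var helper $controller_helper */` annotation the other files in this commit add. Both enclosing methods start and end outside their hunks.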


@@ -14,6 +14,9 @@
/**
* @ignore
*/
use phpbb\controller\helper;
if (!defined('IN_PHPBB'))
{
exit;
@@ -31,6 +34,9 @@ class ucp_attachments
{
global $template, $user, $db, $config, $phpEx, $phpbb_root_path, $phpbb_container, $request, $auth;
/** @var helper $controller_helper */
$controller_helper = $phpbb_container->get('controller.helper');
$start = $request->variable('start', 0);
$sort_key = $request->variable('sk', 'a');
$sort_dir = $request->variable('sd', 'a');
@@ -179,7 +185,7 @@ class ucp_attachments
'S_IN_MESSAGE' => $row['in_message'],
'S_LOCKED' => !$row['in_message'] && !$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']),
'U_VIEW_ATTACHMENT' => append_sid("{$phpbb_root_path}download/file.$phpEx", 'id=' . $row['attach_id']),
'U_VIEW_ATTACHMENT' => $controller_helper->route('phpbb_storage_attachment', ['file' => (int) $row['attach_id']]),
'U_VIEW_TOPIC' => $view_topic)
);