mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-02-23 11:28:33 +01:00
Code Issues Releases Wiki Activity

[ticket/12171] Check post visibility before being able to download attachments

Browse Source 
PHPBB3-12171
This commit is contained in:
Joas Schilling 2014-02-08 16:11:37 +01:00
parent e4129687cb
commit c36b1c16f9
1 changed files with 49 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
phpBB/download/file.php
View File

@ -246,6 +246,20 @@ else if ($download_id)
if (!$attachment['in_message'])
{
phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']);
$sql = 'SELECT forum_id, post_visibility
FROM ' . POSTS_TABLE . '
WHERE post_id = ' . (int) $attachment['post_msg_id'];
$result = $db->sql_query($sql);
$post_row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
if (!$post_row || ($post_row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $post_row['forum_id'])))
{
// Attachment of a soft deleted post and the user is not allowed to see the post
send_status_line(403, 'Forbidden');
trigger_error('ERROR_NO_ATTACHMENT');
}
}
else
{
@ -334,6 +348,7 @@ else
$archive = '.tar';
}
$post_visibility = array();
if ($msg_id)
{
$sql = 'SELECT message_subject AS attach_subject
@ -342,12 +357,23 @@ else
}
else if ($post_id)
{
$sql = 'SELECT post_subject AS attach_subject, forum_id
$sql = 'SELECT post_subject AS attach_subject, forum_id, post_visibility
FROM ' . POSTS_TABLE . "
WHERE post_id = $post_id";
}
else
{
$sql = 'SELECT post_id, post_visibility
FROM ' . POSTS_TABLE . "
WHERE topic_id = $topic_id
AND post_attachment = 1";
$result = $db->sql_query($sql);
while ($row = $db->sql_fetchrow($result))
{
$post_visibility[(int) $row['post_id']] = (int) $row['post_visibility'];
}
$db->sql_freeresult($result);
$sql = 'SELECT topic_title AS attach_subject, forum_id
FROM ' . TOPICS_TABLE . "
WHERE topic_id = $topic_id";
@ -382,13 +408,25 @@ else
$extensions = array();
$files_added = 0;
$forum_id = ($attachment['in_message']) ? false : (int) $row['forum_id'];
$disallowed = array();
$disallowed_extension = array();
foreach ($attachments as $attach)
{
if (!extension_allowed($forum_id, $attach['extension'], $extensions))
{
$disallowed[$attach['extension']] = $attach['extension'];
$disallowed_extension[$attach['extension']] = $attach['extension'];
continue;
}
if ($post_id && $row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $forum_id))
{
// Attachment of a soft deleted post and the user is not allowed to see the post
continue;
}
if ($topic_id && (!isset($post_visibility[$attach['post_msg_id']]) || $post_visibility[$attach['post_msg_id']] != ITEM_APPROVED) && !$auth->acl_get('m_approve', $forum_id))
{
// Attachment of a soft deleted post and the user is not allowed to see the post
continue;
}
@ -412,12 +450,17 @@ else
unlink($archive_path);
if (!$files_added)
if (!$files_added && !empty($disallowed_extension))
{
// None of the attachments had a valid extension
$disallowed = implode($user->lang['COMMA_SEPARATOR'], $disallowed);
$disallowed_extension = implode($user->lang['COMMA_SEPARATOR'], $disallowed_extension);
send_status_line(404, 'Forbidden');
trigger_error($user->lang('EXTENSION_DISABLED_AFTER_POSTING', $disallowed));
trigger_error($user->lang('EXTENSION_DISABLED_AFTER_POSTING', $disallowed_extension));
}
else if (!$files_added)
{
send_status_line(403, 'Forbidden');
trigger_error('ERROR_NO_ATTACHMENT');
}
file_gc();