From dd069333244db94285b1619ba6be437484c19989 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20Calvo?= Date: Fri, 29 Jun 2018 18:00:11 +0200 Subject: [PATCH] [ticket/14285] Move downloads to controller PHPBB3-14285 --- .../default/container/services_storage.yml | 19 ++ phpBB/config/default/routing/routing.yml | 3 + phpBB/config/default/routing/storage.yml | 9 + phpBB/download/file.php | 316 ++---------------- phpBB/includes/functions_download.php | 77 ----- phpBB/phpbb/storage/controller/attachment.php | 237 +++++++++++++ phpBB/phpbb/storage/controller/avatar.php | 74 ++++ phpBB/phpbb/storage/controller/controller.php | 111 ++++++ 8 files changed, 479 insertions(+), 367 deletions(-) create mode 100644 phpBB/config/default/routing/storage.yml create mode 100644 phpBB/phpbb/storage/controller/attachment.php create mode 100644 phpBB/phpbb/storage/controller/avatar.php create mode 100644 phpBB/phpbb/storage/controller/controller.php diff --git a/phpBB/config/default/container/services_storage.yml b/phpBB/config/default/container/services_storage.yml index 92f31779e6..9577f52684 100644 --- a/phpBB/config/default/container/services_storage.yml +++ b/phpBB/config/default/container/services_storage.yml @@ -82,3 +82,22 @@ services: arguments: tags: - { name: storage.provider } + +# Controllers + storage.controller.avatar: + class: phpbb\storage\controller\avatar + arguments: + - '@config' + - '@storage.avatar' + + storage.controller.attachment: + class: phpbb\storage\controller\attachment + arguments: + - '@auth' + - '@cache' + - '@config' + - '@dbal.conn' + - '@dispatcher' + - '@request' + - '@storage.attachment' + - '@user' diff --git a/phpBB/config/default/routing/routing.yml b/phpBB/config/default/routing/routing.yml index a5e9265dc3..daf8ec7002 100644 --- a/phpBB/config/default/routing/routing.yml +++ b/phpBB/config/default/routing/routing.yml @@ -30,3 +30,6 @@ phpbb_report_routing: phpbb_ucp_routing: resource: ucp.yml prefix: /user + +phpbb_storage_routing: + resource: storage.yml diff --git a/phpBB/config/default/routing/storage.yml b/phpBB/config/default/routing/storage.yml new file mode 100644 index 0000000000..a793aa8a6f --- /dev/null +++ b/phpBB/config/default/routing/storage.yml @@ -0,0 +1,9 @@ +phpbb_storage_avatar: + path: /download/avatar/{file} + defaults: + _controller: storage.controller.avatar:handle + +phpbb_storage_attachment: + path: /download/attachment/{file} + defaults: + _controller: storage.controller.attachment:handle diff --git a/phpBB/download/file.php b/phpBB/download/file.php index 6b0b577489..bca13ba45d 100644 --- a/phpBB/download/file.php +++ b/phpBB/download/file.php @@ -11,310 +11,46 @@ * */ +use Symfony\Component\HttpFoundation\RedirectResponse; + /** * @ignore */ define('IN_PHPBB', true); $phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../'; $phpEx = substr(strrchr(__FILE__, '.'), 1); +include($phpbb_root_path . 'common.' . $phpEx); -// Thank you sun. -if (isset($_SERVER['CONTENT_TYPE'])) -{ - if ($_SERVER['CONTENT_TYPE'] === 'application/x-java-archive') - { - exit; - } -} -else if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'Java') !== false) -{ - exit; -} +// Start session management +$user->session_begin(); +$auth->acl($user->data); + +/** @var \phpbb\controller\helper $controller_helper */ +$controller_helper = $phpbb_container->get('controller.helper'); if (isset($_GET['avatar'])) { - require($phpbb_root_path . 'includes/startup.' . $phpEx); + $response = new RedirectResponse( + $controller_helper->route('phpbb_storage_avatar', array( + 'file' => $request->variable('avatar', ''), + )), + 301 + ); + $response->send(); - require($phpbb_root_path . 'phpbb/class_loader.' . $phpEx); - $phpbb_class_loader = new \phpbb\class_loader('phpbb\\', "{$phpbb_root_path}phpbb/", $phpEx); - $phpbb_class_loader->register(); - - $phpbb_config_php_file = new \phpbb\config_php_file($phpbb_root_path, $phpEx); - extract($phpbb_config_php_file->get_all()); - - if (!defined('PHPBB_ENVIRONMENT')) - { - @define('PHPBB_ENVIRONMENT', 'production'); - } - - if (!defined('PHPBB_INSTALLED') || empty($dbms) || empty($acm_type)) - { - exit; - } - - require($phpbb_root_path . 'includes/constants.' . $phpEx); - require($phpbb_root_path . 'includes/functions.' . $phpEx); - require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx); - require($phpbb_root_path . 'includes/utf/utf_tools.' . $phpEx); - - // Setup class loader first - $phpbb_class_loader_ext = new \phpbb\class_loader('\\', "{$phpbb_root_path}ext/", $phpEx); - $phpbb_class_loader_ext->register(); - - // Set up container - $phpbb_container_builder = new \phpbb\di\container_builder($phpbb_root_path, $phpEx); - $phpbb_container = $phpbb_container_builder->with_config($phpbb_config_php_file)->get_container(); - - $phpbb_class_loader->set_cache($phpbb_container->get('cache.driver')); - $phpbb_class_loader_ext->set_cache($phpbb_container->get('cache.driver')); - - // set up caching - /* @var $cache \phpbb\cache\service */ - $cache = $phpbb_container->get('cache'); - - /* @var $phpbb_dispatcher \phpbb\event\dispatcher */ - $phpbb_dispatcher = $phpbb_container->get('dispatcher'); - - /* @var $request \phpbb\request\request_interface */ - $request = $phpbb_container->get('request'); - - /* @var $db \phpbb\db\driver\driver_interface */ - $db = $phpbb_container->get('dbal.conn'); - - /* @var $phpbb_log \phpbb\log\log_interface */ - $phpbb_log = $phpbb_container->get('log'); - - unset($dbpasswd); - - /* @var $config \phpbb\config\config */ - $config = $phpbb_container->get('config'); - - // load extensions - /* @var $phpbb_extension_manager \phpbb\extension\manager */ - $phpbb_extension_manager = $phpbb_container->get('ext.manager'); - - // worst-case default - $browser = strtolower($request->header('User-Agent', 'msie 6.0')); - - /* @var $phpbb_avatar_manager \phpbb\avatar\manager */ - $phpbb_avatar_manager = $phpbb_container->get('avatar.manager'); - - if (@is_file($phpbb_root_path . $config['exts_composer_vendor_dir'] . '/autoload.php')) - { - require_once($phpbb_root_path . $config['exts_composer_vendor_dir'] . '/autoload.php'); - } - - $filename = $request->variable('avatar', ''); - $avatar_group = false; - $exit = false; - - if (isset($filename[0]) && $filename[0] === 'g') - { - $avatar_group = true; - $filename = substr($filename, 1); - } - - // '==' is not a bug - . as the first char is as bad as no dot at all - if (strpos($filename, '.') == false) - { - send_status_line(403, 'Forbidden'); - $exit = true; - } - - if (!$exit) - { - $ext = substr(strrchr($filename, '.'), 1); - $stamp = (int) substr(stristr($filename, '_'), 1); - $filename = (int) $filename; - $exit = set_modified_headers($stamp, $browser); - } - if (!$exit && !in_array($ext, array('png', 'gif', 'jpg', 'jpeg'))) - { - // no way such an avatar could exist. They are not following the rules, stop the show. - send_status_line(403, 'Forbidden'); - $exit = true; - } - - - if (!$exit) - { - if (!$filename) - { - // no way such an avatar could exist. They are not following the rules, stop the show. - send_status_line(403, 'Forbidden'); - } - else - { - send_avatar_to_browser(($avatar_group ? 'g' : '') . $filename . '.' . $ext, $browser); - } - } - file_gc(); + exit; } -// implicit else: we are not in avatar mode -include($phpbb_root_path . 'common.' . $phpEx); -require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx); - $attach_id = $request->variable('id', 0); $mode = $request->variable('mode', ''); $thumbnail = $request->variable('t', false); -// Start session management, do not update session page. -$user->session_begin(false); -$auth->acl($user->data); -$user->setup('viewtopic'); - -$phpbb_content_visibility = $phpbb_container->get('content.visibility'); - -if (!$config['allow_attachments'] && !$config['allow_pm_attach']) -{ - send_status_line(404, 'Not Found'); - trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED'); -} - -if (!$attach_id) -{ - send_status_line(404, 'Not Found'); - trigger_error('NO_ATTACHMENT_SELECTED'); -} - -$sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, poster_id, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime - FROM ' . ATTACHMENTS_TABLE . " - WHERE attach_id = $attach_id"; -$result = $db->sql_query($sql); -$attachment = $db->sql_fetchrow($result); -$db->sql_freeresult($result); - -if (!$attachment) -{ - send_status_line(404, 'Not Found'); - trigger_error('ERROR_NO_ATTACHMENT'); -} -else if (!download_allowed()) -{ - send_status_line(403, 'Forbidden'); - trigger_error($user->lang['LINKAGE_FORBIDDEN']); -} -else -{ - $attachment['physical_filename'] = utf8_basename($attachment['physical_filename']); - - if (!$attachment['in_message'] && !$config['allow_attachments'] || $attachment['in_message'] && !$config['allow_pm_attach']) - { - send_status_line(404, 'Not Found'); - trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED'); - } - - if ($attachment['is_orphan']) - { - // We allow admins having attachment permissions to see orphan attachments... - $own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false; - - if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download'))) - { - send_status_line(404, 'Not Found'); - trigger_error('ERROR_NO_ATTACHMENT'); - } - - // Obtain all extensions... - $extensions = $cache->obtain_attach_extensions(true); - } - else - { - if (!$attachment['in_message']) - { - phpbb_download_handle_forum_auth($db, $auth, $attachment['topic_id']); - - $sql = 'SELECT forum_id, post_visibility - FROM ' . POSTS_TABLE . ' - WHERE post_id = ' . (int) $attachment['post_msg_id']; - $result = $db->sql_query($sql); - $post_row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if (!$post_row || !$phpbb_content_visibility->is_visible('post', $post_row['forum_id'], $post_row)) - { - // Attachment of a soft deleted post and the user is not allowed to see the post - send_status_line(404, 'Not Found'); - trigger_error('ERROR_NO_ATTACHMENT'); - } - } - else - { - // Attachment is in a private message. - $post_row = array('forum_id' => false); - phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']); - } - - $extensions = array(); - if (!extension_allowed($post_row['forum_id'], $attachment['extension'], $extensions)) - { - send_status_line(403, 'Forbidden'); - trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension'])); - } - } - - $display_cat = $extensions[$attachment['extension']]['display_cat']; - - if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg')) - { - $display_cat = ATTACHMENT_CATEGORY_NONE; - } - - if ($thumbnail) - { - $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename']; - } - else if ($display_cat == ATTACHMENT_CATEGORY_NONE && !$attachment['is_orphan'] && !phpbb_http_byte_range($attachment['filesize'])) - { - // Update download count - phpbb_increment_downloads($db, $attachment['attach_id']); - } - - $redirect = ''; - - /** - * Event to modify data before sending file to browser - * - * @event core.download_file_send_to_browser_before - * @var int attach_id The attachment ID - * @var array attachment Array with attachment data - * @var int display_cat Attachment category - * @var array extensions Array with file extensions data - * @var string mode Download mode - * @var bool thumbnail Flag indicating if the file is a thumbnail - * @var string redirect Do a redirection instead of reading the file - * @since 3.1.6-RC1 - * @changed 3.1.7-RC1 Fixing wrong name of a variable (replacing "extension" by "extensions") - * @changed 3.3.0-a1 Add redirect variable - */ - $vars = array( - 'attach_id', - 'attachment', - 'display_cat', - 'extensions', - 'mode', - 'thumbnail', - 'redirect', - ); - extract($phpbb_dispatcher->trigger_event('core.download_file_send_to_browser_before', compact($vars))); - - if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && (strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7)) - { - wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']); - file_gc(); - } - else - { - if (!empty($redirect)) - { - redirect($redirect, false, true); - } - else - { - send_file_to_browser($attachment, $display_cat); - } - - file_gc(); - } -} +$response = new RedirectResponse( + $controller_helper->route('phpbb_storage_attachment', array( + 'file' => $attach_id, + 'mode' => $mode, + 't' => $thumbnail, + )), + 301 +); +$response->send(); diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php index 3dcfb4cc98..bda01c2944 100644 --- a/phpBB/includes/functions_download.php +++ b/phpBB/includes/functions_download.php @@ -19,83 +19,6 @@ if (!defined('IN_PHPBB')) exit; } -/** -* A simplified function to deliver avatars -* The argument needs to be checked before calling this function. -*/ -function send_avatar_to_browser($file, $browser) -{ - global $config, $phpbb_container; - - $storage = $phpbb_container->get('storage.avatar'); - - $prefix = $config['avatar_salt'] . '_'; - $file_path = $prefix . $file; - - if ($storage->exists($file_path) && !headers_sent()) - { - $file_info = $storage->file_info($file_path); - - header('Cache-Control: public'); - - try - { - header('Content-Type: ' . $file_info->mimetype); - } - catch (\phpbb\storage\exception\exception $e) - { - // Just don't send this header - } - - if ((strpos(strtolower($browser), 'msie') !== false) && !phpbb_is_greater_ie_version($browser, 7)) - { - header('Content-Disposition: attachment; ' . header_filename($file)); - - if (strpos(strtolower($browser), 'msie 6.0') !== false) - { - header('Expires: ' . gmdate('D, d M Y H:i:s', time()) . ' GMT'); - } - else - { - header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 31536000) . ' GMT'); - } - } - else - { - header('Content-Disposition: inline; ' . header_filename($file)); - header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 31536000) . ' GMT'); - } - - try - { - header('Content-Length: ' . $file_info->size); - } - catch (\phpbb\storage\exception\exception $e) - { - // Just don't send this header - } - - try - { - $fp = $storage->read_stream($file_path); - $output = fopen('php://output', 'w+b'); - stream_copy_to_stream($fp, $output); - fclose($fp); - fclose($output); - } - catch (\Exception $e) - { - // Send nothing - } - - flush(); - } - else - { - header('HTTP/1.0 404 Not Found'); - } -} - /** * Wraps an url into a simple html page. Used to display attachments in IE. * this is a workaround for now; might be moved to template system later diff --git a/phpBB/phpbb/storage/controller/attachment.php b/phpBB/phpbb/storage/controller/attachment.php new file mode 100644 index 0000000000..ca03af096c --- /dev/null +++ b/phpBB/phpbb/storage/controller/attachment.php @@ -0,0 +1,237 @@ + + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb\storage\controller; + +use phpbb\auth\auth; +use phpbb\cache\service; +use phpbb\config\config; +use phpbb\db\driver\driver_interface; +use phpbb\event\dispatcher; +use phpbb\request\request; +use phpbb\storage\storage; +use phpbb\user; + +class attachment extends controller +{ + /** @var auth */ + protected $auth; + + /** @var service */ + protected $cache; + + /** @var config */ + protected $config; + + /** @var driver_interface */ + protected $db; + + /** @var dispatcher */ + protected $phpbb_dispatcher; + + /** @var request */ + protected $request; + + /** @var storage */ + protected $storage; + + /** @var user */ + protected $user; + + public function __construct(auth $auth, service $cache, config $config, driver_interface $db, dispatcher $phpbb_dispatcher, request $request, storage $storage, user $user) + { + $this->auth = $auth; + $this->cache = $cache; + $this->config = $config; + $this->db = $db; + $this->phpbb_dispatcher = $phpbb_dispatcher; + $this->request = $request; + $this->storage = $storage; + $this->user = $user; + } + + public function handle($file) + { + global $phpbb_root_path, $phpEx, $phpbb_container; + require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx); + + $attach_id = $file; + $mode = $this->request->variable('mode', ''); + $thumbnail = $this->request->variable('t', false); + + // Start session management, do not update session page. + $this->user->session_begin(false); + $this->auth->acl($this->user->data); + $this->user->setup('viewtopic'); + + $phpbb_content_visibility = $phpbb_container->get('content.visibility'); + + if (!$this->config['allow_attachments'] && !$this->config['allow_pm_attach']) + { + send_status_line(404, 'Not Found'); + trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED'); + } + + if (!$attach_id) + { + send_status_line(404, 'Not Found'); + trigger_error('NO_ATTACHMENT_SELECTED'); + } + + $sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, poster_id, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime + FROM ' . ATTACHMENTS_TABLE . " + WHERE attach_id = $attach_id"; + $result = $this->db->sql_query($sql); + $attachment = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); + + if (!$attachment) + { + send_status_line(404, 'Not Found'); + trigger_error('ERROR_NO_ATTACHMENT'); + } + else if (!download_allowed()) + { + send_status_line(403, 'Forbidden'); + trigger_error($user->lang['LINKAGE_FORBIDDEN']); + } + else + { + $attachment['physical_filename'] = utf8_basename($attachment['physical_filename']); + + if (!$attachment['in_message'] && !$this->config['allow_attachments'] || $attachment['in_message'] && !$this->config['allow_pm_attach']) + { + send_status_line(404, 'Not Found'); + trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED'); + } + + if ($attachment['is_orphan']) + { + // We allow admins having attachment permissions to see orphan attachments... + $own_attachment = ($this->auth->acl_get('a_attach') || $attachment['poster_id'] == $this->user->data['user_id']) ? true : false; + + if (!$own_attachment || ($attachment['in_message'] && !$this->auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$this->auth->acl_get('u_download'))) + { + send_status_line(404, 'Not Found'); + trigger_error('ERROR_NO_ATTACHMENT'); + } + + // Obtain all extensions... + $extensions = $this->cache->obtain_attach_extensions(true); + } + else + { + if (!$attachment['in_message']) + { + phpbb_download_handle_forum_auth($this->db, $this->auth, $attachment['topic_id']); + + $sql = 'SELECT forum_id, post_visibility + FROM ' . POSTS_TABLE . ' + WHERE post_id = ' . (int) $attachment['post_msg_id']; + $result = $this->db->sql_query($sql); + $post_row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); + + if (!$post_row || !$phpbb_content_visibility->is_visible('post', $post_row['forum_id'], $post_row)) + { + // Attachment of a soft deleted post and the user is not allowed to see the post + send_status_line(404, 'Not Found'); + trigger_error('ERROR_NO_ATTACHMENT'); + } + } + else + { + // Attachment is in a private message. + $post_row = array('forum_id' => false); + phpbb_download_handle_pm_auth($this->db, $this->auth, $this->user->data['user_id'], $attachment['post_msg_id']); + } + + $extensions = array(); + if (!extension_allowed($post_row['forum_id'], $attachment['extension'], $extensions)) + { + send_status_line(403, 'Forbidden'); + trigger_error(sprintf($this->user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension'])); + } + } + + $display_cat = $extensions[$attachment['extension']]['display_cat']; + + if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$this->user->optionget('viewimg')) + { + $display_cat = ATTACHMENT_CATEGORY_NONE; + } + + if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$this->user->optionget('viewflash')) + { + $display_cat = ATTACHMENT_CATEGORY_NONE; + } + + if ($thumbnail) + { + $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename']; + } + else if ($display_cat == ATTACHMENT_CATEGORY_NONE && !$attachment['is_orphan'] && !phpbb_http_byte_range($attachment['filesize'])) + { + // Update download count + phpbb_increment_downloads($this->db, $attachment['attach_id']); + } + + $redirect = ''; + + /** + * Event to modify data before sending file to browser + * + * @event core.download_file_send_to_browser_before + * @var int attach_id The attachment ID + * @var array attachment Array with attachment data + * @var int display_cat Attachment category + * @var array extensions Array with file extensions data + * @var string mode Download mode + * @var bool thumbnail Flag indicating if the file is a thumbnail + * @var string redirect Do a redirection instead of reading the file + * @since 3.1.6-RC1 + * @changed 3.1.7-RC1 Fixing wrong name of a variable (replacing "extension" by "extensions") + * @changed 3.3.0-a1 Add redirect variable + */ + $vars = array( + 'attach_id', + 'attachment', + 'display_cat', + 'extensions', + 'mode', + 'thumbnail', + 'redirect', + ); + extract($this->phpbb_dispatcher->trigger_event('core.download_file_send_to_browser_before', compact($vars))); + + if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && (strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7)) + { + wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']); + file_gc(); + } + else + { + if (!empty($redirect)) + { + redirect($redirect, false, true); + } + else + { + send_file_to_browser($attachment, $display_cat); + } + + file_gc(); + } + } + } +} diff --git a/phpBB/phpbb/storage/controller/avatar.php b/phpBB/phpbb/storage/controller/avatar.php new file mode 100644 index 0000000000..1285f110d9 --- /dev/null +++ b/phpBB/phpbb/storage/controller/avatar.php @@ -0,0 +1,74 @@ + + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb\storage\controller; + +use phpbb\config\config; +use phpbb\storage\storage; + +class avatar extends controller +{ + /** @var config */ + protected $config; + + protected $allowed_extensions = ['png', 'gif', 'jpg', 'jpeg']; + + public function __construct(config $config, storage $storage) + { + $this->config = $config; + $this->storage = $storage; + } + + public function handle($file) + { + $file = $this->decode_avatar_filename($file); + + parent::handle($file); + } + + protected function is_allowed($file) + { + $ext = substr(strrchr($file, '.'), 1); + + // If filename have point and have an allowed extension + return strpos($file, '.') && in_array($ext, $this->allowed_extensions); + } + + protected function decode_avatar_filename($file) + { + $avatar_group = false; + + if (isset($file[0]) && $file[0] === 'g') + { + $avatar_group = true; + $file = substr($file, 1); + } + + $ext = substr(strrchr($file, '.'), 1); + $file = (int) $file; + + return $this->config['avatar_salt'] . '_' . ($avatar_group ? 'g' : '') . $file . '.' . $ext; + } + + protected function send($file) + { + if (!headers_sent()) + { + header('Content-Disposition: inline; ' . header_filename($file)); + + header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 3600*24*365) . ' GMT'); + } + + parent::send($file); + } +} diff --git a/phpBB/phpbb/storage/controller/controller.php b/phpBB/phpbb/storage/controller/controller.php new file mode 100644 index 0000000000..e0da578b41 --- /dev/null +++ b/phpBB/phpbb/storage/controller/controller.php @@ -0,0 +1,111 @@ + + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb\storage\controller; + +use phpbb\storage\storage; + +class controller +{ + /** @var storage */ + protected $storage; + + public function __construct(storage $storage) + { + $this->storage = $storage; + } + + public function handle($file) + { + if (!function_exists('file_gc')) + { + global $phpbb_root_path, $phpEx; + require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx); + } + + if (!$this->is_allowed($file)) + { + send_status_line(403, 'Forbidden'); + file_gc(); + exit; + } + + if (!$this->file_exists($file)) + { + send_status_line(404, 'Not Found'); + file_gc(); + exit; + } + + $this->send($file); + } + + protected function is_allowed($file) + { + return true; + } + + protected function file_exists($file) + { + return $this->storage->exists($file); + } + + protected function send($file) + { + if (!function_exists('file_gc')) + { + global $phpbb_root_path, $phpEx; + require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx); + } + + if (!headers_sent()) + { + header('Cache-Control: public'); + + $file_info = $this->storage->file_info($file); + + try + { + header('Content-Type: ' . $file_info->mimetype); + } + catch (\phpbb\storage\exception\exception $e) + { + // Just don't send this header + } + + try + { + header('Content-Length: ' . $file_info->size); + } + catch (\phpbb\storage\exception\exception $e) + { + // Just don't send this header + } + + $fp = $this->storage->read_stream($file); + + // Close db connection + file_gc(false); + + $output = fopen('php://output', 'w+b'); + + stream_copy_to_stream($fp, $output); + + fclose($fp); + fclose($output); + + // ?? + flush(); + } + } +}