mirror of
https://github.com/phpbb/phpbb.git
synced 2025-02-24 20:13:22 +01:00
af5b9a9640
Closing tags converted using Oleg's script. remove-php-end-tags.py -a . Trailing newlines added using the following where $ext is file extension. find . -type f -name "*.$ext" -print | xargs printf "e %s\nw\n" | ed -s; Extensions: php, css, html, js, xml. PHPBB3-9556
312 lines
8.3 KiB
PHP
312 lines
8.3 KiB
PHP
<?php
|
|
/**
|
|
*
|
|
* @package phpBB3
|
|
* @version $Id$
|
|
* @copyright (c) 2005 phpBB Group
|
|
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
|
|
*
|
|
*/
|
|
|
|
/**
|
|
* @ignore
|
|
*/
|
|
define('IN_PHPBB', true);
|
|
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
|
|
$phpEx = substr(strrchr(__FILE__, '.'), 1);
|
|
|
|
|
|
// Thank you sun.
|
|
if (isset($_SERVER['CONTENT_TYPE']))
|
|
{
|
|
if ($_SERVER['CONTENT_TYPE'] === 'application/x-java-archive')
|
|
{
|
|
exit;
|
|
}
|
|
}
|
|
else if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'Java') !== false)
|
|
{
|
|
exit;
|
|
}
|
|
|
|
if (isset($_GET['avatar']))
|
|
{
|
|
if (!defined('E_DEPRECATED'))
|
|
{
|
|
define('E_DEPRECATED', 8192);
|
|
}
|
|
error_reporting(E_ALL ^ E_NOTICE ^ E_DEPRECATED);
|
|
|
|
require($phpbb_root_path . 'config.' . $phpEx);
|
|
|
|
if (!defined('PHPBB_INSTALLED') || empty($dbms) || empty($acm_type))
|
|
{
|
|
exit;
|
|
}
|
|
|
|
require($phpbb_root_path . 'includes/acm/acm_' . $acm_type . '.' . $phpEx);
|
|
require($phpbb_root_path . 'includes/cache.' . $phpEx);
|
|
require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx);
|
|
require($phpbb_root_path . 'includes/constants.' . $phpEx);
|
|
require($phpbb_root_path . 'includes/functions.' . $phpEx);
|
|
require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
|
|
|
|
$db = new $sql_db();
|
|
$cache = new cache();
|
|
|
|
// Connect to DB
|
|
if (!@$db->sql_connect($dbhost, $dbuser, $dbpasswd, $dbname, $dbport, false, false))
|
|
{
|
|
exit;
|
|
}
|
|
unset($dbpasswd);
|
|
|
|
// worst-case default
|
|
$browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0';
|
|
|
|
$config = $cache->obtain_config();
|
|
$filename = $_GET['avatar'];
|
|
$avatar_group = false;
|
|
$exit = false;
|
|
|
|
if (isset($filename[0]) && $filename[0] === 'g')
|
|
{
|
|
$avatar_group = true;
|
|
$filename = substr($filename, 1);
|
|
}
|
|
|
|
// '==' is not a bug - . as the first char is as bad as no dot at all
|
|
if (strpos($filename, '.') == false)
|
|
{
|
|
send_status_line(403, 'Forbidden');
|
|
$exit = true;
|
|
}
|
|
|
|
if (!$exit)
|
|
{
|
|
$ext = substr(strrchr($filename, '.'), 1);
|
|
$stamp = (int) substr(stristr($filename, '_'), 1);
|
|
$filename = (int) $filename;
|
|
$exit = set_modified_headers($stamp, $browser);
|
|
}
|
|
if (!$exit && !in_array($ext, array('png', 'gif', 'jpg', 'jpeg')))
|
|
{
|
|
// no way such an avatar could exist. They are not following the rules, stop the show.
|
|
send_status_line(403, 'Forbidden');
|
|
$exit = true;
|
|
}
|
|
|
|
|
|
if (!$exit)
|
|
{
|
|
if (!$filename)
|
|
{
|
|
// no way such an avatar could exist. They are not following the rules, stop the show.
|
|
send_status_line(403, 'Forbidden');
|
|
}
|
|
else
|
|
{
|
|
send_avatar_to_browser(($avatar_group ? 'g' : '') . $filename . '.' . $ext, $browser);
|
|
}
|
|
}
|
|
file_gc();
|
|
}
|
|
|
|
// implicit else: we are not in avatar mode
|
|
include($phpbb_root_path . 'common.' . $phpEx);
|
|
require($phpbb_root_path . 'includes/functions_download' . '.' . $phpEx);
|
|
|
|
$download_id = request_var('id', 0);
|
|
$mode = request_var('mode', '');
|
|
$thumbnail = request_var('t', false);
|
|
|
|
// Start session management, do not update session page.
|
|
$user->session_begin(false);
|
|
$auth->acl($user->data);
|
|
$user->setup('viewtopic');
|
|
|
|
if (!$download_id)
|
|
{
|
|
trigger_error('NO_ATTACHMENT_SELECTED');
|
|
}
|
|
|
|
if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
|
|
{
|
|
trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
|
|
}
|
|
|
|
$sql = 'SELECT attach_id, in_message, post_msg_id, extension, is_orphan, poster_id, filetime
|
|
FROM ' . ATTACHMENTS_TABLE . "
|
|
WHERE attach_id = $download_id";
|
|
$result = $db->sql_query_limit($sql, 1);
|
|
$attachment = $db->sql_fetchrow($result);
|
|
$db->sql_freeresult($result);
|
|
|
|
if (!$attachment)
|
|
{
|
|
trigger_error('ERROR_NO_ATTACHMENT');
|
|
}
|
|
|
|
if ((!$attachment['in_message'] && !$config['allow_attachments']) || ($attachment['in_message'] && !$config['allow_pm_attach']))
|
|
{
|
|
trigger_error('ATTACHMENT_FUNCTIONALITY_DISABLED');
|
|
}
|
|
|
|
$row = array();
|
|
|
|
if ($attachment['is_orphan'])
|
|
{
|
|
// We allow admins having attachment permissions to see orphan attachments...
|
|
$own_attachment = ($auth->acl_get('a_attach') || $attachment['poster_id'] == $user->data['user_id']) ? true : false;
|
|
|
|
if (!$own_attachment || ($attachment['in_message'] && !$auth->acl_get('u_pm_download')) || (!$attachment['in_message'] && !$auth->acl_get('u_download')))
|
|
{
|
|
trigger_error('ERROR_NO_ATTACHMENT');
|
|
}
|
|
|
|
// Obtain all extensions...
|
|
$extensions = $cache->obtain_attach_extensions(true);
|
|
}
|
|
else
|
|
{
|
|
if (!$attachment['in_message'])
|
|
{
|
|
//
|
|
$sql = 'SELECT p.forum_id, f.forum_password, f.parent_id
|
|
FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f
|
|
WHERE p.post_id = ' . $attachment['post_msg_id'] . '
|
|
AND p.forum_id = f.forum_id';
|
|
$result = $db->sql_query_limit($sql, 1);
|
|
$row = $db->sql_fetchrow($result);
|
|
$db->sql_freeresult($result);
|
|
|
|
// Global announcement?
|
|
$f_download = (!$row) ? $auth->acl_getf_global('f_download') : $auth->acl_get('f_download', $row['forum_id']);
|
|
|
|
if ($auth->acl_get('u_download') && $f_download)
|
|
{
|
|
if ($row && $row['forum_password'])
|
|
{
|
|
// Do something else ... ?
|
|
login_forum_box($row);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
trigger_error('SORRY_AUTH_VIEW_ATTACH');
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$row['forum_id'] = false;
|
|
if (!$auth->acl_get('u_pm_download'))
|
|
{
|
|
send_status_line(403, 'Forbidden');
|
|
trigger_error('SORRY_AUTH_VIEW_ATTACH');
|
|
}
|
|
|
|
// Check if the attachment is within the users scope...
|
|
$sql = 'SELECT user_id, author_id
|
|
FROM ' . PRIVMSGS_TO_TABLE . '
|
|
WHERE msg_id = ' . $attachment['post_msg_id'];
|
|
$result = $db->sql_query($sql);
|
|
|
|
$allowed = false;
|
|
while ($user_row = $db->sql_fetchrow($result))
|
|
{
|
|
if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
|
|
{
|
|
$allowed = true;
|
|
break;
|
|
}
|
|
}
|
|
$db->sql_freeresult($result);
|
|
|
|
if (!$allowed)
|
|
{
|
|
send_status_line(403, 'Forbidden');
|
|
trigger_error('ERROR_NO_ATTACHMENT');
|
|
}
|
|
}
|
|
|
|
// disallowed?
|
|
$extensions = array();
|
|
if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions))
|
|
{
|
|
trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
|
|
}
|
|
}
|
|
|
|
if (!download_allowed())
|
|
{
|
|
send_status_line(403, 'Forbidden');
|
|
trigger_error($user->lang['LINKAGE_FORBIDDEN']);
|
|
}
|
|
|
|
$download_mode = (int) $extensions[$attachment['extension']]['download_mode'];
|
|
|
|
// Fetching filename here to prevent sniffing of filename
|
|
$sql = 'SELECT attach_id, is_orphan, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype, filesize, filetime
|
|
FROM ' . ATTACHMENTS_TABLE . "
|
|
WHERE attach_id = $download_id";
|
|
$result = $db->sql_query_limit($sql, 1);
|
|
$attachment = $db->sql_fetchrow($result);
|
|
$db->sql_freeresult($result);
|
|
|
|
if (!$attachment)
|
|
{
|
|
trigger_error('ERROR_NO_ATTACHMENT');
|
|
}
|
|
|
|
$attachment['physical_filename'] = utf8_basename($attachment['physical_filename']);
|
|
$display_cat = $extensions[$attachment['extension']]['display_cat'];
|
|
|
|
if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))
|
|
{
|
|
$display_cat = ATTACHMENT_CATEGORY_NONE;
|
|
}
|
|
|
|
if ($display_cat == ATTACHMENT_CATEGORY_FLASH && !$user->optionget('viewflash'))
|
|
{
|
|
$display_cat = ATTACHMENT_CATEGORY_NONE;
|
|
}
|
|
|
|
if ($thumbnail)
|
|
{
|
|
$attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
|
|
}
|
|
else if (($display_cat == ATTACHMENT_CATEGORY_NONE/* || $display_cat == ATTACHMENT_CATEGORY_IMAGE*/) && !$attachment['is_orphan'] && !phpbb_http_byte_range($attachment['filesize']))
|
|
{
|
|
// Update download count
|
|
$sql = 'UPDATE ' . ATTACHMENTS_TABLE . '
|
|
SET download_count = download_count + 1
|
|
WHERE attach_id = ' . $attachment['attach_id'];
|
|
$db->sql_query($sql);
|
|
}
|
|
|
|
if ($display_cat == ATTACHMENT_CATEGORY_IMAGE && $mode === 'view' && (strpos($attachment['mimetype'], 'image') === 0) && ((strpos(strtolower($user->browser), 'msie') !== false) && (strpos(strtolower($user->browser), 'msie 8.0') === false)))
|
|
{
|
|
wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);
|
|
file_gc();
|
|
}
|
|
else
|
|
{
|
|
// Determine the 'presenting'-method
|
|
if ($download_mode == PHYSICAL_LINK)
|
|
{
|
|
// This presenting method should no longer be used
|
|
if (!@is_dir($phpbb_root_path . $config['upload_path']))
|
|
{
|
|
trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
|
|
}
|
|
|
|
redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);
|
|
file_gc();
|
|
}
|
|
else
|
|
{
|
|
send_file_to_browser($attachment, $config['upload_path'], $display_cat);
|
|
file_gc();
|
|
}
|
|
}
|