<?php
 
/*
 * OIDplus 2.0
 * Copyright 2019 Daniel Marschall, ViaThinkSoft
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 
require_once __DIR__ . '/../../../includes/oidplus.inc.php';
 
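// Attachment download endpoint.
//
// Reads two request parameters, 'filename' and 'id', builds a path below the
// upload directory that OIDplusPagePublicAttachments::getUploadDir() returns
// for 'id', and hands that path to VtsBrowserDownload::output_file().
// Both parameters are caller-controlled, so everything that ends up in the
// path is validated before the file system is touched.

// NOTE(review): the meaning of the boolean passed to init() is defined
// elsewhere and is not visible in this file.
OIDplus::init(true);

// Helper defined elsewhere; presumably emits origin/CORS response headers -- confirm.
originHeaders();

if (!isset($_REQUEST['filename'])) {
	http_response_code(400);
	throw new Exception("<h1>Error</h1><p>Argument 'filename' is missing<p>");
}
$filename = $_REQUEST['filename'];

// A parameter sent as filename[]=... arrives as an array; reject it here
// instead of letting strpos() fail on a non-string. An empty name or '.'
// would make the resulting path point at the upload directory itself.
if (!is_string($filename) || $filename === '' || $filename === '.') {
	http_response_code(400);
	throw new OIDplusException("Illegal file name");
}

// The name must be a single path component: no directory separators, no
// parent-directory reference, no NUL byte. This deny-list is the only barrier
// against path traversal through 'filename'.
foreach (array('/', '\\', '..', chr(0)) as $forbidden) {
	if (strpos($filename, $forbidden) !== false) {
		// Same status code as the other rejected-input branches.
		http_response_code(400);
		throw new OIDplusException("Illegal file name");
	}
}

if (!isset($_REQUEST['id'])) {
	http_response_code(400);
	throw new Exception("<h1>Error</h1><p>Argument 'id' is missing<p>");
}
$id = $_REQUEST['id'];
if (!is_string($id)) {
	http_response_code(400);
	throw new OIDplusException("Illegal value for argument 'id'");
}

// NOTE(review): $id receives no further validation in this file. The filename
// checks above only protect the last path component; confirm that
// getUploadDir() normalizes/validates $id so that it cannot steer the
// directory part of the path outside the attachment store.
// NOTE(review): no access check on the object is visible here; confirm that
// every attachment is meant to be downloadable by any requester.
$uploaddir = OIDplusPagePublicAttachments::getUploadDir($id);
$local_file = $uploaddir.'/'.$filename;

// Only serve existing regular files: a directory or a missing path gets an
// explicit 404 instead of being passed on to the download helper.
if (!is_file($local_file)) {
	http_response_code(404);
	throw new OIDplusException("The file does not exist");
}

VtsBrowserDownload::output_file($local_file);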