Rev 310 | Rev 311 | ||
---|---|---|---|
Line 17... | Line 17... | ||
17 | * limitations under the License. |
17 | * limitations under the License. |
18 | */ |
18 | */ |
19 | 19 | ||
20 | require_once __DIR__ . '/../../../includes/oidplus.inc.php'; |
20 | require_once __DIR__ . '/../../../includes/oidplus.inc.php'; |
21 | 21 | ||
- | 22 | try { |
|
22 | OIDplus::init(true); |
23 | OIDplus::init(true); |
23 | 24 | ||
24 | originHeaders(); |
25 | originHeaders(); |
25 | 26 | ||
26 | if (!isset($_REQUEST['filename'])) { |
27 | if (!isset($_REQUEST['filename'])) { |
27 | http_response_code(400); |
28 | http_response_code(400); |
28 | throw new Exception("<h1>Error</h1><p>Argument 'filename' is missing<p>"); |
29 | throw new Exception("Argument 'filename' is missing"); |
29 | } |
30 | } |
30 | $filename = $_REQUEST['filename']; |
31 | $filename = $_REQUEST['filename']; |
31 | if (strpos($filename, '/') !== false) throw new OIDplusException("Illegal file name"); |
32 | if (strpos($filename, '/') !== false) throw new OIDplusException("Illegal file name"); |
32 | if (strpos($filename, '\\') !== false) throw new OIDplusException("Illegal file name"); |
33 | if (strpos($filename, '\\') !== false) throw new OIDplusException("Illegal file name"); |
33 | if (strpos($filename, '..') !== false) throw new OIDplusException("Illegal file name"); |
34 | if (strpos($filename, '..') !== false) throw new OIDplusException("Illegal file name"); |
34 | if (strpos($filename, chr(0)) !== false) throw new OIDplusException("Illegal file name"); |
35 | if (strpos($filename, chr(0)) !== false) throw new OIDplusException("Illegal file name"); |
35 | 36 | ||
36 | if (!isset($_REQUEST['id'])) { |
37 | if (!isset($_REQUEST['id'])) { |
37 | http_response_code(400); |
38 | http_response_code(400); |
38 | throw new Exception("<h1>Error</h1><p>Argument 'id' is missing<p>"); |
39 | throw new Exception("Argument 'id' is missing"); |
39 | } |
40 | } |
40 | $id = $_REQUEST['id']; |
41 | $id = $_REQUEST['id']; |
41 | 42 | ||
42 | $uploaddir = OIDplusPagePublicAttachments::getUploadDir($id); |
43 | $uploaddir = OIDplusPagePublicAttachments::getUploadDir($id); |
43 | $local_file = $uploaddir.'/'.$filename; |
44 | $local_file = $uploaddir.'/'.$filename; |
- | 45 | ||
- | 46 | if (!file_exists($local_file)) { |
|
- | 47 | http_response_code(404); |
|
- | 48 | throw new Exception("The file does not exist"); |
|
- | 49 | } |
|
- | 50 | ||
44 | VtsBrowserDownload::output_file($local_file); |
51 | VtsBrowserDownload::output_file($local_file); |
- | 52 | } catch (Exception $e) { |
|
- | 53 | echo "<h1>Error</h1><p>".htmlentities($e->getMessage())."<p>"; |
|
- | 54 | } |
|
- | 55 |
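Review bot: The new `if (!file_exists($local_file))` guard still accepts a directory, so an empty `filename` (which passes `isset` and all four `strpos` checks) resolves `$local_file` to `$uploaddir.'/'` and hands a directory path to `VtsBrowserDownload::output_file`; `if (!is_file($local_file)) {` would reject that case with the same 404. The four `OIDplusException` throws for an illegal name also leave the HTTP status at 200 while the new catch block renders an error body, unlike the 400/404 branches; an `http_response_code(400);` before them, or folding them into one check that sets it, would keep the responses consistent. `$_REQUEST['filename']` and `$_REQUEST['id']` are only tested with `isset`, so an array value reaches `strpos` and `getUploadDir` — on PHP 8 that is a `TypeError`, which `catch (Exception $e)` does not handle — whereas `if (!isset($_REQUEST['filename']) || !is_string($_REQUEST['filename'])) {` (and the same for `id`) would answer 400. Whether `OIDplusException` extends `Exception`, and is therefore covered by the new catch, is not visible from this hunk.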