Rev 310 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 310 | Rev 311 | ||
|---|---|---|---|
| Line 17... | Line 17... | ||
| 17 | * limitations under the License. |
17 | * limitations under the License. |
| 18 | */ |
18 | */ |
| 19 | 19 | ||
| 20 | require_once __DIR__ . '/../../../includes/oidplus.inc.php'; |
20 | require_once __DIR__ . '/../../../includes/oidplus.inc.php'; |
| 21 | 21 | ||
| - | 22 | try { |
|
| 22 | OIDplus::init(true); |
23 | OIDplus::init(true); |
| 23 | 24 | ||
| 24 | originHeaders(); |
25 | originHeaders(); |
| 25 | 26 | ||
| 26 | if (!isset($_REQUEST['filename'])) { |
27 | if (!isset($_REQUEST['filename'])) { |
| 27 | http_response_code(400); |
28 | http_response_code(400); |
| 28 | throw new Exception("<h1>Error</h1><p>Argument 'filename' is missing<p>"); |
29 | throw new Exception("Argument 'filename' is missing"); |
| 29 | } |
30 | } |
| 30 | $filename = $_REQUEST['filename']; |
31 | $filename = $_REQUEST['filename']; |
| 31 | if (strpos($filename, '/') !== false) throw new OIDplusException("Illegal file name"); |
32 | if (strpos($filename, '/') !== false) throw new OIDplusException("Illegal file name"); |
| 32 | if (strpos($filename, '\\') !== false) throw new OIDplusException("Illegal file name"); |
33 | if (strpos($filename, '\\') !== false) throw new OIDplusException("Illegal file name"); |
| 33 | if (strpos($filename, '..') !== false) throw new OIDplusException("Illegal file name"); |
34 | if (strpos($filename, '..') !== false) throw new OIDplusException("Illegal file name"); |
| 34 | if (strpos($filename, chr(0)) !== false) throw new OIDplusException("Illegal file name"); |
35 | if (strpos($filename, chr(0)) !== false) throw new OIDplusException("Illegal file name"); |
| 35 | 36 | ||
| 36 | if (!isset($_REQUEST['id'])) { |
37 | if (!isset($_REQUEST['id'])) { |
| 37 | http_response_code(400); |
38 | http_response_code(400); |
| 38 | throw new Exception("<h1>Error</h1><p>Argument 'id' is missing<p>"); |
39 | throw new Exception("Argument 'id' is missing"); |
| 39 | } |
40 | } |
| 40 | $id = $_REQUEST['id']; |
41 | $id = $_REQUEST['id']; |
| 41 | 42 | ||
| 42 | $uploaddir = OIDplusPagePublicAttachments::getUploadDir($id); |
43 | $uploaddir = OIDplusPagePublicAttachments::getUploadDir($id); |
| 43 | $local_file = $uploaddir.'/'.$filename; |
44 | $local_file = $uploaddir.'/'.$filename; |
| - | 45 | ||
| - | 46 | if (!file_exists($local_file)) { |
|
| - | 47 | http_response_code(404); |
|
| - | 48 | throw new Exception("The file does not exist"); |
|
| - | 49 | } |
|
| - | 50 | ||
| 44 | VtsBrowserDownload::output_file($local_file); |
51 | VtsBrowserDownload::output_file($local_file); |
| - | 52 | } catch (Exception $e) { |
|
| - | 53 | echo "<h1>Error</h1><p>".htmlentities($e->getMessage())."<p>"; |
|
| - | 54 | } |
|
| - | 55 | ||