
  1. <?php
  2.  
  3. /*
  4.  * OIDplus 2.0
  5.  * Copyright 2019 - 2021 Daniel Marschall, ViaThinkSoft
  6.  *
  7.  * Licensed under the Apache License, Version 2.0 (the "License");
  8.  * you may not use this file except in compliance with the License.
  9.  * You may obtain a copy of the License at
  10.  *
  11.  *     http://www.apache.org/licenses/LICENSE-2.0
  12.  *
  13.  * Unless required by applicable law or agreed to in writing, software
  14.  * distributed under the License is distributed on an "AS IS" BASIS,
  15.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16.  * See the License for the specific language governing permissions and
  17.  * limitations under the License.
  18.  */
  19.  
  20. use ViaThinkSoft\OIDplus\OIDplus;
  21. use ViaThinkSoft\OIDplus\OIDplusException;
  22. use ViaThinkSoft\OIDplus\OIDplusGui;
  23. use ViaThinkSoft\OIDplus\OIDplusPagePublicAttachments;
  24.  
  25. require_once __DIR__ . '/../../../../includes/oidplus.inc.php';
  26.  
  27. try {
  28.         set_exception_handler(array(OIDplusGui::class, 'html_exception_handler'));
  29.  
  30.         OIDplus::init(true);
  31.  
  32.         if (OIDplus::baseConfig()->getValue('DISABLE_PLUGIN_ViaThinkSoft\OIDplus\OIDplusPagePublicAttachments', false)) {
  33.                 throw new OIDplusException(_L('This plugin was disabled by the system administrator!'));
  34.         }
  35.  
  36.         originHeaders();
  37.  
  38.         if (!isset($_REQUEST['filename'])) {
  39.                 http_response_code(400);
  40.                 throw new OIDplusException(_L('Argument "%1" is missing','filename'));
  41.         }
  42.         $filename = $_REQUEST['filename'];
  43.         if (strpos($filename, '/') !== false) throw new OIDplusException(_L('Illegal file name'));
  44.         if (strpos($filename, '\\') !== false) throw new OIDplusException(_L('Illegal file name'));
  45.         if (strpos($filename, '..') !== false) throw new OIDplusException(_L('Illegal file name'));
  46.         if (strpos($filename, chr(0)) !== false) throw new OIDplusException(_L('Illegal file name'));
  47.  
  48.         if (!isset($_REQUEST['id'])) {
  49.                 http_response_code(400);
  50.                 throw new OIDplusException(_L('Argument "%1" is missing','id'));
  51.         }
  52.         $id = $_REQUEST['id'];
  53.  
  54.         $uploaddir = OIDplusPagePublicAttachments::getUploadDir($id);
  55.         $local_file = $uploaddir.'/'.$filename;
  56.  
  57.         if (!file_exists($local_file)) {
  58.                 http_response_code(404);
  59.                 throw new OIDplusException(_L('The file does not exist'));
  60.         }
  61.  
  62.         OIDplus::invoke_shutdown();
  63.  
  64.         VtsBrowserDownload::output_file($local_file);
  65. } catch (\Exception $e) {
  66.         $htmlmsg = $e instanceof OIDplusException ? $e->getHtmlMessage() : htmlentities($e->getMessage());
  67.         echo '<h1>'._L('Error').'</h1><p>'.$htmlmsg.'<p>';
  68. }