getfile.php: improve download; fix validation of file name; better access checking
git-svn-id: https://xerteonlinetoolkits.googlecode.com/svn/trunk@458 912cdd6b-5c7d-d5a7-a2ba-d0f0cdb91641
Dave Goodwin
committed
Oct 29, 2012
1 parent
929f3a3
commit 4a4c037
Showing
1 changed file
with
28 additions
and
42 deletions.
@@ -1,55 +1,41 @@ | ||
<?php | ||
|
||
require_once(dirname(__FILE__) . "/config.php"); | ||
|
||
require $xerte_toolkits_site->php_library_path . "user_library.php"; | ||
require $xerte_toolkits_site->php_library_path . "template_library.php"; | ||
require $xerte_toolkits_site->php_library_path . "template_status.php"; | ||
|
||
/* | ||
* Check the template ID is numeric | ||
*/ | ||
|
||
// for security, the file name should only contain alpha numeric chars or - _ . | ||
// We definitely do not want a file path to contain a directory separator like ../ else this could be open to abuse. | ||
$safe_file_path = preg_replace('/[^a-z0-9\-_\.]/i', '', $_GET['file']); | ||
|
||
$data_from_file_name = explode("-",$safe_file_path); | ||
|
||
if(is_numeric($data_from_file_name[0])){ | ||
|
||
if(has_rights_to_this_template($data_from_file_name[0],$_SESSION['toolkits_logon_id'])){ | ||
|
||
/* | ||
* Check if user is editor (could be read only) | ||
*/ | ||
|
||
if(is_user_an_editor($data_from_file_name[0],$_SESSION['toolkits_logon_id'])){ | ||
|
||
if($data_from_file_name[1]==$_SESSION['toolkits_logon_username']){ | ||
// be slightly paranoid over the path the user is requesting to download. | ||
$unsafe_file_path = $_GET['file']; | ||
if(!preg_match('/^([0-9]+)-([a-z0-9]+)-/', $unsafe_file_path, $matches)) { | ||
die("path must start with a number, and then a username - e.g. 20-foobar-"); | ||
} | ||
|
||
$file = $xerte_toolkits_site->users_file_area_full . str_replace("media","/media/",$safe_file_path); | ||
|
||
header("Cache-Control: public"); | ||
header("Content-Description: File Transfer"); | ||
header("Content-Disposition: attachment; filename=$file"); | ||
header("Content-Transfer-Encoding: binary"); | ||
$template_id = $matches[1]; | ||
$username = $matches[2]; | ||
|
||
readfile($file); | ||
$has_perms = is_user_admin() || has_rights_to_this_template($template_id,$_SESSION['toolkits_logon_id']); | ||
|
||
if($has_perms) { | ||
if(is_user_an_editor($template_id,$_SESSION['toolkits_logon_id'])){ | ||
if($username == $_SESSION['toolkits_logon_username']) { | ||
// they're logged in, and hopefully have access to the media contents. | ||
$file = dirname(__FILE__) . '/USER-FILES/' . $unsafe_file_path; | ||
if(!is_file($file)) { | ||
die("Fail: file not found on disk"); | ||
} | ||
|
||
$filename = addslashes(basename($file)); | ||
|
||
header("Cache-Control: public"); | ||
header("Content-Length: " . filesize($file)); | ||
header("Content-Description: File Transfer"); | ||
header("Content-Type: application/force-download"); | ||
header("Content-Disposition: attachment; filename=\"$filename\""); | ||
header("Content-Transfer-Encoding: binary"); | ||
flush(); | ||
readfile($file); | ||
exit(0); | ||
} | ||
|
||
|
||
} | ||
|
||
}else{ | ||
|
||
/* | ||
* Was not numeric, so display error message | ||
*/ | ||
|
||
echo file_get_contents($xerte_toolkits_site->website_code_path . "error_top") . " Sorry this resource does not exist </div></div></body></html>"; | ||
die(); | ||
} | ||
|
||
echo "You do not appear to have permission to view this resource."; |
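Review bot: The new path check only anchors the start of the request, so the file served is still built from the raw query string: `preg_match('/^([0-9]+)-([a-z0-9]+)-/', ...)` accepts anything after the second dash, and `$file = dirname(__FILE__) . '/USER-FILES/' . $unsafe_file_path;` concatenates it unfiltered, so a value like `ID-USER-/../../<other file>` (constructed example) passes the template/username checks and reads outside USER-FILES. As far as the rendered view shows, the old `preg_replace('/[^a-z0-9\-_\.]/i', '', ...)` that stripped such characters is removed and `$safe_file_path` is no longer used, so this commit regresses rather than fixes file-name validation. A robust check resolves the candidate path and verifies it stays under the user-files directory before `is_file()` is consulted; note also that `realpath()` returning `false` must be treated as "not found". The script is top-level, so the insert below replaces only the `$file = ...` assignment and its `is_file` guard.

```php
// … unchanged: session/permission checks above …
$base = realpath(dirname(__FILE__) . '/USER-FILES');
$file = realpath($base . '/' . $unsafe_file_path);
// reject anything that resolves outside USER-FILES (e.g. "../" segments) or does not exist
if($base === false || $file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($file)) {
    die("Fail: file not found on disk");
}
// … unchanged: headers and readfile($file) …
```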