You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
470 lines
12 KiB
470 lines
12 KiB
<?php
|
|
/***************************************************************************
|
|
* download.php
|
|
* -------------------
|
|
* begin : Monday, Apr 1, 2002
|
|
* copyright : (C) 2002 Meik Sievertsen
|
|
* email : acyd.burn@gmx.de
|
|
*
|
|
* $Id: download.php,v 1.9 2005/01/04 15:04:11 saraj Exp $
|
|
*
|
|
*
|
|
***************************************************************************/
|
|
|
|
/***************************************************************************
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
***************************************************************************/
|
|
|
|
if ( defined('IN_PHPBB') )
|
|
{
|
|
die('Hacking attempt');
|
|
exit;
|
|
}
|
|
|
|
define('IN_PHPBB', true);
|
|
$phpbb_root_path = 'modules/MessageBoard/';
|
|
include($phpbb_root_path . 'extension.inc');
|
|
include($phpbb_root_path . 'common.'.$phpEx);
|
|
|
|
//
|
|
// Delete the / * to uncomment the block, and edit the values (read the comments) to
|
|
// enable additional security to your board (preventing third site linkage)
|
|
//
|
|
/*
|
|
define('ALLOWED_DENIED', 0);
|
|
define('DENIED_ALLOWED', 1);
|
|
|
|
//
|
|
// From this line on you are able to edit the stuff
|
|
//
|
|
|
|
// Possible Values:
|
|
// ALLOWED_DENIED <- First allow the listed sites, and then deny all others
|
|
// DENIED_ALLOWED <- First deny the listed sites, and then allow all others
|
|
$allow_deny_order = ALLOWED_DENIED;
|
|
|
|
//
|
|
// Allowed Syntax:
|
|
// Full Domain Name -> www.opentools.de
|
|
// Partial Domain Names -> opentools.de
|
|
//
|
|
$sites = array(
|
|
$board_config['server_name'], // This is your domain
|
|
'opentools.de',
|
|
'phpbb.com',
|
|
'phpbbhacks.com',
|
|
'phpbb.de'
|
|
);
|
|
|
|
// This is the message displayed, if someone links to this site...
|
|
$lang['Denied_Message'] = 'You are not authorized to view, download or link to this Site.';
|
|
|
|
// End of editable area
|
|
|
|
//
|
|
// Parse the order and evaluate the array
|
|
//
|
|
|
|
$site = explode('?', $HTTP_SERVER_VARS['HTTP_REFERER']);
|
|
$url = trim($site[0]);
|
|
//$url = $HTTP_HOST;
|
|
|
|
if ($url != '')
|
|
{
|
|
$allowed = ($allow_deny_order == ALLOWED_DENIED) ? FALSE : TRUE;
|
|
|
|
for ($i = 0; $i < count($sites); $i++)
|
|
{
|
|
if (strstr($url, $sites[$i]))
|
|
{
|
|
$allowed = ($allow_deny_order == ALLOWED_DENIED) ? TRUE : FALSE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$allowed = TRUE;
|
|
}
|
|
|
|
if ($allowed == FALSE)
|
|
{
|
|
message_die(GENERAL_MESSAGE, $lang['Denied_Message']);
|
|
}
|
|
|
|
// Delete the following line, to uncomment this block
|
|
*/
|
|
|
|
if( isset($HTTP_POST_VARS['id']) || isset($HTTP_GET_VARS['id']) )
|
|
{
|
|
$download_id = ( isset($HTTP_POST_VARS['id']) ) ? intval($HTTP_POST_VARS['id']) : intval($HTTP_GET_VARS['id']);
|
|
}
|
|
else
|
|
{
|
|
$download_id = -1;
|
|
}
|
|
|
|
if( isset($HTTP_POST_VARS['thumb']) || isset($HTTP_GET_VARS['thumb']) )
|
|
{
|
|
$thumbnail = ( isset($HTTP_POST_VARS['thumb']) ) ? intval($HTTP_POST_VARS['thumb']) : intval($HTTP_GET_VARS['thumb']);
|
|
}
|
|
else
|
|
{
|
|
$thumbnail = FALSE;
|
|
}
|
|
|
|
// Send file to browser
|
|
function send_file_to_browser($attachment, $upload_dir)
|
|
{
|
|
global $_SERVER, $HTTP_USER_AGENT, $HTTP_SERVER_VARS, $lang, $db, $attach_config;
|
|
|
|
$filename = ($upload_dir == '') ? $attachment['physical_filename'] : $upload_dir . '/' . $attachment['physical_filename'];
|
|
|
|
$gotit = FALSE;
|
|
|
|
if (!intval($attach_config['allow_ftp_upload']))
|
|
{
|
|
if (@!file_exists(@amod_realpath($filename)))
|
|
{
|
|
message_die(GENERAL_ERROR, $lang['Error_no_attachment'] . "<br /><br /><b>404 File Not Found:</b> The File <i>" . $filename . "</i> does not exist.");
|
|
}
|
|
else
|
|
{
|
|
$gotit = TRUE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Determine the Browser the User is using, because of some nasty incompatibilities.
|
|
// Most of the methods used in this function are from phpMyAdmin. :)
|
|
//
|
|
if (!empty($_SERVER['HTTP_USER_AGENT']))
|
|
{
|
|
$HTTP_USER_AGENT = $_SERVER['HTTP_USER_AGENT'];
|
|
}
|
|
else if (!empty($HTTP_SERVER_VARS['HTTP_USER_AGENT']))
|
|
{
|
|
$HTTP_USER_AGENT = $HTTP_SERVER_VARS['HTTP_USER_AGENT'];
|
|
}
|
|
else if (!isset($HTTP_USER_AGENT))
|
|
{
|
|
$HTTP_USER_AGENT = '';
|
|
}
|
|
|
|
if (ereg('Opera(/| )([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version))
|
|
{
|
|
$browser_version = $log_version[2];
|
|
$browser_agent = 'opera';
|
|
}
|
|
else if (ereg('MSIE ([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version))
|
|
{
|
|
$browser_version = $log_version[1];
|
|
$browser_agent = 'ie';
|
|
}
|
|
else if (ereg('OmniWeb/([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version))
|
|
{
|
|
$browser_version = $log_version[1];
|
|
$browser_agent = 'omniweb';
|
|
}
|
|
else if (ereg('Netscape([0-9]{1})', $HTTP_USER_AGENT, $log_version))
|
|
{
|
|
$browser_version = $log_version[1];
|
|
$browser_agent = 'netscape';
|
|
}
|
|
else if (ereg('Mozilla/([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version))
|
|
{
|
|
$browser_version = $log_version[1];
|
|
$browser_agent = 'mozilla';
|
|
}
|
|
else if (ereg('Konqueror/([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version))
|
|
{
|
|
$browser_version = $log_version[1];
|
|
$browser_agent = 'konqueror';
|
|
}
|
|
else
|
|
{
|
|
$browser_version = 0;
|
|
$browser_agent = 'other';
|
|
}
|
|
|
|
// Correct the mime type - we force application/octetstream for all files, except images
|
|
// Please do not change this, it is a security precaution
|
|
if (!strstr($attachment['mimetype'], 'image'))
|
|
{
|
|
$attachment['mimetype'] = ($browser_agent == 'ie' || $browser_agent == 'opera') ? 'application/octetstream' : 'application/octet-stream';
|
|
}
|
|
|
|
// Now the tricky part... let's dance
|
|
@ob_end_clean();
|
|
@ini_set('zlib.output_compression', 'Off');
|
|
ob_start();
|
|
header('Pragma: public');
|
|
header('Content-Transfer-Encoding: none');
|
|
|
|
// Send out the Headers
|
|
header('Content-Type: ' . $attachment['mimetype'] . '; name="' . $attachment['real_filename'] . '"');
|
|
header('Content-Disposition: inline; filename="' . $attachment['real_filename'] . '"');
|
|
//
|
|
// Now send the File Contents to the Browser
|
|
//
|
|
if ($gotit)
|
|
{
|
|
$size = @filesize($filename);
|
|
if ($size)
|
|
{
|
|
header("Content-length: $size");
|
|
ob_end_clean();
|
|
}
|
|
readfile($filename);
|
|
}
|
|
else if (!$gotit && intval($attach_config['allow_ftp_upload']))
|
|
{
|
|
$conn_id = attach_init_ftp();
|
|
|
|
$ini_val = ( @phpversion() >= '4.0.0' ) ? 'ini_get' : 'get_cfg_var';
|
|
|
|
$tmp_path = ( !@$ini_val('safe_mode') ) ? '/tmp' : $upload_dir . '/tmp';
|
|
$tmp_filename = @tempnam($tmp_path, 't0000');
|
|
|
|
@unlink($tmp_filename);
|
|
|
|
$mode = FTP_BINARY;
|
|
if ( (preg_match("/text/i", $attachment['mimetype'])) || (preg_match("/html/i", $attachment['mimetype'])) )
|
|
{
|
|
$mode = FTP_ASCII;
|
|
}
|
|
|
|
$result = @ftp_get($conn_id, $tmp_filename, $filename, $mode);
|
|
|
|
if (!$result)
|
|
{
|
|
message_die(GENERAL_ERROR, $lang['Error_no_attachment'] . "<br /><br /><b>404 File Not Found:</b> The File <i>" . $filename . "</i> does not exist.");
|
|
}
|
|
|
|
@ftp_quit($conn_id);
|
|
|
|
$size = @filesize($tmp_filename);
|
|
if ($size)
|
|
{
|
|
header("Content-length: $size");
|
|
}
|
|
readfile($tmp_filename);
|
|
@unlink($tmp_filename);
|
|
}
|
|
else
|
|
{
|
|
message_die(GENERAL_ERROR, $lang['Error_no_attachment'] . "<br /><br /><b>404 File Not Found:</b> The File <i>" . $filename . "</i> does not exist.");
|
|
}
|
|
|
|
exit;
|
|
}
|
|
//
|
|
// End Functions
|
|
//
|
|
|
|
//
|
|
// Start Session Management
|
|
//
|
|
$userdata = session_pagestart($user_ip, PAGE_INDEX);
|
|
init_userprefs($userdata);
|
|
|
|
if ($download_id == -1)
|
|
{
|
|
message_die(GENERAL_ERROR, $lang['No_attachment_selected']);
|
|
}
|
|
|
|
if ((intval($attach_config['disable_mod']) == 1) && ($userdata['user_level'] != ADMIN))
|
|
{
|
|
message_die(GENERAL_MESSAGE, $lang['Attachment_feature_disabled']);
|
|
}
|
|
|
|
$sql = 'SELECT *
|
|
FROM ' . ATTACHMENTS_DESC_TABLE . '
|
|
WHERE attach_id = ' . intval($download_id);
|
|
|
|
if ( !($result = $db->sql_query($sql)) )
|
|
{
|
|
message_die(GENERAL_ERROR, 'Could not query attachment informations', '', __LINE__, __FILE__, $sql);
|
|
}
|
|
|
|
if ($db->sql_numrows($result) == 0)
|
|
{
|
|
message_die(GENERAL_MESSAGE, $lang['Error_no_attachment']);
|
|
}
|
|
|
|
$attachment = $db->sql_fetchrow($result);
|
|
|
|
//
|
|
// get forum_id for attachment authorization or private message authorization
|
|
//
|
|
$authorised = FALSE;
|
|
|
|
$sql = 'SELECT *
|
|
FROM ' . ATTACHMENTS_TABLE . '
|
|
WHERE attach_id = ' . $attachment['attach_id'];
|
|
|
|
if ( !($result = $db->sql_query($sql)) )
|
|
{
|
|
message_die(GENERAL_ERROR, 'Could not query attachment informations', '', __LINE__, __FILE__, $sql);
|
|
}
|
|
|
|
$auth_pages = $db->sql_fetchrowset($result);
|
|
$num_auth_pages = $db->sql_numrows($result);
|
|
|
|
for ($i = 0; $i < $num_auth_pages && $authorised == FALSE; $i++)
|
|
{
|
|
if (intval($auth_pages[$i]['post_id']) != 0)
|
|
{
|
|
$sql = 'SELECT forum_id
|
|
FROM ' . POSTS_TABLE . '
|
|
WHERE post_id = ' . $auth_pages[$i]['post_id'];
|
|
|
|
if ( !($result = $db->sql_query($sql)) )
|
|
{
|
|
message_die(GENERAL_ERROR, 'Could not query post information', '', __LINE__, __FILE__, $sql);
|
|
}
|
|
|
|
$row = $db->sql_fetchrow($result);
|
|
|
|
$forum_id = $row['forum_id'];
|
|
|
|
$is_auth = array();
|
|
$is_auth = auth(AUTH_ALL, $forum_id, $userdata);
|
|
|
|
if ($is_auth['auth_download'])
|
|
{
|
|
$authorised = TRUE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if ( (intval($attach_config['allow_pm_attach'])) && ( ($userdata['user_id'] == $auth_pages[$i]['user_id_2']) || ($userdata['user_id'] == $auth_pages[$i]['user_id_1']) ) || ($userdata['user_level'] == ADMIN) )
|
|
{
|
|
$authorised = TRUE;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
if (!$authorised)
|
|
{
|
|
message_die(GENERAL_MESSAGE, $lang['Sorry_auth_view_attach']);
|
|
}
|
|
|
|
//
|
|
// Get Information on currently allowed Extensions
|
|
//
|
|
$sql = "SELECT e.extension, g.download_mode
|
|
FROM " . EXTENSION_GROUPS_TABLE . " g, " . EXTENSIONS_TABLE . " e
|
|
WHERE (g.allow_group = 1) AND (g.group_id = e.group_id)";
|
|
|
|
if ( !($result = $db->sql_query($sql)) )
|
|
{
|
|
message_die(GENERAL_ERROR, 'Could not query Allowed Extensions.', '', __LINE__, __FILE__, $sql);
|
|
}
|
|
|
|
$rows = $db->sql_fetchrowset($result);
|
|
$num_rows = $db->sql_numrows($result);
|
|
|
|
for ($i = 0; $i < $num_rows; $i++)
|
|
{
|
|
$extension = strtolower(trim($rows[$i]['extension']));
|
|
$allowed_extensions[] = $extension;
|
|
$download_mode[$extension] = $rows[$i]['download_mode'];
|
|
}
|
|
|
|
//
|
|
// disallowed ?
|
|
//
|
|
if ( (!in_array($attachment['extension'], $allowed_extensions)) && ($userdata['user_level'] != ADMIN) )
|
|
{
|
|
message_die(GENERAL_MESSAGE, sprintf($lang['Extension_disabled_after_posting'], $attachment['extension']));
|
|
}
|
|
|
|
$download_mode = intval($download_mode[$attachment['extension']]);
|
|
|
|
if ($thumbnail)
|
|
{
|
|
$attachment['physical_filename'] = THUMB_DIR . '/t_' . $attachment['physical_filename'];
|
|
}
|
|
|
|
//
|
|
// Update download count
|
|
//
|
|
if (!$thumbnail)
|
|
{
|
|
$sql = 'UPDATE ' . ATTACHMENTS_DESC_TABLE . '
|
|
SET download_count = download_count + 1
|
|
WHERE attach_id = ' . $attachment['attach_id'];
|
|
|
|
if (!$db->sql_query($sql))
|
|
{
|
|
message_die(GENERAL_ERROR, 'Couldn\'t update attachment download count', '', __LINE__, __FILE__, $sql);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Determine the 'presenting'-method
|
|
//
|
|
if ($download_mode == PHYSICAL_LINK)
|
|
{
|
|
$server_protocol = ($board_config['cookie_secure']) ? 'https://' : 'http://';
|
|
$server_name = preg_replace('/^\/?(.*?)\/?$/', '\1', trim($board_config['server_name']));
|
|
$server_port = ($board_config['server_port'] <> 80) ? ':' . trim($board_config['server_port']) : '';
|
|
$script_name = preg_replace('/^\/?(.*?)\/?$/', '/\1', trim($board_config['script_path']));
|
|
|
|
if ($script_name[strlen($script_name)] != '/')
|
|
{
|
|
$script_name .= '/';
|
|
}
|
|
|
|
if (intval($attach_config['allow_ftp_upload']))
|
|
{
|
|
if (trim($attach_config['download_path']) == '')
|
|
{
|
|
message_die(GENERAL_ERROR, 'Physical Download not possible with the current Attachment Setting');
|
|
}
|
|
|
|
$url = trim($attach_config['download_path']) . '/' . $attachment['physical_filename'];
|
|
$redirect_path = $url;
|
|
}
|
|
else
|
|
{
|
|
$url = $upload_dir . '/' . $attachment['physical_filename'];
|
|
// $url = preg_replace('/^\/?(.*?\/)?$/', '\1', trim($url));
|
|
$redirect_path = $server_protocol . $server_name . $server_port . $script_name . $url;
|
|
}
|
|
|
|
// Redirect via an HTML form for PITA webservers
|
|
if (@preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')))
|
|
{
|
|
header('Refresh: 0; URL=' . $redirect_path);
|
|
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><meta http-equiv="refresh" content="0; url=' . $redirect_path . '"><title>Redirect</title></head><body><div align="center">If your browser does not support meta redirection please click <a href="' . $redirect_path . '">HERE</a> to be redirected</div></body></html>';
|
|
exit;
|
|
}
|
|
|
|
// Behave as per HTTP/1.1 spec for others
|
|
header('Location: ' . $redirect_path);
|
|
exit;
|
|
}
|
|
else
|
|
{
|
|
if (intval($attach_config['allow_ftp_upload']))
|
|
{
|
|
// We do not need a download path, we are not downloading physically
|
|
send_file_to_browser($attachment, '');
|
|
exit;
|
|
}
|
|
else
|
|
{
|
|
send_file_to_browser($attachment, $upload_dir);
|
|
exit;
|
|
}
|
|
}
|
|
|
|
?>
|
|
|