
   1  <?php
   2  /**
   3   * eXtreme Message Board
   4   * XMB 1.9.11
   5   *
   6   * Developed And Maintained By The XMB Group
   7   * Copyright (c) 2001-2010, The XMB Group
   8   * http://www.xmbforum.com
   9   *
  10   * Sponsored By iEntry, Inc.
  11   * http://www.ientry.com
  12   *
  13   * This program is free software; you can redistribute it and/or
  14   * modify it under the terms of the GNU General Public License
  15   * as published by the Free Software Foundation; either version 2
  16   * of the License, or (at your option) any later version.
  17   *
  18   * This program is distributed in the hope that it will be useful,
  19   * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  21   * GNU General Public License for more details.
  22   *
  23   * You should have received a copy of the GNU General Public License
  24   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  25   *
  26   **/
  27  
  28  define('X_SCRIPT', 'files.php');
  29  
  30  require  'header.php';
  31  
  32  header('X-Robots-Tag: nofollow');
  33  
  34  loadtemplates('');
  35  eval('$css = "'.template('css').'";');
  36  
  37  $aid = 0;
  38  $pid = 0;
  39  $filename = '';
  40  
  41  // Parse "Pretty" URLs
  42  switch(intval($SETTINGS['file_url_format'])) {
  43  case 1:
  44  //    $url = "{$virtual_path}files.php?pid=$pid&amp;aid=$aid";
  45      $aid = getInt('aid');
  46      $pid = getInt('pid');
  47      break;
  48  case 2:
  49  //    $url = "{$virtual_path}files/$pid/$aid/";
  50      $result = explode('/', $url);
  51      if ($result[count($result) - 4] == 'files') { // Remember count() is 1-based
  52          $pid = intval($result[count($result) - 3]);
  53          $aid = intval($result[count($result) - 2]);
  54      }
  55      break;
  56  case 3:
  57  //    $url = "{$virtual_path}files/$aid/".rawurlencode($filename);
  58      $result = explode('/', $url);
  59      if ($result[count($result) - 3] == 'files') {
  60          $aid = intval($result[count($result) - 2]);
  61          $filename = urldecode($result[count($result) - 1]);
  62      }
  63      break;
  64  case 4:
  65  //    $url = "{$virtual_path}/$pid/$aid/";
  66      $result = explode('/', $url);
  67      $pid = intval($result[count($result) - 3]);
  68      $aid = intval($result[count($result) - 2]);
  69      break;
  70  case 5:
  71  //    $url = "{$virtual_path}/$aid/".rawurlencode($filename);
  72      $result = explode('/', $url);
  73      $aid = intval($result[count($result) - 2]);
  74      $filename = urldecode($result[count($result) - 1]);
  75      break;
  76  default:
  77      $aid = getInt('aid');
  78      $pid = getInt('pid');
  79      break;
  80  }
  81  
  82  // Sanity Checks
  83  if ($aid <= 0 Or $pid < 0 Or ($pid == 0 And $filename == '' And $self['uid'] == 0)) {
  84      fileError();
  85  }
  86  
  87  // Retrieve attachment metadata
  88  if ($filename == '') {
  89      $where = "WHERE a.aid=$aid AND a.pid=$pid";
  90      if ($pid == 0 And !X_ADMIN) {
  91          $where .= " AND a.uid={$self['uid']}"; // Allow preview of own attachments when URL format requires a PID.
  92      }
  93  } else {
  94      $filename = $db->escape_var($filename);
  95      $where = "WHERE a.aid=$aid AND a.filename='$filename'";
  96  }
  97  $query = $db->query("SELECT a.*, UNIX_TIMESTAMP(a.updatetime) AS updatestamp, p.fid FROM ".X_PREFIX."attachments AS a LEFT JOIN ".X_PREFIX."posts AS p USING (pid) $where");
  98  if ($db->num_rows($query) != 1) {
  99      fileError();
 100  }
 101  $file = $db->fetch_array($query);
 102  $db->free_result($query);
 103  
 104  if ($pid > 0 Or $file['fid'] != '') {
 105      $forum = getForum($file['fid']);
 106  
 107      if (($forum['type'] != 'forum' && $forum['type'] != 'sub') || $forum['status'] != 'on' || ($forum['attachstatus'] != 'on' And !X_ADMIN)) {
 108          fileError();
 109      }
 110  
 111      // Check attachment permissions
 112      $perms = checkForumPermissions($forum);
 113      if (!$perms[X_PERMS_VIEW]) {
 114          if (X_GUEST) {
 115              redirect("{$full_url}misc.php?action=login", 0);
 116              exit;
 117          } else {
 118              error($lang['privforummsg']);
 119          }
 120      } else if (!$perms[X_PERMS_PASSWORD]) {
 121          handlePasswordDialog($forum['fid']);
 122      }
 123  
 124      $fup = array();
 125      if ($forum['type'] == 'sub') {
 126          $fup = getForum($forum['fup']);
 127          // prevent access to subforum when upper forum can't be viewed.
 128          $fupPerms = checkForumPermissions($fup);
 129          if (!$fupPerms[X_PERMS_VIEW]) {
 130              if (X_GUEST) {
 131                  redirect("{$full_url}misc.php?action=login", 0);
 132                  exit;
 133              } else {
 134                  error($lang['privforummsg']);
 135              }
 136          } else if (!$fupPerms[X_PERMS_PASSWORD]) {
 137              handlePasswordDialog($fup['fid']);
 138          }
 139          unset($fup);
 140      }
 141  }
 142  
 143  // Verify file is available
 144  $path = '';
 145  $size = 0;
 146  if ($file['subdir'] == '') {
 147      $size = strlen($file['attachment']);
 148  } else {
 149      $path = $SETTINGS['files_storage_path'];
 150      if (substr($path, -1) != '/') {
 151          $path .= '/';
 152      }
 153      $path = $path.$file['subdir'].'/'.$file['aid'];
 154      if (!is_file($path)) {
 155          header('HTTP/1.0 500 Internal Server Error');
 156          error($lang['filecorrupt']);
 157      }
 158      $size = intval(filesize($path));
 159  }
 160  if ($size != $file['filesize']) {
 161      header('HTTP/1.0 500 Internal Server Error');
 162      error($lang['filecorrupt']);
 163  }
 164  
 165  // Verify output stream is empty
 166  assertEmptyOutputStream('files.php');
 167  
 168  // Do not issue any errors below this line
 169  
 170  // Check If-Modified-Since request header
 171  // "If the requested variant has not been modified since the time specified in this field,
 172  // an entity will not be returned from the server; instead, a 304 (not modified) response
 173  // will be returned without any message-body."
 174  if ($_SERVER['REQUEST_METHOD'] == 'GET' And isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
 175      if (function_exists('date_default_timezone_set')) {
 176          date_default_timezone_set('UTC'); // Workaround for stupid PHP 5 problems.
 177      }
 178      if (strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) >= $file['updatestamp']) {
 179          header('HTTP/1.0 304 Not Modified');
 180          exit;
 181      }
 182  }
 183  
 184  // Increment hit counter
 185  $db->query("UPDATE ".X_PREFIX."attachments SET downloads=downloads+1 WHERE aid=$aid");
 186  
 187  // Set response headers
 188  if ($file['img_size'] == '') {
 189      $type = 'application/binary';
 190      $dispositionType = 'attachment';
 191  } else {
 192      $type = strtolower($file['filetype']);
 193      $dispositionType = 'inline';
 194  }
 195  
 196  header("Content-type: $type");
 197  header("Content-length: $size");
 198  header("Content-Disposition: {$dispositionType}; filename=\"{$file['filename']}\"");
 199  header("Content-Description: XMB Attachment");
 200  header("Cache-Control: public; max-age=604800");
 201  header("Expires: ".gmdate('D, d M Y H:i:s', time() + 604800)." GMT");
 202  header("Last-Modified: ".gmdate('D, d M Y H:i:s', $file['updatestamp'])." GMT");
 203  
 204  // Send the response entity
 205  if ($file['subdir'] == '') {
 206      echo $file['attachment'];
 207  } else {
 208      readfile($path);
 209  }
 210  exit();
 211  
 212  function fileError() {
 213      global $lang;
 214      header('HTTP/1.0 404 Not Found');
 215      error($lang['textnothread']);
 216  }
 217  ?>