Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
0.00% |
0 / 180 |
|
0.00% |
0 / 9 |
CRAP | |
0.00% |
0 / 1 |
attachment | |
0.00% |
0 / 180 |
|
0.00% |
0 / 9 |
5700 | |
0.00% |
0 / 1 |
__construct | |
0.00% |
0 / 8 |
|
0.00% |
0 / 1 |
2 | |||
handle_attachment | |
0.00% |
0 / 85 |
|
0.00% |
0 / 1 |
1122 | |||
filenameFallback | |
0.00% |
0 / 2 |
|
0.00% |
0 / 1 |
6 | |||
prepare | |
0.00% |
0 / 2 |
|
0.00% |
0 / 1 |
2 | |||
phpbb_download_handle_forum_auth | |
0.00% |
0 / 19 |
|
0.00% |
0 / 1 |
56 | |||
phpbb_download_handle_pm_auth | |
0.00% |
0 / 7 |
|
0.00% |
0 / 1 |
12 | |||
phpbb_download_check_pm_auth | |
0.00% |
0 / 11 |
|
0.00% |
0 / 1 |
2 | |||
phpbb_increment_downloads | |
0.00% |
0 / 3 |
|
0.00% |
0 / 1 |
2 | |||
download_allowed | |
0.00% |
0 / 43 |
|
0.00% |
0 / 1 |
702 |
1 | <?php |
2 | /** |
3 | * |
4 | * This file is part of the phpBB Forum Software package. |
5 | * |
6 | * @copyright (c) phpBB Limited <https://www.phpbb.com> |
7 | * @license GNU General Public License, version 2 (GPL-2.0) |
8 | * |
9 | * For full copyright and license information, please see |
10 | * the docs/CREDITS.txt file. |
11 | * |
12 | */ |
13 | |
14 | namespace phpbb\storage\controller; |
15 | |
16 | use phpbb\attachment\attachment_category; |
17 | use phpbb\auth\auth; |
18 | use phpbb\cache\service; |
19 | use phpbb\config\config; |
20 | use phpbb\content_visibility; |
21 | use phpbb\db\driver\driver_interface; |
22 | use phpbb\event\dispatcher_interface; |
23 | use phpbb\exception\http_exception; |
24 | use phpbb\language\language; |
25 | use phpbb\request\request; |
26 | use phpbb\storage\storage; |
27 | use phpbb\user; |
28 | use Symfony\Component\HttpFoundation\Request as symfony_request; |
29 | use Symfony\Component\HttpFoundation\RedirectResponse; |
30 | use Symfony\Component\HttpFoundation\Response; |
31 | use Symfony\Component\HttpFoundation\ResponseHeaderBag; |
32 | use Symfony\Component\HttpFoundation\StreamedResponse; |
33 | |
34 | /** |
35 | * Controller for /download/attachment/{id} routes |
36 | */ |
37 | class attachment extends controller |
38 | { |
39 | /** @var auth */ |
40 | protected $auth; |
41 | |
42 | /** @var config */ |
43 | protected $config; |
44 | |
45 | /** @var content_visibility */ |
46 | protected $content_visibility; |
47 | |
48 | /** @var dispatcher_interface */ |
49 | protected $dispatcher; |
50 | |
51 | /** @var language */ |
52 | protected $language; |
53 | |
54 | /** @var request */ |
55 | protected $request; |
56 | |
57 | /** @var user */ |
58 | protected $user; |
59 | |
60 | /** |
61 | * Constructor |
62 | * |
63 | * @param auth $auth |
64 | * @param service $cache |
65 | * @param config $config |
66 | * @param content_visibility $content_visibility |
67 | * @param driver_interface $db |
68 | * @param dispatcher_interface $dispatcher |
69 | * @param language $language |
70 | * @param request $request |
71 | * @param storage $storage |
72 | * @param symfony_request $symfony_request |
73 | * @param user $user |
74 | */ |
75 | public function __construct(auth $auth, service $cache, config $config, content_visibility $content_visibility, driver_interface $db, dispatcher_interface $dispatcher, language $language, request $request, storage $storage, symfony_request $symfony_request, user $user) |
76 | { |
77 | parent::__construct($cache, $db, $storage, $symfony_request); |
78 | |
79 | $this->auth = $auth; |
80 | $this->config = $config; |
81 | $this->content_visibility = $content_visibility; |
82 | $this->dispatcher = $dispatcher; |
83 | $this->language = $language; |
84 | $this->request = $request; |
85 | $this->user = $user; |
86 | } |
87 | |
88 | /** |
89 | * Handle attachments |
90 | * |
91 | * @param int $id File ID |
92 | * @param string $filename Filename |
93 | */ |
94 | public function handle_attachment(int $id, string $filename): Response |
95 | { |
96 | $attach_id = $id; |
97 | $thumbnail = $this->request->variable('t', false); |
98 | |
99 | $this->language->add_lang('viewtopic'); |
100 | |
101 | if (!$this->config['allow_attachments'] && !$this->config['allow_pm_attach']) |
102 | { |
103 | throw new http_exception(404, 'ATTACHMENT_FUNCTIONALITY_DISABLED'); |
104 | } |
105 | |
106 | if (!$attach_id) |
107 | { |
108 | throw new http_exception(404, 'NO_ATTACHMENT_SELECTED'); |
109 | } |
110 | |
111 | $sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, poster_id, |
112 | is_orphan, physical_filename, real_filename, extension, mimetype, |
113 | filesize, filetime |
114 | FROM ' . ATTACHMENTS_TABLE . " |
115 | WHERE attach_id = $attach_id" . |
116 | (($filename) ? " AND real_filename = '" . $this->db->sql_escape($filename) . "'" : ''); |
117 | $result = $this->db->sql_query($sql); |
118 | $attachment = $this->db->sql_fetchrow($result); |
119 | $this->db->sql_freeresult($result); |
120 | |
121 | if (!$attachment) |
122 | { |
123 | throw new http_exception(404, 'ERROR_NO_ATTACHMENT'); |
124 | } |
125 | else if (!$this->download_allowed()) |
126 | { |
127 | throw new http_exception(403, 'LINKAGE_FORBIDDEN'); |
128 | } |
129 | |
130 | $attachment['physical_filename'] = utf8_basename($attachment['physical_filename']); |
131 | |
132 | if ((!$attachment['in_message'] && !$this->config['allow_attachments']) || |
133 | ($attachment['in_message'] && !$this->config['allow_pm_attach'])) |
134 | { |
135 | throw new http_exception(404, 'ATTACHMENT_FUNCTIONALITY_DISABLED'); |
136 | } |
137 | |
138 | if ($attachment['is_orphan']) |
139 | { |
140 | // We allow admins having attachment permissions to see orphan attachments... |
141 | $own_attachment = $this->auth->acl_get('a_attach') || $attachment['poster_id'] == $this->user->data['user_id']; |
142 | |
143 | if (!$own_attachment || ($attachment['in_message'] && !$this->auth->acl_get('u_pm_download')) || |
144 | (!$attachment['in_message'] && !$this->auth->acl_get('u_download'))) |
145 | { |
146 | throw new http_exception(404, 'ERROR_NO_ATTACHMENT'); |
147 | } |
148 | |
149 | // Obtain all extensions... |
150 | $extensions = $this->cache->obtain_attach_extensions(true); |
151 | } |
152 | else |
153 | { |
154 | if (!$attachment['in_message']) |
155 | { |
156 | $this->phpbb_download_handle_forum_auth($attachment['topic_id']); |
157 | |
158 | $sql = 'SELECT forum_id, poster_id, post_visibility |
159 | FROM ' . POSTS_TABLE . ' |
160 | WHERE post_id = ' . (int) $attachment['post_msg_id']; |
161 | $result = $this->db->sql_query($sql); |
162 | $post_row = $this->db->sql_fetchrow($result); |
163 | $this->db->sql_freeresult($result); |
164 | |
165 | if (!$post_row || !$this->content_visibility->is_visible('post', $post_row['forum_id'], $post_row)) |
166 | { |
167 | // Attachment of a soft deleted post and the user is not allowed to see the post |
168 | throw new http_exception(404, 'ERROR_NO_ATTACHMENT'); |
169 | } |
170 | } |
171 | else |
172 | { |
173 | // Attachment is in a private message. |
174 | $post_row = array('forum_id' => false); |
175 | $this->phpbb_download_handle_pm_auth( $attachment['post_msg_id']); |
176 | } |
177 | |
178 | $extensions = array(); |
179 | if (!extension_allowed($post_row['forum_id'], $attachment['extension'], $extensions)) |
180 | { |
181 | throw new http_exception(403, 'EXTENSION_DISABLED_AFTER_POSTING', [$attachment['extension']]); |
182 | } |
183 | } |
184 | |
185 | $display_cat = $extensions[$attachment['extension']]['display_cat']; |
186 | |
187 | if ($thumbnail) |
188 | { |
189 | $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename']; |
190 | } |
191 | else if ($display_cat == attachment_category::NONE && !$attachment['is_orphan']) |
192 | { |
193 | if (!(($display_cat == attachment_category::IMAGE || $display_cat == attachment_category::THUMB) && !$this->user->optionget('viewimg'))) |
194 | { |
195 | // Update download count |
196 | $this->phpbb_increment_downloads($attachment['attach_id']); |
197 | } |
198 | } |
199 | |
200 | $redirect = ''; |
201 | |
202 | /** |
203 | * Event to modify data before sending file to browser |
204 | * |
205 | * @event core.download_file_send_to_browser_before |
206 | * @var int attach_id The attachment ID |
207 | * @var array attachment Array with attachment data |
208 | * @var array extensions Array with file extensions data |
209 | * @var bool thumbnail Flag indicating if the file is a thumbnail |
210 | * @var string redirect Do a redirection instead of reading the file |
211 | * @since 3.1.6-RC1 |
212 | * @changed 3.1.7-RC1 Fixing wrong name of a variable (replacing "extension" by "extensions") |
213 | * @changed 3.3.0-a1 Add redirect variable |
214 | * @changed 3.3.0-a1 Remove display_cat variable |
215 | * @changed 3.3.0-a1 Remove mode variable |
216 | */ |
217 | $vars = array( |
218 | 'attach_id', |
219 | 'attachment', |
220 | 'extensions', |
221 | 'thumbnail', |
222 | 'redirect', |
223 | ); |
224 | extract($this->dispatcher->trigger_event('core.download_file_send_to_browser_before', compact($vars))); |
225 | |
226 | // If the redirect variable have been overwritten, do redirect there |
227 | if (!empty($redirect)) |
228 | { |
229 | return new RedirectResponse($redirect); |
230 | } |
231 | |
232 | // Check if the file exists in the storage table too |
233 | if (!$this->storage->exists($attachment['physical_filename'])) |
234 | { |
235 | throw new http_exception(404, 'ERROR_NO_ATTACHMENT'); |
236 | } |
237 | |
238 | /** |
239 | * Event to alter attachment before it is sent to browser. |
240 | * |
241 | * @event core.send_file_to_browser_before |
242 | * @var array attachment Attachment data |
243 | * @since 3.1.11-RC1 |
244 | * @changed 3.3.0-a1 Removed category variable |
245 | * @changed 3.3.0-a1 Removed size variable |
246 | * @changed 3.3.0-a1 Removed filename variable |
247 | */ |
248 | $vars = array( |
249 | 'attachment', |
250 | ); |
251 | extract($this->dispatcher->trigger_event('core.send_file_to_browser_before', compact($vars))); |
252 | |
253 | // TODO: The next lines should go better in prepare, also the mimetype is handled by the storage table |
254 | // so probably can be removed |
255 | |
256 | $response = new StreamedResponse(); |
257 | |
258 | // Content-type header |
259 | $response->headers->set('Content-Type', $attachment['mimetype']); |
260 | |
261 | // Display file types in browser and force download for others |
262 | if (strpos($attachment['mimetype'], 'image') !== false |
263 | || strpos($attachment['mimetype'], 'audio') !== false |
264 | || strpos($attachment['mimetype'], 'video') !== false |
265 | ) |
266 | { |
267 | $disposition = $response->headers->makeDisposition( |
268 | ResponseHeaderBag::DISPOSITION_INLINE, |
269 | $attachment['real_filename'], |
270 | $this->filenameFallback($attachment['real_filename']) |
271 | ); |
272 | } |
273 | else |
274 | { |
275 | $disposition = $response->headers->makeDisposition( |
276 | ResponseHeaderBag::DISPOSITION_ATTACHMENT, |
277 | $attachment['real_filename'], |
278 | $this->filenameFallback($attachment['real_filename']) |
279 | ); |
280 | } |
281 | |
282 | $response->headers->set('Content-Disposition', $disposition); |
283 | |
284 | // Set expires header for browser cache |
285 | $time = new \DateTime(); |
286 | $response->setExpires($time->modify('+1 year')); |
287 | |
288 | return parent::handle($attachment['physical_filename']); |
289 | } |
290 | |
291 | /** |
292 | * Remove non valid characters https://github.com/symfony/http-foundation/commit/c7df9082ee7205548a97031683bc6550b5dc9551 |
293 | */ |
294 | protected function filenameFallback($filename) |
295 | { |
296 | $filename = preg_replace(['/[^\x20-\x7e]/', '/%/', '/\//', '/\\\\/'], '', $filename); |
297 | |
298 | return (!empty($filename)) ?: 'File'; |
299 | } |
300 | |
301 | /** |
302 | * {@inheritdoc} |
303 | */ |
304 | protected function prepare(StreamedResponse $response, string $file): void |
305 | { |
306 | $response->setPrivate(); // By default should be private, but make sure of it |
307 | |
308 | parent::prepare($response, $file); |
309 | } |
310 | |
311 | /** |
312 | * Handles authentication when downloading attachments from a post or topic |
313 | * |
314 | * @param int $topic_id The id of the topic that we are downloading from |
315 | * |
316 | * @return void |
317 | * @throws http_exception If attachment is not found |
318 | * If user don't have permission to download the attachment |
319 | */ |
320 | protected function phpbb_download_handle_forum_auth(int $topic_id): void |
321 | { |
322 | $sql_array = [ |
323 | 'SELECT' => 't.forum_id, t.topic_poster, t.topic_visibility, f.forum_name, f.forum_password, f.parent_id', |
324 | 'FROM' => [ |
325 | TOPICS_TABLE => 't', |
326 | FORUMS_TABLE => 'f', |
327 | ], |
328 | 'WHERE' => 't.topic_id = ' . (int) $topic_id . ' |
329 | AND t.forum_id = f.forum_id', |
330 | ]; |
331 | |
332 | $sql = $this->db->sql_build_query('SELECT', $sql_array); |
333 | $result = $this->db->sql_query($sql); |
334 | $row = $this->db->sql_fetchrow($result); |
335 | $this->db->sql_freeresult($result); |
336 | |
337 | if ($row && !$this->content_visibility->is_visible('topic', $row['forum_id'], $row)) |
338 | { |
339 | throw new http_exception(404, 'ERROR_NO_ATTACHMENT'); |
340 | } |
341 | else if ($row && $this->auth->acl_get('u_download') && $this->auth->acl_get('f_download', $row['forum_id'])) |
342 | { |
343 | if ($row['forum_password']) |
344 | { |
345 | // Do something else ... ? |
346 | login_forum_box($row); |
347 | } |
348 | } |
349 | else |
350 | { |
351 | throw new http_exception(403, 'SORRY_AUTH_VIEW_ATTACH'); |
352 | } |
353 | } |
354 | |
355 | /** |
356 | * Handles authentication when downloading attachments from PMs |
357 | * |
358 | * @param int $msg_id The id of the PM that we are downloading from |
359 | * |
360 | * @return void |
361 | * @throws http_exception If attachment is not found |
362 | */ |
363 | protected function phpbb_download_handle_pm_auth(int $msg_id): void |
364 | { |
365 | if (!$this->auth->acl_get('u_pm_download')) |
366 | { |
367 | throw new http_exception(403, 'SORRY_AUTH_VIEW_ATTACH'); |
368 | } |
369 | |
370 | $allowed = $this->phpbb_download_check_pm_auth($msg_id); |
371 | |
372 | /** |
373 | * Event to modify PM attachments download auth |
374 | * |
375 | * @event core.modify_pm_attach_download_auth |
376 | * @var bool allowed Whether the user is allowed to download from that PM or not |
377 | * @var int msg_id The id of the PM to download from |
378 | * @var int user_id The user id for auth check |
379 | * @since 3.1.11-RC1 |
380 | */ |
381 | $vars = array('allowed', 'msg_id', 'user_id'); |
382 | extract($this->dispatcher->trigger_event('core.modify_pm_attach_download_auth', compact($vars))); |
383 | |
384 | if (!$allowed) |
385 | { |
386 | throw new http_exception(403, 'ERROR_NO_ATTACHMENT'); |
387 | } |
388 | } |
389 | |
390 | /** |
391 | * Checks whether a user can download from a particular PM |
392 | * |
393 | * @param int $msg_id The id of the PM that we are downloading from |
394 | * |
395 | * @return bool Whether the user is allowed to download from that PM or not |
396 | */ |
397 | protected function phpbb_download_check_pm_auth(int $msg_id): bool |
398 | { |
399 | $user_id = $this->user->data['user_id']; |
400 | |
401 | // Check if the attachment is within the users scope... |
402 | $sql = 'SELECT msg_id |
403 | FROM ' . PRIVMSGS_TO_TABLE . ' |
404 | WHERE msg_id = ' . (int) $msg_id . ' |
405 | AND ( |
406 | user_id = ' . (int) $user_id . ' |
407 | OR author_id = ' . (int) $user_id . ' |
408 | )'; |
409 | $result = $this->db->sql_query_limit($sql, 1); |
410 | $allowed = (bool) $this->db->sql_fetchfield('msg_id'); |
411 | $this->db->sql_freeresult($result); |
412 | |
413 | return $allowed; |
414 | } |
415 | |
416 | /** |
417 | * Increments the download count of all provided attachments |
418 | * |
419 | * @param int $id The attach_id of the attachment |
420 | * |
421 | * @return void |
422 | */ |
423 | protected function phpbb_increment_downloads(int $id): void |
424 | { |
425 | $sql = 'UPDATE ' . ATTACHMENTS_TABLE . ' |
426 | SET download_count = download_count + 1 |
427 | WHERE attach_id = ' . $id; |
428 | $this->db->sql_query($sql); |
429 | } |
430 | |
431 | /** |
432 | * Check if downloading item is allowed |
433 | * FIXME (See: https://tracker.phpbb.com/browse/PHPBB3-15264 and http://area51.phpbb.com/phpBB/viewtopic.php?f=81&t=51921) |
434 | */ |
435 | protected function download_allowed(): bool |
436 | { |
437 | if (!$this->config['secure_downloads']) |
438 | { |
439 | return true; |
440 | } |
441 | |
442 | $url = htmlspecialchars_decode($this->request->header('Referer')); |
443 | |
444 | if (!$url) |
445 | { |
446 | return ($this->config['secure_allow_empty_referer']) ? true : false; |
447 | } |
448 | |
449 | // Split URL into domain and script part |
450 | $url = @parse_url($url); |
451 | |
452 | if ($url === false) |
453 | { |
454 | return ($this->config['secure_allow_empty_referer']) ? true : false; |
455 | } |
456 | |
457 | $hostname = $url['host']; |
458 | unset($url); |
459 | |
460 | $allowed = ($this->config['secure_allow_deny']) ? false : true; |
461 | $iplist = array(); |
462 | |
463 | if (($ip_ary = @gethostbynamel($hostname)) !== false) |
464 | { |
465 | foreach ($ip_ary as $ip) |
466 | { |
467 | if ($ip) |
468 | { |
469 | $iplist[] = $ip; |
470 | } |
471 | } |
472 | } |
473 | |
474 | // Check for own server... |
475 | $server_name = $this->user->host; |
476 | |
477 | // Forcing server vars is the only way to specify/override the protocol |
478 | if ($this->config['force_server_vars'] || !$server_name) |
479 | { |
480 | $server_name = $this->config['server_name']; |
481 | } |
482 | |
483 | if (preg_match('#^.*?' . preg_quote($server_name, '#') . '.*?$#i', $hostname)) |
484 | { |
485 | $allowed = true; |
486 | } |
487 | |
488 | // Get IP's and Hostnames |
489 | if (!$allowed) |
490 | { |
491 | $sql = 'SELECT site_ip, site_hostname, ip_exclude |
492 | FROM ' . SITELIST_TABLE; |
493 | $result = $this->db->sql_query($sql); |
494 | |
495 | while ($row = $this->db->sql_fetchrow($result)) |
496 | { |
497 | $site_ip = trim($row['site_ip']); |
498 | $site_hostname = trim($row['site_hostname']); |
499 | |
500 | if ($site_ip) |
501 | { |
502 | foreach ($iplist as $ip) |
503 | { |
504 | if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_ip, '#')) . '$#i', $ip)) |
505 | { |
506 | if ($row['ip_exclude']) |
507 | { |
508 | $allowed = ($this->config['secure_allow_deny']) ? false : true; |
509 | break 2; |
510 | } |
511 | else |
512 | { |
513 | $allowed = ($this->config['secure_allow_deny']) ? true : false; |
514 | } |
515 | } |
516 | } |
517 | } |
518 | |
519 | if ($site_hostname) |
520 | { |
521 | if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($site_hostname, '#')) . '$#i', $hostname)) |
522 | { |
523 | if ($row['ip_exclude']) |
524 | { |
525 | $allowed = ($this->config['secure_allow_deny']) ? false : true; |
526 | break; |
527 | } |
528 | else |
529 | { |
530 | $allowed = ($this->config['secure_allow_deny']) ? true : false; |
531 | } |
532 | } |
533 | } |
534 | } |
535 | $this->db->sql_freeresult($result); |
536 | } |
537 | |
538 | return $allowed; |
539 | } |
540 | } |