authorredmatrix <git@macgirvin.com>2016-04-05 21:10:08 -0700
committerredmatrix <git@macgirvin.com>2016-04-05 21:10:08 -0700
commit9fd8634b62a728e3e6047319548e5029a3d89275 (patch)
tree15d97d30c30b83c7159accc3e2f8cd2b20b5b02d
parentfd07940b102cf13f81f29bb75e80aedc2c43615b (diff)
server side of file/photo sync to deliver the file data. We'll sign it using our channel_hash and the current time to make it difficult to forge a request, since the sync process is not going to have magic-auth ability.
-rw-r--r--mod/getfile.php76
1 files changed, 76 insertions, 0 deletions
diff --git a/mod/getfile.php b/mod/getfile.php
new file mode 100644
index 000000000..8a8fa6465
--- /dev/null
+++ b/mod/getfile.php
@@ -0,0 +1,76 @@
+<?php
+
+require_once('include/Contact.php');
+
+function getfile_post(&$a) {
+
+ $hash = $_POST['hash'];
+ $time = $_POST['time'];
+ $sig = $_POST['signature'];
+ $resource = $_POST['resource'];
+ $revision = intval($_POST['revision']);
+
+ if(! $hash)
+ killme();
+
+ $channel = channelx_by_hash($hash);
+
+ if((! $channel) || (! $time) || (! $sig))
+ killme();
+
+ $slop = intval(get_pconfig($channel['channel_id'],'system','getfile_time_slop'));
+ if($slop < 1)
+ $slop = 3;
+
+ $d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
+ $d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
+
+ if(($time > d1) || ($time < d2)) {
+ logger('time outside allowable range');
+ killme();
+ }
+
+ if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+ logger('verify failed.');
+ killme();
+ }
+
+
+ $r = attach_by_hash($resource,$revision);
+
+ if(! $r['success']) {
+ notice( $r['message'] . EOL);
+ return;
+ }
+
+
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r['data']['filetype'],$unsafe_types)) {
+ header('Content-type: text/plain');
+ }
+ else {
+ header('Content-type: ' . $r['data']['filetype']);
+ }
+
+ header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
+ if(intval($r['data']['os_storage'])) {
+ $fname = dbunescbin($r['data']['data']);
+ if(strpos($fname,'store') !== false)
+ $istream = fopen($fname,'rb');
+ else
+ $istream = fopen('store/' . $channel['channel_address'] . '/' . $fname,'rb');
+ $ostream = fopen('php://output','wb');
+ if($istream && $ostream) {
+ pipe_streams($istream,$ostream);
+ fclose($istream);
+ fclose($ostream);
+ }
+ }
+ else
+ echo dbunescbin($r['data']['data']);
+ killme();
+
+
+
+} \ No newline at end of file
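Review bot: The time-window check on line 50 compares `$time` against the bare identifiers `d1` and `d2` rather than the variables `$d1`/`$d2` computed just above, so PHP treats them as undefined constants (string `'d1'`/`'d2'`) and the ±slop window is never actually enforced; the line should read `if(($time > $d1) || ($time < $d2)) {`. Even with that fixed, the signed string on line 55 covers only `$hash . '.' . $time`, so a signature remains valid for any `resource`/`revision` for the whole window; binding the requested resource and revision into the signed payload (on both the client and this verifier) would narrow what one signature authorizes, which seems worth a follow-up given the description's stated goal. The comparison also assumes `$_POST['time']` arrives in the same string format `datetime_convert()` produces — presumably so, but worth a comment such as `// $time must be a UTC datetime in the same format as datetime_convert() output`. It is not visible here whether `attach_by_hash($resource,$revision)` on line 61 scopes the lookup to `$channel`; if it does not, a request signed by one channel could retrieve another channel's attachment, so that should be confirmed.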