authorWave <wave72@users.noreply.github.com>2016-07-22 10:55:02 +0200
committerGitHub <noreply@github.com>2016-07-22 10:55:02 +0200
commit744ad84714fe0f7a3d90250a4ff02dc4327b9061 (patch)
tree595fb74ec9ea0bc7130d18bd7993d719a222d343 /Zotlabs/Module/Getfile.php
parentc38c79d71c8ef70ef649f83e322f1984b75ee2dd (diff)
parent7d897a3f03bd57ed556433eb84a41963ba44e02e (diff)
Merge pull request #6 from redmatrix/dev
Dev
Diffstat (limited to 'Zotlabs/Module/Getfile.php')
-rw-r--r--Zotlabs/Module/Getfile.php101
1 files changed, 101 insertions, 0 deletions
diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php
new file mode 100644
index 000000000..09d761887
--- /dev/null
+++ b/Zotlabs/Module/Getfile.php
@@ -0,0 +1,101 @@
+<?php
+namespace Zotlabs\Module;
+
+/**
+ * module: getfile
+ *
+ * used for synchronising files and photos across clones
+ *
+ * The site initiating the file operation will send a sync packet to known clones.
+ * They will respond by building the DB structures they require, then will provide a
+ * post request to this site to grab the file data. This is sent as a stream direct to
+ * disk at the other end, avoiding memory issues.
+ *
+ * Since magic-auth cannot easily be used by the CURL process at the other end,
+ * we will require a signed request which includes a timestamp. This should not be
+ * used without SSL and is potentially vulnerable to replay if an attacker decrypts
+ * the SSL traffic fast enough. The amount of time slop is configurable but defaults
+ * to 3 minutes.
+ *
+ */
+
+
+
+require_once('include/attach.php');
+
+
+class Getfile extends \Zotlabs\Web\Controller {
+
+ function post() {
+
+ $hash = $_POST['hash'];
+ $time = $_POST['time'];
+ $sig = $_POST['signature'];
+ $resource = $_POST['resource'];
+ $revision = intval($_POST['revision']);
+
+ if(! $hash)
+ killme();
+
+ $channel = channelx_by_hash($hash);
+
+ if((! $channel) || (! $time) || (! $sig))
+ killme();
+
+ $slop = intval(get_pconfig($channel['channel_id'],'system','getfile_time_slop'));
+ if($slop < 1)
+ $slop = 3;
+
+ $d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
+ $d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
+
+ if(($time > $d1) || ($time < $d2)) {
+ logger('time outside allowable range');
+ killme();
+ }
+
+ if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+ logger('verify failed.');
+ killme();
+ }
+
+
+ $r = attach_by_hash($resource,$revision);
+
+ if(! $r['success']) {
+ notice( $r['message'] . EOL);
+ return;
+ }
+
+
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r['data']['filetype'],$unsafe_types)) {
+ header('Content-type: text/plain');
+ }
+ else {
+ header('Content-type: ' . $r['data']['filetype']);
+ }
+
+ header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
+ if(intval($r['data']['os_storage'])) {
+ $fname = dbunescbin($r['data']['data']);
+ if(strpos($fname,'store') !== false)
+ $istream = fopen($fname,'rb');
+ else
+ $istream = fopen('store/' . $channel['channel_address'] . '/' . $fname,'rb');
+ $ostream = fopen('php://output','wb');
+ if($istream && $ostream) {
+ pipe_streams($istream,$ostream);
+ fclose($istream);
+ fclose($ostream);
+ }
+ }
+ else
+ echo dbunescbin($r['data']['data']);
+ killme();
+
+
+
+ }
+}
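Review bot: The signed payload checked at `rsa_verify($hash . '.' . $time, ...)` covers only the channel hash and the timestamp, so within the configured slop window one captured signature authorises fetching any `resource`/`revision` for that channel; the header comment already concedes replay is possible, but binding the request parameters into the signed string (`$hash . '.' . $time . '.' . $resource . '.' . intval($revision)`, with the sending clone updated in step) would shrink that window to a single file. Related, `attach_by_hash($resource,$revision)` is never tied back to the `$channel` whose signature was just verified — whatever permission check that helper applies presumably runs against the request's observer rather than `$channel`, so it is worth confirming that a clone can only retrieve attachments owned by its own channel (e.g. compare `$r['data']['uid']` with `$channel['channel_id']` before streaming). The time-window check compares `$time` to `$d1`/`$d2` as strings, which only works if the client sends exactly the format `datetime_convert()` produces; normalising `$time` through `datetime_convert('UTC','UTC',$time)` first would make the range check robust. Finally, the `$_POST` reads at the top of `post()` should use `$_POST['hash'] ?? ''` etc. so a missing key fails the `if(! $hash)` guard cleanly instead of emitting an undefined-index notice.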