aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module/Getfile.php
diff options
context:
space:
mode:
authorAndrew Manning <tamanning@zoho.com>2016-04-20 21:05:01 -0400
committerAndrew Manning <tamanning@zoho.com>2016-04-20 21:05:01 -0400
commitb96eb1c8230ae2f5986d6f22934c606bbca9728e (patch)
treefecd2279927b61da28801094dc7d6b1cfa8d98fe /Zotlabs/Module/Getfile.php
parent7594796ee11c0b245d02d145868a13ac3d84ebfc (diff)
parent635580091a227529cb491e6441a5acbfff3177be (diff)
downloadvolse-hubzilla-b96eb1c8230ae2f5986d6f22934c606bbca9728e.tar.gz
volse-hubzilla-b96eb1c8230ae2f5986d6f22934c606bbca9728e.tar.bz2
volse-hubzilla-b96eb1c8230ae2f5986d6f22934c606bbca9728e.zip
Merge branch 'dev' into toggle-context-help
Diffstat (limited to 'Zotlabs/Module/Getfile.php')
-rw-r--r--Zotlabs/Module/Getfile.php102
1 files changed, 102 insertions, 0 deletions
diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php
new file mode 100644
index 000000000..6999e77e8
--- /dev/null
+++ b/Zotlabs/Module/Getfile.php
@@ -0,0 +1,102 @@
+<?php
+namespace Zotlabs\Module;
+
+/**
+ * module: getfile
+ *
+ * used for synchronising files and photos across clones
+ *
+ * The site initiating the file operation will send a sync packet to known clones.
+ * They will respond by building the DB structures they require, then will provide a
+ * post request to this site to grab the file data. This is sent as a stream direct to
+ * disk at the other end, avoiding memory issues.
+ *
+ * Since magic-auth cannot easily be used by the CURL process at the other end,
+ * we will require a signed request which includes a timestamp. This should not be
+ * used without SSL and is potentially vulnerable to replay if an attacker decrypts
+ * the SSL traffic fast enough. The amount of time slop is configurable but defaults
+ * to 3 minutes.
+ *
+ */
+
+
+
+require_once('include/Contact.php');
+require_once('include/attach.php');
+
+
+class Getfile extends \Zotlabs\Web\Controller {
+
+ function post() {
+
+ $hash = $_POST['hash'];
+ $time = $_POST['time'];
+ $sig = $_POST['signature'];
+ $resource = $_POST['resource'];
+ $revision = intval($_POST['revision']);
+
+ if(! $hash)
+ killme();
+
+ $channel = channelx_by_hash($hash);
+
+ if((! $channel) || (! $time) || (! $sig))
+ killme();
+
+ $slop = intval(get_pconfig($channel['channel_id'],'system','getfile_time_slop'));
+ if($slop < 1)
+ $slop = 3;
+
+ $d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
+ $d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
+
+ if(($time > $d1) || ($time < $d2)) {
+ logger('time outside allowable range');
+ killme();
+ }
+
+ if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+ logger('verify failed.');
+ killme();
+ }
+
+
+ $r = attach_by_hash($resource,$revision);
+
+ if(! $r['success']) {
+ notice( $r['message'] . EOL);
+ return;
+ }
+
+
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r['data']['filetype'],$unsafe_types)) {
+ header('Content-type: text/plain');
+ }
+ else {
+ header('Content-type: ' . $r['data']['filetype']);
+ }
+
+ header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
+ if(intval($r['data']['os_storage'])) {
+ $fname = dbunescbin($r['data']['data']);
+ if(strpos($fname,'store') !== false)
+ $istream = fopen($fname,'rb');
+ else
+ $istream = fopen('store/' . $channel['channel_address'] . '/' . $fname,'rb');
+ $ostream = fopen('php://output','wb');
+ if($istream && $ostream) {
+ pipe_streams($istream,$ostream);
+ fclose($istream);
+ fclose($ostream);
+ }
+ }
+ else
+ echo dbunescbin($r['data']['data']);
+ killme();
+
+
+
+ }
+}