diff options
| author | Haakon Meland Eriksen <haakon.eriksen@far.no> | 2014-06-24 19:34:36 +0200 |
|---|---|---|
| committer | Haakon Meland Eriksen <haakon.eriksen@far.no> | 2014-06-24 19:34:36 +0200 |
| commit | b8dc9e855af2d30f33d0f90dc13d8cad0a7b3e70 (patch) | |
| tree | 718df6305bcb82c8dcb4b287a7132422e748cdfb /mod/attach.php | |
| parent | c2d520f1be115fb3cb5da2a35eb10146cecee8aa (diff) | |
| parent | a92fb0b04c3e6474ec48faf8e4cc65c382e89d66 (diff) | |
| download | volse-hubzilla-b8dc9e855af2d30f33d0f90dc13d8cad0a7b3e70.tar.gz volse-hubzilla-b8dc9e855af2d30f33d0f90dc13d8cad0a7b3e70.tar.bz2 volse-hubzilla-b8dc9e855af2d30f33d0f90dc13d8cad0a7b3e70.zip | |
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'mod/attach.php')
| -rw-r--r-- | mod/attach.php | 53 |
1 files changed, 31 insertions, 22 deletions
diff --git a/mod/attach.php b/mod/attach.php index f300ec6fb..cf72d09c6 100644 --- a/mod/attach.php +++ b/mod/attach.php @@ -1,42 +1,51 @@ <?php require_once('include/security.php'); +require_once('include/attach.php'); function attach_init(&$a) { - if(argc() != 2) { + if(argc() < 2) { notice( t('Item not available.') . EOL); return; } - $hash = argv(1); + $r = attach_by_hash(argv(1),((argc() > 2) ? intval(argv(2)) : 0)); - // Check for existence, which will also provide us the owner uid - - $r = q("SELECT * FROM `attach` WHERE `hash` = '%s' LIMIT 1", - dbesc($hash) - ); - if(! count($r)) { - notice( t('Item was not found.'). EOL); + if(! $r['success']) { + notice( $r['message'] . EOL); return; } - $sql_extra = permissions_sql($r[0]['uid']); - - // Now we'll see if we can access the attachment - - $r = q("SELECT * FROM `attach` WHERE hash = '%s' $sql_extra LIMIT 1", - dbesc($hash) + $c = q("select channel_address from channel where channel_id = %d limit 1", + intval($r['data']['uid']) ); - if(! count($r)) { - notice( t('Permission denied.') . EOL); + if(! $c) return; + + + $unsafe_types = array('text/html','text/css','application/javascript'); + + if(in_array($r['data']['filetype'],$unsafe_types)) { + header('Content-type: text/plain'); + } + else { + header('Content-type: ' . $r['data']['filetype']); } - header('Content-type: ' . $r[0]['filetype']); - header('Content-disposition: attachment; filename=' . $r[0]['filename']); - echo $r[0]['data']; + header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"'); + if($r['data']['flags'] & ATTACH_FLAG_OS ) { + $istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); + $ostream = fopen('php://output','wb'); + if($istream && $ostream) { + pipe_streams($istream,$ostream); + fclose($istream); + fclose($ostream); + } + } + else + echo $r['data']['data']; killme(); - // NOTREACHED -}
\ No newline at end of file + +} |