authorPaolo Tacconi <p.tacconi@giunti.it>2016-04-15 09:20:58 +0200
committerPaolo Tacconi <p.tacconi@giunti.it>2016-04-15 09:20:58 +0200
commit45a854762b451dafb882bc56efce054b64420627 (patch)
tree958fcd22f04546f40b6ac68bb58cfe1a1b1fb7f6 /mod/getfile.php
parent1806da0851dd5cf5978b19d12783ae3101a11257 (diff)
parenta29c0371f1f3cceb9a9af3a62e5ed67886869c40 (diff)
Resolved conflict in view/it/hstrings.php
Diffstat (limited to 'mod/getfile.php')
-rw-r--r--mod/getfile.php97
1 files changed, 97 insertions, 0 deletions
diff --git a/mod/getfile.php b/mod/getfile.php
new file mode 100644
index 000000000..c0916de79
--- /dev/null
+++ b/mod/getfile.php
@@ -0,0 +1,97 @@
+<?php
+
+/**
+ * module: getfile
+ *
+ * used for synchronising files and photos across clones
+ *
+ * The site initiating the file operation will send a sync packet to known clones.
+ * They will respond by building the DB structures they require, then will provide a
+ * post request to this site to grab the file data. This is sent as a stream direct to
+ * disk at the other end, avoiding memory issues.
+ *
+ * Since magic-auth cannot easily be used by the CURL process at the other end,
+ * we will require a signed request which includes a timestamp. This should not be
+ * used without SSL and is potentially vulnerable to replay if an attacker decrypts
+ * the SSL traffic fast enough. The amount of time slop is configurable but defaults
+ * to 3 minutes.
+ *
+ */
+
+
+
+require_once('include/Contact.php');
+require_once('include/attach.php');
+
+function getfile_post(&$a) {
+
+ $hash = $_POST['hash'];
+ $time = $_POST['time'];
+ $sig = $_POST['signature'];
+ $resource = $_POST['resource'];
+ $revision = intval($_POST['revision']);
+
+ if(! $hash)
+ killme();
+
+ $channel = channelx_by_hash($hash);
+
+ if((! $channel) || (! $time) || (! $sig))
+ killme();
+
+ $slop = intval(get_pconfig($channel['channel_id'],'system','getfile_time_slop'));
+ if($slop < 1)
+ $slop = 3;
+
+ $d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
+ $d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
+
+ if(($time > $d1) || ($time < $d2)) {
+ logger('time outside allowable range');
+ killme();
+ }
+
+ if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+ logger('verify failed.');
+ killme();
+ }
+
+
+ $r = attach_by_hash($resource,$revision);
+
+ if(! $r['success']) {
+ notice( $r['message'] . EOL);
+ return;
+ }
+
+
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r['data']['filetype'],$unsafe_types)) {
+ header('Content-type: text/plain');
+ }
+ else {
+ header('Content-type: ' . $r['data']['filetype']);
+ }
+
+ header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
+ if(intval($r['data']['os_storage'])) {
+ $fname = dbunescbin($r['data']['data']);
+ if(strpos($fname,'store') !== false)
+ $istream = fopen($fname,'rb');
+ else
+ $istream = fopen('store/' . $channel['channel_address'] . '/' . $fname,'rb');
+ $ostream = fopen('php://output','wb');
+ if($istream && $ostream) {
+ pipe_streams($istream,$ostream);
+ fclose($istream);
+ fclose($ostream);
+ }
+ }
+ else
+ echo dbunescbin($r['data']['data']);
+ killme();
+
+
+
+} \ No newline at end of file
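Review bot: The signature check at L79 verifies only `$hash . '.' . $time`, so nothing binds the request to `$resource` or `$revision`; within the slop window (default 3 minutes, L68-69) one captured valid packet authorises fetching any attachment of that channel, which widens the replay exposure the header comment already acknowledges. Folding the resource into the signed string, e.g. `if(! rsa_verify($hash . '.' . $time . '.' . $resource, base64url_decode($sig), $channel['channel_pubkey'])) {`, would scope each signature to a single file, though the clone that builds the request would need the matching change. The window check at L74 compares `$time` as a raw string against the `datetime_convert()` output, so a timestamp in any other format passes or fails by lexical accident rather than by time; normalising it with `datetime_convert()` (or `strtotime()`) into the same format before the comparison would make the bound explicit. The header comment says the module must not be used without SSL, but the function never checks the request scheme, and `$_POST['hash']` and friends at L53-57 are read without `isset`, so a missing field raises a notice before `killme()`. The filename at L102 is interpolated into `Content-disposition` unescaped, so a stored name containing `"` yields a malformed header.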