aboutsummaryrefslogtreecommitdiffstats
path: root/mod/getfile.php
diff options
context:
space:
mode:
authorredmatrix <git@macgirvin.com>2016-04-05 21:10:08 -0700
committerredmatrix <git@macgirvin.com>2016-04-05 21:10:08 -0700
commit9fd8634b62a728e3e6047319548e5029a3d89275 (patch)
tree15d97d30c30b83c7159accc3e2f8cd2b20b5b02d /mod/getfile.php
parentfd07940b102cf13f81f29bb75e80aedc2c43615b (diff)
downloadvolse-hubzilla-9fd8634b62a728e3e6047319548e5029a3d89275.tar.gz
volse-hubzilla-9fd8634b62a728e3e6047319548e5029a3d89275.tar.bz2
volse-hubzilla-9fd8634b62a728e3e6047319548e5029a3d89275.zip
server side of file/photo sync to deliver the file data. We'll sign it using our channel_hash and the current time to make it difficult to forge a request; as the sync process is not going to have magic-auth ability.
Diffstat (limited to 'mod/getfile.php')
-rw-r--r--mod/getfile.php76
1 files changed, 76 insertions, 0 deletions
diff --git a/mod/getfile.php b/mod/getfile.php
new file mode 100644
index 000000000..8a8fa6465
--- /dev/null
+++ b/mod/getfile.php
@@ -0,0 +1,76 @@
+<?php
+
+require_once('include/Contact.php');
+
+function getfile_post(&$a) {
+
+ $hash = $_POST['hash'];
+ $time = $_POST['time'];
+ $sig = $_POST['signature'];
+ $resource = $_POST['resource'];
+ $revision = intval($_POST['revision']);
+
+ if(! $hash)
+ killme();
+
+ $channel = channelx_by_hash($hash);
+
+ if((! $channel) || (! $time) || (! $sig))
+ killme();
+
+ $slop = intval(get_pconfig($channel['channel_id'],'system','getfile_time_slop'));
+ if($slop < 1)
+ $slop = 3;
+
+ $d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
+ $d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
+
+ if(($time > d1) || ($time < d2)) {
+ logger('time outside allowable range');
+ killme();
+ }
+
+ if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+ logger('verify failed.');
+ killme();
+ }
+
+
+ $r = attach_by_hash($resource,$revision);
+
+ if(! $r['success']) {
+ notice( $r['message'] . EOL);
+ return;
+ }
+
+
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r['data']['filetype'],$unsafe_types)) {
+ header('Content-type: text/plain');
+ }
+ else {
+ header('Content-type: ' . $r['data']['filetype']);
+ }
+
+ header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
+ if(intval($r['data']['os_storage'])) {
+ $fname = dbunescbin($r['data']['data']);
+ if(strpos($fname,'store') !== false)
+ $istream = fopen($fname,'rb');
+ else
+ $istream = fopen('store/' . $channel['channel_address'] . '/' . $fname,'rb');
+ $ostream = fopen('php://output','wb');
+ if($istream && $ostream) {
+ pipe_streams($istream,$ostream);
+ fclose($istream);
+ fclose($ostream);
+ }
+ }
+ else
+ echo dbunescbin($r['data']['data']);
+ killme();
+
+
+
+} \ No newline at end of file