1 files changed, 31 insertions, 22 deletions

diff --git a/mod/attach.php b/mod/attach.php
index f300ec6fb..cf72d09c6 100644
--- a/mod/attach.php
+++ b/mod/attach.php
@@ -1,42 +1,51 @@
 <?php
 
 require_once('include/security.php');
+require_once('include/attach.php');
 
 function attach_init(&$a) {
 
-	if(argc() != 2) {
+	if(argc() < 2) {
 		notice( t('Item not available.') . EOL);
 		return;
 	}
 
-	$hash = argv(1);
+	$r = attach_by_hash(argv(1),((argc() > 2) ? intval(argv(2)) : 0));
 
-	// Check for existence, which will also provide us the owner uid
-
-	$r = q("SELECT * FROM `attach` WHERE `hash` = '%s' LIMIT 1",
-		dbesc($hash)
-	);
-	if(! count($r)) {
-		notice( t('Item was not found.'). EOL);
+	if(! $r['success']) {
+		notice( $r['message'] . EOL);
 		return;
 	}
 
-	$sql_extra = permissions_sql($r[0]['uid']);
-
-	// Now we'll see if we can access the attachment
-
-	$r = q("SELECT * FROM `attach` WHERE hash = '%s' $sql_extra LIMIT 1",
-		dbesc($hash)
+	$c = q("select channel_address from channel where channel_id = %d limit 1",
+		intval($r['data']['uid'])
 	);
 
-	if(! count($r)) {
-		notice( t('Permission denied.') . EOL);
+	if(! $c)
 		return;
+
+
+	$unsafe_types = array('text/html','text/css','application/javascript');
+
+	if(in_array($r['data']['filetype'],$unsafe_types)) {
+			header('Content-type: text/plain');
+	}
+	else {
+		header('Content-type: ' . $r['data']['filetype']);
 	}
 
-	header('Content-type: ' . $r[0]['filetype']);
-	header('Content-disposition: attachment; filename=' . $r[0]['filename']);
-	echo $r[0]['data'];
+	header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
+	if($r['data']['flags'] & ATTACH_FLAG_OS ) {
+		$istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb');
+		$ostream = fopen('php://output','wb');
+		if($istream && $ostream) {
+			pipe_streams($istream,$ostream);
+			fclose($istream);
+			fclose($ostream);
+		}
+	}
+	else
+		echo $r['data']['data'];
 	killme();
-	// NOTREACHED
-}
\ No newline at end of file
+
+}