From 9fd8634b62a728e3e6047319548e5029a3d89275 Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Tue, 5 Apr 2016 21:10:08 -0700
Subject: server side of file/photo sync to deliver the file data. We'll sign
 it using our channel_hash and the current time to make it difficult to forge
 a request; as the sync process is not going to have magic-auth ability.

---
 mod/getfile.php | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 mod/getfile.php

diff --git a/mod/getfile.php b/mod/getfile.php
new file mode 100644
index 000000000..8a8fa6465
--- /dev/null
+++ b/mod/getfile.php
@@ -0,0 +1,76 @@
+<?php
+
+require_once('include/Contact.php');
+
+function getfile_post(&$a) {
+
+	$hash = $_POST['hash'];
+	$time = $_POST['time'];
+	$sig = $_POST['signature'];
+	$resource = $_POST['resource'];
+	$revision = intval($_POST['revision']);
+
+	if(! $hash)
+		killme();
+
+	$channel = channelx_by_hash($hash);
+
+	if((! $channel) || (! $time) || (! $sig))
+		killme();
+
+	$slop = intval(get_pconfig($channel['channel_id'],'system','getfile_time_slop'));
+	if($slop < 1)
+		$slop = 3;
+
+	$d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
+	$d2 = datetime_convert('UTC','UTC',"now - $slop minutes");	
+
+	if(($time > d1) || ($time < d2)) {
+		logger('time outside allowable range');
+		killme();
+	}
+
+	if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+		logger('verify failed.');
+		killme();
+	}
+
+
+	$r = attach_by_hash($resource,$revision);
+
+	if(! $r['success']) {
+		notice( $r['message'] . EOL);
+		return;
+	}
+	
+
+	$unsafe_types = array('text/html','text/css','application/javascript');
+
+	if(in_array($r['data']['filetype'],$unsafe_types)) {
+			header('Content-type: text/plain');
+	}
+	else {
+		header('Content-type: ' . $r['data']['filetype']);
+	}
+
+	header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
+	if(intval($r['data']['os_storage'])) {
+		$fname = dbunescbin($r['data']['data']);
+		if(strpos($fname,'store') !== false)
+			$istream = fopen($fname,'rb');
+		else
+			$istream = fopen('store/' . $channel['channel_address'] . '/' . $fname,'rb');
+		$ostream = fopen('php://output','wb');
+		if($istream && $ostream) {
+			pipe_streams($istream,$ostream);
+			fclose($istream);
+			fclose($ostream);
+		}
+	}
+	else
+		echo dbunescbin($r['data']['data']);
+	killme();
+
+
+
+}
\ No newline at end of file
-- 
cgit v1.2.3