From 02e099da455f0ca42720e60eabe65ba8d4560373 Mon Sep 17 00:00:00 2001 From: friendica Date: Thu, 31 Jan 2013 16:13:44 -0800 Subject: file/attachment storage api with revision control - needs a bit more testing but the framework is in place --- mod/attach.php | 35 +++++++++-------------------------- 1 file changed, 9 insertions(+), 26 deletions(-) (limited to 'mod/attach.php') diff --git a/mod/attach.php b/mod/attach.php index f300ec6fb..b94c02c19 100644 --- a/mod/attach.php +++ b/mod/attach.php @@ -1,42 +1,25 @@ 2) ? intval(argv(2)) : 0)); - // Check for existence, which will also provide us the owner uid - - $r = q("SELECT * FROM `attach` WHERE `hash` = '%s' LIMIT 1", - dbesc($hash) - ); - if(! count($r)) { - notice( t('Item was not found.'). EOL); - return; - } - - $sql_extra = permissions_sql($r[0]['uid']); - - // Now we'll see if we can access the attachment - - $r = q("SELECT * FROM `attach` WHERE hash = '%s' $sql_extra LIMIT 1", - dbesc($hash) - ); - - if(! count($r)) { - notice( t('Permission denied.') . EOL); + if(! $r['success']) { + notice( $r['message'] . EOL); return; } - header('Content-type: ' . $r[0]['filetype']); - header('Content-disposition: attachment; filename=' . $r[0]['filename']); - echo $r[0]['data']; + header('Content-type: ' . $r['data']['filetype']); + header('Content-disposition: attachment; filename=' . $r['data']['filename']); + echo $r['data']['data']; killme(); - // NOTREACHED + } \ No newline at end of file -- cgit v1.2.3 From 05ba851d52019decf84ea0325f4138f354355d37 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 5 Feb 2013 15:34:30 -0800 Subject: mod/attach support for files/attachments using OS storage --- mod/attach.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'mod/attach.php') diff --git a/mod/attach.php b/mod/attach.php index b94c02c19..a5f9d1a6b 100644 --- a/mod/attach.php +++ b/mod/attach.php 
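Review bot: The `Content-disposition` header added in the `@@ -1,42 +1,25 @@` hunk concatenates the stored `filename` with no quoting or escaping, so a name containing a space, `;` or `"` changes how the client parses the header. The two later `@@ -25,7 +25,7 @@` hunks wrap the value in quotes but still pass it through unescaped. I would escape it where the header is built, e.g. `$fname = str_replace(array('\\', '"'), array('\\\\', '\\"'), $r['data']['filename']);`, and emit `filename="' . $fname . '"'`. Separately, with the `permissions_sql()` query removed, the access decision rests entirely on whatever sets `$r['success']`. That call is not readable in the hunk as rendered here, so a one-line comment above `if(! $r['success'])` naming the helper as the only permission gate would help.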
@@ -19,7 +19,10 @@ function attach_init(&$a) { header('Content-type: ' . $r['data']['filetype']); header('Content-disposition: attachment; filename=' . $r['data']['filename']); - echo $r['data']['data']; + if($r['data']['flags'] & ATTACH_FLAG_OS ) + echo @file_get_contents($r['data']['data']); + else + echo $r['data']['data']; killme(); } \ No newline at end of file -- cgit v1.2.3 From 5a5466346cccecec257fc20a993bfa2426b8bf48 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 6 Jan 2014 18:13:02 -0800 Subject: prepare for OS file storage, and add bbcode attachment link to mod/filestorage. This isn't beautiful, but it's a start. --- mod/attach.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'mod/attach.php') diff --git a/mod/attach.php b/mod/attach.php index a5f9d1a6b..8676baa58 100644 --- a/mod/attach.php +++ b/mod/attach.php @@ -19,8 +19,13 @@ function attach_init(&$a) { header('Content-type: ' . $r['data']['filetype']); header('Content-disposition: attachment; filename=' . $r['data']['filename']); - if($r['data']['flags'] & ATTACH_FLAG_OS ) - echo @file_get_contents($r['data']['data']); + if($r['data']['flags'] & ATTACH_FLAG_OS ) { + $stream = fopen($r['data']['data'],'rb'); + if($stream) { + pipe_stream($stream,STDOUT); + fclose($stream); + } + } else echo $r['data']['data']; killme(); -- cgit v1.2.3 From 6eda8064449d154614345e9bd867dce2faba0deb Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 8 Jan 2014 18:06:52 -0800 Subject: This should be approaching completion for file OS storage. May be a few minor bugs remaining due to some late-breaking fixes but I've been testing it as I go. --- mod/attach.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'mod/attach.php') diff --git a/mod/attach.php b/mod/attach.php index 8676baa58..2c4f06c00 100644 --- a/mod/attach.php +++ b/mod/attach.php 
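Review bot: In the `@@ -19,7 +19,10 @@` hunk the stored `data` value is passed to `file_get_contents()` as a path with no check that it resolves inside the attachment store, so whatever writes that column decides which file or stream wrapper is returned. I would resolve and confine it before reading: `$path = realpath($r['data']['data']);` then `if($path === false || strpos($path, $store_root) !== 0) return;`, where `$store_root` is a placeholder name for the real path of the storage directory. The `@` also hides a failed read, and because both headers are already sent the client just receives an empty download. The later `@@ -19,8 +19,13 @@` and `@@ -17,10 +17,17 @@` hunks keep the same unchecked value; the latter prefixes `store/<channel_address>/` but does not normalise `..` segments.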
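Review bot: In the `@@ -19,8 +19,13 @@` hunk a failed `fopen()` falls straight through to `killme()` after `Content-type` and `Content-disposition` have been sent, so the client gets a zero-byte file and nothing is recorded. I would open the stream before emitting the headers and report the failure as the `$r['success']` branch does, e.g. `if(! $stream) { notice( t('Item was not found.') . EOL); return; }`. The `@@ -27,10 +27,12 @@` hunk further down has the same shape with two streams, and there a handle that did open is left unclosed when the other `fopen()` fails. The function body starts outside this hunk.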
@@ -17,10 +17,17 @@ function attach_init(&$a) { return; } + $c = q("select channel_address from channel where channel_id = %d limit 1", + intval($r[0]['uid']) + ); + + if(! $c) + return; + header('Content-type: ' . $r['data']['filetype']); header('Content-disposition: attachment; filename=' . $r['data']['filename']); if($r['data']['flags'] & ATTACH_FLAG_OS ) { - $stream = fopen($r['data']['data'],'rb'); + $stream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); if($stream) { pipe_stream($stream,STDOUT); fclose($stream); -- cgit v1.2.3 From 3c477ea8d68f4d92541919490511fb4199364272 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 8 Jan 2014 20:58:58 -0800 Subject: attachment issue --- mod/attach.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'mod/attach.php') diff --git a/mod/attach.php b/mod/attach.php index 2c4f06c00..7371f0367 100644 --- a/mod/attach.php +++ b/mod/attach.php @@ -18,7 +18,7 @@ function attach_init(&$a) { } $c = q("select channel_address from channel where channel_id = %d limit 1", - intval($r[0]['uid']) + intval($r['data']['uid']) ); if(! $c) -- cgit v1.2.3 From cff7056f8ff809251448de269bbc5e13780f35de Mon Sep 17 00:00:00 2001 From: friendica Date: Sat, 11 Jan 2014 12:58:00 -0800 Subject: mod_attach: output stream wasn't working --- mod/attach.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'mod/attach.php') diff --git a/mod/attach.php b/mod/attach.php index 7371f0367..c52966ce0 100644 --- a/mod/attach.php +++ b/mod/attach.php 
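Review bot: The new `if(! $c) return;` exit in the `@@ -17,10 +17,17 @@` hunk is silent and applies to every attachment, although in the lines shown `$c` is only read inside the `ATTACH_FLAG_OS` branch. A database-stored attachment whose channel row is missing would now end in a blank response with no notice, unlike the `$r['success']` failure path. I would move the channel lookup inside the `ATTACH_FLAG_OS` branch and replace the bare return with `notice( t('Item was not found.') . EOL); return;`. The function continues outside the hunk, so confirm `$c` is not used further down before moving it.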
@@ -27,10 +27,12 @@ function attach_init(&$a) { header('Content-type: ' . $r['data']['filetype']); header('Content-disposition: attachment; filename=' . $r['data']['filename']); if($r['data']['flags'] & ATTACH_FLAG_OS ) { - $stream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); - if($stream) { - pipe_stream($stream,STDOUT); - fclose($stream); + $istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); + $ostream = fopen('php://output','wb'); + if($istream && $ostream) { + pipe_streams($istream,$ostream); + fclose($istream); + fclose($ostream); } } else -- cgit v1.2.3 From 5c54880ce89627ac932ae09fb85d57863b50d41c Mon Sep 17 00:00:00 2001 From: Thomas Willingham Date: Wed, 29 Jan 2014 20:38:32 +0000 Subject: Make Firefox behave if an attachment points to a file with a space in it. --- mod/attach.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'mod/attach.php') diff --git a/mod/attach.php b/mod/attach.php index c52966ce0..fd40791fe 100644 --- a/mod/attach.php +++ b/mod/attach.php @@ -25,7 +25,7 @@ function attach_init(&$a) { return; header('Content-type: ' . $r['data']['filetype']); - header('Content-disposition: attachment; filename=' . $r['data']['filename']); + header('Content-disposition: attachment; filename="' . $r['data']['filename']); if($r['data']['flags'] & ATTACH_FLAG_OS ) { $istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); $ostream = fopen('php://output','wb'); @@ -39,4 +39,4 @@ function attach_init(&$a) { echo $r['data']['data']; killme(); -} \ No newline at end of file +} -- cgit v1.2.3 From 5a5973982f6027e633917b1f0180432882dc9045 Mon Sep 17 00:00:00 2001 From: Thomas Willingham Date: Wed, 29 Jan 2014 22:11:36 +0000 Subject: Really fix attachments in Firefox --- mod/attach.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'mod/attach.php') 
diff --git a/mod/attach.php b/mod/attach.php index fd40791fe..d0d3296e1 100644 --- a/mod/attach.php +++ b/mod/attach.php @@ -25,7 +25,7 @@ function attach_init(&$a) { return; header('Content-type: ' . $r['data']['filetype']); - header('Content-disposition: attachment; filename="' . $r['data']['filename']); + header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"'); if($r['data']['flags'] & ATTACH_FLAG_OS ) { $istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); $ostream = fopen('php://output','wb'); -- cgit v1.2.3 From b58baa5e4a80657f7b0c7848f16fd12714e4a11a Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 9 Feb 2014 15:00:47 -0800 Subject: more XSS blockage of uploaded files --- mod/attach.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'mod/attach.php') diff --git a/mod/attach.php b/mod/attach.php index d0d3296e1..cf72d09c6 100644 --- a/mod/attach.php +++ b/mod/attach.php @@ -24,7 +24,16 @@ function attach_init(&$a) { if(! $c) return; - header('Content-type: ' . $r['data']['filetype']); + + $unsafe_types = array('text/html','text/css','application/javascript'); + + if(in_array($r['data']['filetype'],$unsafe_types)) { + header('Content-type: text/plain'); + } + else { + header('Content-type: ' . $r['data']['filetype']); + } + header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"'); if($r['data']['flags'] & ATTACH_FLAG_OS ) { $istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); -- cgit v1.2.3
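Review bot: The `$unsafe_types` check in the `@@ -24,7 +24,16 @@` hunk is an exact, case-sensitive match against three strings, so a stored type such as `Text/HTML`, `text/html; charset=utf-8`, `image/svg+xml` or `application/xhtml+xml` is still echoed into `Content-type` unchanged. I would normalise before comparing, `$type = strtolower(trim(strtok($r['data']['filetype'], ';')));`, and serve anything outside a short allow-list of known-inert types as `application/octet-stream` rather than extending a deny-list. Adding `header('X-Content-Type-Options: nosniff');` beside it keeps browsers from overriding the declared type by sniffing the body. The enclosing function starts and ends outside this hunk.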