<?php namespace Zotlabs\Module; /** * module: getfile * * used for synchronising files and photos across clones * * The site initiating the file operation will send a sync packet to known clones. * They will respond by building the DB structures they require, then will provide a * post request to this site to grab the file data. This is sent as a stream direct to * disk at the other end, avoiding memory issues. * * Since magic-auth cannot easily be used by the CURL process at the other end, * we will require a signed request which includes a timestamp. This should not be * used without SSL and is potentially vulnerable to replay if an attacker decrypts * the SSL traffic fast enough. The amount of time slop is configurable but defaults * to 3 minutes. * */ require_once('include/attach.php'); class Getfile extends \Zotlabs\Web\Controller { function post() { $header_verified = false; $hash = $_POST['hash']; $time = $_POST['time']; $sig = $_POST['signature']; $resource = $_POST['resource']; $revision = intval($_POST['revision']); $resolution = (-1); if(! $hash) killme(); foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) { if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') { if($head !== 'HTTP_AUTHORIZATION') { $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head]; continue; } $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]); if($sigblock) { $keyId = $sigblock['keyId']; if($keyId) { $r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash where hubloc_addr = '%s' limit 1", dbesc(str_replace('acct:','',$keyId)) ); if($r) { $hubloc = $r[0]; $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']); if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) { $header_verified = true; } } } } } } logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO); if($header_verified) { logger('HTTPSig verified'); } $channel = channelx_by_hash($hash); if((! $channel) || (! $time) || (! $sig)) { logger('error: missing info'); killme(); } if(substr($resource,-2,1) == '-') { $resolution = intval(substr($resource,-1,1)); $resource = substr($resource,0,-2); } $slop = intval(get_pconfig($channel['channel_id'],'system','getfile_time_slop')); if($slop < 1) $slop = 3; $d1 = datetime_convert('UTC','UTC',"now + $slop minutes"); $d2 = datetime_convert('UTC','UTC',"now - $slop minutes"); if(! $header_verified) { if(($time > $d1) || ($time < $d2)) { logger('time outside allowable range'); killme(); } if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) { logger('verify failed.'); killme(); } } if($resolution > 0) { $r = q("select * from photo where resource_id = '%s' and uid = %d limit 1", dbesc($resource), intval($channel['channel_id']) ); if($r) { header('Content-type: ' . $r[0]['mimetype']); if(intval($r[0]['os_storage'])) { $fname = dbunescbin($r[0]['content']); if(strpos($fname,'store') !== false) $istream = fopen($fname,'rb'); else $istream = fopen('store/' . $channel['channel_address'] . '/' . $fname,'rb'); $ostream = fopen('php://output','wb'); if($istream && $ostream) { pipe_streams($istream,$ostream); fclose($istream); fclose($ostream); } } else { echo dbunescbin($r[0]['content']); } } killme(); } $r = attach_by_hash($resource,$channel['channel_hash'],$revision); if(! $r['success']) { logger('attach_by_hash failed: ' . $r['message']); notice( $r['message'] . EOL); return; } $unsafe_types = array('text/html','text/css','application/javascript'); if(in_array($r['data']['filetype'],$unsafe_types) && (! channel_codeallowed($channel['channel_id']))) { header('Content-type: text/plain'); } else { header('Content-type: ' . $r['data']['filetype']); } header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"'); if(intval($r['data']['os_storage'])) { $fname = dbunescbin($r['data']['content']); if(strpos($fname,'store') !== false) $istream = fopen($fname,'rb'); else $istream = fopen('store/' . $channel['channel_address'] . '/' . $fname,'rb'); $ostream = fopen('php://output','wb'); if($istream && $ostream) { pipe_streams($istream,$ostream); fclose($istream); fclose($ostream); } } else { echo dbunescbin($r['data']['content']); } killme(); } }