
   1  <?php
   2  /**

   3   * eXtreme Message Board

   4   * XMB 1.9.11

   5   *

   6   * Developed And Maintained By The XMB Group

   7   * Copyright (c) 2001-2012, The XMB Group

   8   * http://www.xmbforum2.com/

   9   *

  10   * This program is free software; you can redistribute it and/or

  11   * modify it under the terms of the GNU General Public License

  12   * as published by the Free Software Foundation; either version 2

  13   * of the License, or (at your option) any later version.

  14   *

  15   * This program is distributed in the hope that it will be useful,

  16   * but WITHOUT ANY WARRANTY; without even the implied warranty of

  17   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  18   * GNU General Public License for more details.

  19   *

  20   * You should have received a copy of the GNU General Public License

  21   * along with this program.  If not, see <http://www.gnu.org/licenses/>.

  22   *

  23   **/
  24  
  25  define('X_SCRIPT', 'files.php');
  26  
  27  require  'header.php';
  28  
  29  header('X-Robots-Tag: nofollow');
  30  
  31  loadtemplates('');
  32  eval('$css = "'.template('css').'";');
  33  
  34  $aid = 0;
  35  $pid = 0;
  36  $filename = '';
  37  
  38  // Parse "Pretty" URLs

  39  switch(intval($SETTINGS['file_url_format'])) {
  40  case 1:
  41  //    $url = "{$virtual_path}files.php?pid=$pid&amp;aid=$aid";

  42      $aid = getInt('aid');
  43      $pid = getInt('pid');
  44      break;
  45  case 2:
  46  //    $url = "{$virtual_path}files/$pid/$aid/";

  47      $result = explode('/', $url);
  48      if ($result[count($result) - 4] == 'files') { // Remember count() is 1-based
  49          $pid = intval($result[count($result) - 3]);
  50          $aid = intval($result[count($result) - 2]);
  51      }
  52      break;
  53  case 3:
  54  //    $url = "{$virtual_path}files/$aid/".rawurlencode($filename);

  55      $result = explode('/', $url);
  56      if ($result[count($result) - 3] == 'files') {
  57          $aid = intval($result[count($result) - 2]);
  58          $filename = urldecode($result[count($result) - 1]);
  59      }
  60      break;
  61  case 4:
  62  //    $url = "{$virtual_path}/$pid/$aid/";

  63      $result = explode('/', $url);
  64      $pid = intval($result[count($result) - 3]);
  65      $aid = intval($result[count($result) - 2]);
  66      break;
  67  case 5:
  68  //    $url = "{$virtual_path}/$aid/".rawurlencode($filename);

  69      $result = explode('/', $url);
  70      $aid = intval($result[count($result) - 2]);
  71      $filename = urldecode($result[count($result) - 1]);
  72      break;
  73  default:
  74      $aid = getInt('aid');
  75      $pid = getInt('pid');
  76      break;
  77  }
  78  
  79  // Sanity Checks

  80  if ($aid <= 0 Or $pid < 0 Or ($pid == 0 And $filename == '' And $self['uid'] == 0)) {
  81      fileError();
  82  }
  83  
  84  // Retrieve attachment metadata

  85  if ($filename == '') {
  86      $where = "WHERE a.aid=$aid AND a.pid=$pid";
  87      if ($pid == 0 And !X_ADMIN) {
  88          $where .= " AND a.uid={$self['uid']}"; // Allow preview of own attachments when URL format requires a PID.

  89      }
  90  } else {
  91      $db->escape_fast($filename);
  92      $where = "WHERE a.aid=$aid AND a.filename='$filename'";
  93  }
  94  $query = $db->query("SELECT a.*, UNIX_TIMESTAMP(a.updatetime) AS updatestamp, p.fid FROM ".X_PREFIX."attachments AS a LEFT JOIN ".X_PREFIX."posts AS p USING (pid) $where");
  95  if ($db->num_rows($query) != 1) {
  96      fileError();
  97  }
  98  $file = $db->fetch_array($query);
  99  $db->free_result($query);
 100  
 101  if ($pid > 0 Or $file['fid'] != '') {
 102      $forum = getForum($file['fid']);
 103  
 104      if (($forum['type'] != 'forum' && $forum['type'] != 'sub') || $forum['status'] != 'on' || ($forum['attachstatus'] != 'on' And !X_ADMIN)) {
 105          fileError();
 106      }
 107  
 108      // Check attachment permissions

 109      $perms = checkForumPermissions($forum);
 110      if (!$perms[X_PERMS_VIEW]) {
 111          if (X_GUEST) {
 112              redirect("{$full_url}misc.php?action=login", 0);
 113              exit;
 114          } else {
 115              error($lang['privforummsg']);
 116          }
 117      } else if (!$perms[X_PERMS_PASSWORD]) {
 118          handlePasswordDialog($forum['fid']);
 119      }
 120  
 121      $fup = array();
 122      if ($forum['type'] == 'sub') {
 123          $fup = getForum($forum['fup']);
 124          // prevent access to subforum when upper forum can't be viewed.

 125          $fupPerms = checkForumPermissions($fup);
 126          if (!$fupPerms[X_PERMS_VIEW]) {
 127              if (X_GUEST) {
 128                  redirect("{$full_url}misc.php?action=login", 0);
 129                  exit;
 130              } else {
 131                  error($lang['privforummsg']);
 132              }
 133          } else if (!$fupPerms[X_PERMS_PASSWORD]) {
 134              handlePasswordDialog($fup['fid']);
 135          }
 136          unset($fup);
 137      }
 138  }
 139  
 140  // Verify file is available

 141  $path = '';
 142  $size = 0;
 143  if ($file['subdir'] == '') {
 144      $size = strlen($file['attachment']);
 145  } else {
 146      $path = $SETTINGS['files_storage_path'];
 147      if (substr($path, -1) != '/') {
 148          $path .= '/';
 149      }
 150      $path = $path.$file['subdir'].'/'.$file['aid'];
 151      if (!is_file($path)) {
 152          header('HTTP/1.0 500 Internal Server Error');
 153          error($lang['filecorrupt']);
 154      }
 155      $size = intval(filesize($path));
 156  }
 157  if ($size != $file['filesize']) {
 158      header('HTTP/1.0 500 Internal Server Error');
 159      error($lang['filecorrupt']);
 160  }
 161  
 162  // Verify output stream is empty

 163  assertEmptyOutputStream('files.php');
 164  
 165  // Do not issue any errors below this line

 166  
 167  // Check If-Modified-Since request header

 168  // "If the requested variant has not been modified since the time specified in this field,

 169  // an entity will not be returned from the server; instead, a 304 (not modified) response

 170  // will be returned without any message-body."

 171  if ($_SERVER['REQUEST_METHOD'] == 'GET' And isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
 172      if (function_exists('date_default_timezone_set')) {
 173          date_default_timezone_set('UTC'); // Workaround for stupid PHP 5 problems.

 174      }
 175      if (strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) >= $file['updatestamp']) {
 176          header('HTTP/1.0 304 Not Modified');
 177          exit;
 178      }
 179  }
 180  
 181  // Increment hit counter

 182  $db->query("UPDATE ".X_PREFIX."attachments SET downloads=downloads+1 WHERE aid=$aid");
 183  
 184  // Set response headers

 185  if ($file['img_size'] == '') {
 186      $type = 'application/binary';
 187      $dispositionType = 'attachment';
 188  } else {
 189      $type = strtolower($file['filetype']);
 190      $dispositionType = 'inline';
 191  }
 192  
 193  header("Content-type: $type");
 194  header("Content-length: $size");
 195  header("Content-Disposition: {$dispositionType}; filename=\"{$file['filename']}\"");
 196  header("Content-Description: XMB Attachment");
 197  header("Cache-Control: public; max-age=604800");
 198  header("Expires: ".gmdate('D, d M Y H:i:s', time() + 604800)." GMT");
 199  header("Last-Modified: ".gmdate('D, d M Y H:i:s', $file['updatestamp'])." GMT");
 200  
 201  // Send the response entity

 202  if ($file['subdir'] == '') {
 203      echo $file['attachment'];
 204  } else {
 205      readfile($path);
 206  }
 207  exit();
 208  
 209  function fileError() {
 210      global $lang;
 211      header('HTTP/1.0 404 Not Found');
 212      error($lang['textnothread']);
 213  }
 214  ?>
