PC World 2005 April

home *** CD-ROM | disk | FTP | other *** search

/ PC World 2005 April / PCWorld_2005-04_cd.bin / akce / web / phpbb2plus / phpBB2_plus_1.52.exe / phpBB2 / download.php < prev next >

Wrap

PHP Script | 2004-12-24 | 12KB | 454 lines

<?php /*************************************************************************** * download.php * ------------------- * begin : Monday, Apr 1, 2002 * copyright : (C) 2002 Meik Sievertsen * email : acyd.burn@gmx.de * * $Id: download.php,v 1.39 2004/12/09 20:12:12 acydburn Exp $ * * ***************************************************************************/ /*************************************************************************** * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * ***************************************************************************/ if ( defined('IN_PHPBB') ) { die('Hacking attempt'); exit; } define('IN_PHPBB', true); $phpbb_root_path = './'; include($phpbb_root_path . 'extension.inc'); include($phpbb_root_path . 'common.'.$phpEx); // // Delete the / * to uncomment the block, and edit the values (read the comments) to // enable additional security to your board (preventing third site linkage) // /* define('ALLOWED_DENIED', 0); define('DENIED_ALLOWED', 1); // // From this line on you are able to edit the stuff // // Possible Values: // ALLOWED_DENIED <- First allow the listed sites, and then deny all others // DENIED_ALLOWED <- First deny the listed sites, and then allow all others $allow_deny_order = ALLOWED_DENIED; // // Allowed Syntax: // Full Domain Name -> www.opentools.de // Partial Domain Names -> opentools.de // $sites = array( $board_config['server_name'], // This is your domain 'opentools.de', 'phpbb.com', 'phpbbhacks.com', 'phpbb.de' ); // This is the message displayed, if someone links to this site... $lang['Denied_Message'] = 'You are not authorized to view, download or link to this Site.'; // End of editable area // // Parse the order and evaluate the array // $site = explode('?', $HTTP_SERVER_VARS['HTTP_REFERER']); $url = trim($site[0]); //$url = $HTTP_HOST; if ($url != '') { $allowed = ($allow_deny_order == ALLOWED_DENIED) ? FALSE : TRUE; for ($i = 0; $i < count($sites); $i++) { if (strstr($url, $sites[$i])) { $allowed = ($allow_deny_order == ALLOWED_DENIED) ? TRUE : FALSE; break; } } } else { $allowed = TRUE; } if ($allowed == FALSE) { message_die(GENERAL_MESSAGE, $lang['Denied_Message']); } // Delete the following line, to uncomment this block */ $download_id = get_var('id', 0); $thumbnail = get_var('thumb', 0); // Send file to browser function send_file_to_browser($attachment, $upload_dir) { global $_SERVER, $HTTP_USER_AGENT, $HTTP_SERVER_VARS, $lang, $db, $attach_config; $filename = ($upload_dir == '') ? $attachment['physical_filename'] : $upload_dir . '/' . $attachment['physical_filename']; $gotit = FALSE; if (!intval($attach_config['allow_ftp_upload'])) { if (@!file_exists(@amod_realpath($filename))) { message_die(GENERAL_ERROR, $lang['Error_no_attachment'] . " 404 File Not Found: The File " . $filename . " does not exist."); } else { $gotit = TRUE; } } // // Determine the Browser the User is using, because of some nasty incompatibilities. // Most of the methods used in this function are from phpMyAdmin. :) // if (!empty($_SERVER['HTTP_USER_AGENT'])) { $HTTP_USER_AGENT = $_SERVER['HTTP_USER_AGENT']; } else if (!empty($HTTP_SERVER_VARS['HTTP_USER_AGENT'])) { $HTTP_USER_AGENT = $HTTP_SERVER_VARS['HTTP_USER_AGENT']; } else if (!isset($HTTP_USER_AGENT)) { $HTTP_USER_AGENT = ''; } if (ereg('Opera(/| )([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version)) { $browser_version = $log_version[2]; $browser_agent = 'opera'; } else if (ereg('MSIE ([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version)) { $browser_version = $log_version[1]; $browser_agent = 'ie'; } else if (ereg('OmniWeb/([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version)) { $browser_version = $log_version[1]; $browser_agent = 'omniweb'; } else if (ereg('Netscape([0-9]{1})', $HTTP_USER_AGENT, $log_version)) { $browser_version = $log_version[1]; $browser_agent = 'netscape'; } else if (ereg('Mozilla/([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version)) { $browser_version = $log_version[1]; $browser_agent = 'mozilla'; } else if (ereg('Konqueror/([0-9].[0-9]{1,2})', $HTTP_USER_AGENT, $log_version)) { $browser_version = $log_version[1]; $browser_agent = 'konqueror'; } else { $browser_version = 0; $browser_agent = 'other'; } // Correct the mime type - we force application/octetstream for all files, except images // Please do not change this, it is a security precaution if (!strstr($attachment['mimetype'], 'image')) { $attachment['mimetype'] = ($browser_agent == 'ie' || $browser_agent == 'opera') ? 'application/octetstream' : 'application/octet-stream'; } // Now the tricky part... let's dance // @ob_end_clean(); // @ini_set('zlib.output_compression', 'Off'); header('Pragma: public'); // header('Content-Transfer-Encoding: none'); // Send out the Headers header('Content-Type: ' . $attachment['mimetype'] . '; name="' . $attachment['real_filename'] . '"'); header('Content-Disposition: inline; filename="' . $attachment['real_filename'] . '"'); // // Now send the File Contents to the Browser // if ($gotit) { $size = @filesize($filename); if ($size) { header("Content-length: $size"); } readfile($filename); } else if (!$gotit && intval($attach_config['allow_ftp_upload'])) { $conn_id = attach_init_ftp(); $ini_val = ( @phpversion() >= '4.0.0' ) ? 'ini_get' : 'get_cfg_var'; $tmp_path = ( !@$ini_val('safe_mode') ) ? '/tmp' : $upload_dir . '/tmp'; $tmp_filename = @tempnam($tmp_path, 't0000'); @unlink($tmp_filename); $mode = FTP_BINARY; if ( (preg_match("/text/i", $attachment['mimetype'])) || (preg_match("/html/i", $attachment['mimetype'])) ) { $mode = FTP_ASCII; } $result = @ftp_get($conn_id, $tmp_filename, $filename, $mode); if (!$result) { message_die(GENERAL_ERROR, $lang['Error_no_attachment'] . " 404 File Not Found: The File " . $filename . " does not exist."); } @ftp_quit($conn_id); $size = @filesize($tmp_filename); if ($size) { header("Content-length: $size"); } readfile($tmp_filename); @unlink($tmp_filename); } else { message_die(GENERAL_ERROR, $lang['Error_no_attachment'] . " 404 File Not Found: The File " . $filename . " does not exist."); } exit; } // // End Functions // // // Start Session Management // $userdata = session_pagestart($user_ip, PAGE_INDEX); init_userprefs($userdata); if (!$download_id) { message_die(GENERAL_ERROR, $lang['No_attachment_selected']); } if ($attach_config['disable_mod'] && $userdata['user_level'] != ADMIN) { message_die(GENERAL_MESSAGE, $lang['Attachment_feature_disabled']); } $sql = 'SELECT * FROM ' . ATTACHMENTS_DESC_TABLE . " WHERE attach_id = $download_id"; if (!($result = $db->sql_query($sql))) { message_die(GENERAL_ERROR, 'Could not query attachment informations', '', __LINE__, __FILE__, $sql); } if (!($attachment = $db->sql_fetchrow($result))) { message_die(GENERAL_MESSAGE, $lang['Error_no_attachment']); } $attachment['physical_filename'] = basename($attachment['physical_filename']); $db->sql_freeresult($result); // get forum_id for attachment authorization or private message authorization $authorised = false; $sql = 'SELECT * FROM ' . ATTACHMENTS_TABLE . ' WHERE attach_id = ' . $attachment['attach_id']; if (!($result = $db->sql_query($sql))) { message_die(GENERAL_ERROR, 'Could not query attachment informations', '', __LINE__, __FILE__, $sql); } $auth_pages = $db->sql_fetchrowset($result); $num_auth_pages = $db->sql_numrows($result); for ($i = 0; $i < $num_auth_pages && $authorised == false; $i++) { if (intval($auth_pages[$i]['post_id']) != 0) { $sql = 'SELECT forum_id FROM ' . POSTS_TABLE . ' WHERE post_id = ' . $auth_pages[$i]['post_id']; if ( !($result = $db->sql_query($sql)) ) { message_die(GENERAL_ERROR, 'Could not query post information', '', __LINE__, __FILE__, $sql); } $row = $db->sql_fetchrow($result); $forum_id = $row['forum_id']; $is_auth = array(); $is_auth = auth(AUTH_ALL, $forum_id, $userdata); if ($is_auth['auth_download']) { $authorised = TRUE; } } else { if ( (intval($attach_config['allow_pm_attach'])) && ( ($userdata['user_id'] == $auth_pages[$i]['user_id_2']) || ($userdata['user_id'] == $auth_pages[$i]['user_id_1']) ) || ($userdata['user_level'] == ADMIN) ) { $authorised = TRUE; } } } if (!$authorised) { message_die(GENERAL_MESSAGE, $lang['Sorry_auth_view_attach']); } // // Get Information on currently allowed Extensions // $sql = "SELECT e.extension, g.download_mode FROM " . EXTENSION_GROUPS_TABLE . " g, " . EXTENSIONS_TABLE . " e WHERE (g.allow_group = 1) AND (g.group_id = e.group_id)"; if ( !($result = $db->sql_query($sql)) ) { message_die(GENERAL_ERROR, 'Could not query Allowed Extensions.', '', __LINE__, __FILE__, $sql); } $rows = $db->sql_fetchrowset($result); $num_rows = $db->sql_numrows($result); for ($i = 0; $i < $num_rows; $i++) { $extension = strtolower(trim($rows[$i]['extension'])); $allowed_extensions[] = $extension; $download_mode[$extension] = $rows[$i]['download_mode']; } // // disallowed ? // if ( (!in_array($attachment['extension'], $allowed_extensions)) && ($userdata['user_level'] != ADMIN) ) { message_die(GENERAL_MESSAGE, sprintf($lang['Extension_disabled_after_posting'], $attachment['extension'])); } $download_mode = intval($download_mode[$attachment['extension']]); if ($thumbnail) { $attachment['physical_filename'] = THUMB_DIR . '/t_' . $attachment['physical_filename']; } // // Update download count // if (!$thumbnail) { $sql = 'UPDATE ' . ATTACHMENTS_DESC_TABLE . ' SET download_count = download_count + 1 WHERE attach_id = ' . $attachment['attach_id']; if (!$db->sql_query($sql)) { message_die(GENERAL_ERROR, 'Couldn\'t update attachment download count', '', __LINE__, __FILE__, $sql); } } // // Determine the 'presenting'-method // if ($download_mode == PHYSICAL_LINK) { $server_protocol = ($board_config['cookie_secure']) ? 'https://' : 'http://'; $server_name = preg_replace('/^\/?(.*?)\/?$/', '\1', trim($board_config['server_name'])); $server_port = ($board_config['server_port'] <> 80) ? ':' . trim($board_config['server_port']) : ''; $script_name = preg_replace('/^\/?(.*?)\/?$/', '/\1', trim($board_config['script_path'])); if ($script_name[strlen($script_name)] != '/') { $script_name .= '/'; } if (intval($attach_config['allow_ftp_upload'])) { if (trim($attach_config['download_path']) == '') { message_die(GENERAL_ERROR, 'Physical Download not possible with the current Attachment Setting'); } $url = trim($attach_config['download_path']) . '/' . $attachment['physical_filename']; $redirect_path = $url; } else { $url = $upload_dir . '/' . $attachment['physical_filename']; // $url = preg_replace('/^\/?(.*?\/)?$/', '\1', trim($url)); $redirect_path = $server_protocol . $server_name . $server_port . $script_name . $url; } // Redirect via an HTML form for PITA webservers if (@preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE'))) { header('Refresh: 0; URL=' . $redirect_path); echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><meta http-equiv="refresh" content="0; url=' . $redirect_path . '"><title>Redirect</title></head><body><div align="center">If your browser does not support meta redirection please click <a href="' . $redirect_path . '">HERE</a> to be redirected</div></body></html>'; exit; } // Behave as per HTTP/1.1 spec for others header('Location: ' . $redirect_path); exit; } else { if (intval($attach_config['allow_ftp_upload'])) { // We do not need a download path, we are not downloading physically send_file_to_browser($attachment, ''); exit; } else { send_file_to_browser($attachment, $upload_dir); exit; } } ?>