<?php if (!defined("SYSPATH")) { die("No direct script access."); } // Kohana guard: this file is only ever loaded by the framework, never requested directly
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2013 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
/**
* Proxy access to files in var/albums and var/resizes, making sure that the session user has
* access to view these files.
*
* Security Philosophy: we do not use the information provided to find if the file exists on
* disk. We use this information only to locate the correct item in the database and then we
* *only* use information from the database to find and proxy the correct file. This way all user
* input is sanitized against the database before we perform any file I/O.
*/
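class File_Proxy_Controller extends Controller {
  // NOTE(review): presumably tells the private-gallery gate to let requests reach this
  // controller without a login; authorization is still enforced per item by access::can()
  // below, never by this flag.  Confirm against the code that consults it.
  const ALLOW_PRIVATE_GALLERY = true;

  // How long (seconds) browsers and caches may keep a proxied file: 30 days.  Used for both
  // the conditional-request check and the Expires/Cache-Control headers so they never drift.
  const CACHE_LIFETIME = 2592000;

  /**
   * Serve one file from var/albums, var/resizes or var/thumbs after checking that the session
   * user may see it.
   *
   * Implemented as __call so that every action name routed here is handled identically; the
   * request is parsed from REQUEST_URI rather than from the routed action/arguments.  The URI is
   * used only to look the item up in the database; the file that is actually read comes from
   * the item's own *_path() accessors (see the class comment on the security philosophy).
   *
   * Every rejection is a Kohana_404_Exception so a client cannot distinguish "does not exist"
   * from "not permitted".  The test_fail_code set on the exception only tells the test suite
   * which check tripped.
   *
   * @param string $function  routed action name; ignored
   * @param array  $args      routed action arguments; ignored
   * @return string the on-disk path that would have been served, in TEST_MODE only; otherwise
   *                the file is streamed to the client and nothing is returned
   * @throws Kohana_404_Exception if the request is outside var/ (1), names an unknown var
   *         subdirectory (2), matches no item (3), the user lacks "view" (4) or, for originals,
   *         "view_full" (5), the original is an album directory (6), or the file is absent (7)
   */
  public function __call($function, $args) {
    // Force zlib compression off. Image and movie files are already compressed and
    // recompressing them is CPU intensive.
    if (ini_get("zlib.output_compression")) {
      ini_set("zlib.output_compression", "Off");
    }

    // request_uri: gallery3/var/albums/foo/bar.jpg?m=1234
    $request_uri = rawurldecode(Input::instance()->server("REQUEST_URI"));

    // get rid of query parameters
    // request_uri: gallery3/var/albums/foo/bar.jpg
    $request_uri = preg_replace("/\?.*/", "", $request_uri);

    // var_uri: gallery3/var/
    $var_uri = url::file("var/");

    $compare_uri = url::file(ltrim($request_uri, '/'));

    // Make sure that the request is for a file inside var.
    // NOTE(review): the prefix test below runs on rawurldecode($compare_uri), but the slice
    // that produces $file_uri is taken from the undecoded $compare_uri.  That is only
    // consistent if url::file() leaves the "var/" prefix unencoded; if it percent-encodes
    // anything inside that prefix the slice offset is wrong.  Verify against url::file()
    // before changing either line.
    $offset = strpos(rawurldecode($compare_uri), $var_uri);
    if ($offset !== 0) {
      self::_not_found(1);
    }

    // file_uri: albums/foo/bar.jpg
    $file_uri = substr($compare_uri, strlen($var_uri));

    // type: albums
    // path: foo/bar.jpg
    // A request such as "var/albums" has no path component, so explode() yields a single
    // element and a bare list() assignment would raise an undefined-offset notice.  Default
    // the path to "" so the lookup below sees the same empty path, minus the notice.
    $parts = explode("/", $file_uri, 2);
    $type = $parts[0];
    $path = isset($parts[1]) ? $parts[1] : "";
    if (!in_array($type, array("albums", "resizes", "thumbs"), true)) {
      self::_not_found(2);
    }

    // Get the item model using the path and type (which corresponds to a var subdir)
    $item = item::find_by_path($path, $type);
    if (!$item->loaded()) {
      self::_not_found(3);
    }

    // Make sure we have access to the item
    if (!access::can("view", $item)) {
      self::_not_found(4);
    }

    // Make sure we have view_full access to the original.  Resizes and thumbs only need
    // "view", which is what lets a user see a reduced copy without the full-size file.
    if ($type === "albums" && !access::can("view_full", $item)) {
      self::_not_found(5);
    }

    // Don't try to load a directory
    if ($type === "albums" && $item->is_album()) {
      self::_not_found(6);
    }

    // Note: this code is roughly duplicated in data_rest, so if you modify this, please look to
    // see if you should make the same change there as well.
    // Only the database-recorded path is used from here on; nothing from the URI touches disk.
    $file = self::_file_for($item, $type);
    if (!file_exists($file)) {
      self::_not_found(7);
    }

    if (gallery::show_profiler()) {
      Profiler::enable();
      $profiler = new Profiler();
      $profiler->render();
      exit;
    }

    header("Content-Length: " . filesize($file));

    // Clear any Pragma header emitted earlier in the request (presumably session handling's
    // no-cache headers) so the caching headers below take effect -- confirm against the
    // session setup if this is ever changed.
    header("Pragma:");
    // Check that the content hasn't expired or it wasn't changed since cached
    expires::check(self::CACHE_LIFETIME, $item->updated);

    // We don't need to save the session for this request
    Session::instance()->abort_save();

    expires::set(self::CACHE_LIFETIME, $item->updated); // 30 days

    // Dump out the image. If the item is a movie or album, then its thumbnail will be a JPG.
    if (($item->is_movie() || $item->is_album()) && $type === "thumbs") {
      header("Content-Type: image/jpeg");
    } else {
      header("Content-Type: $item->mime_type");
    }
    // Defence in depth: the declared type comes from the database, but the bytes being served
    // were uploaded by a user.  Stop browsers from sniffing the body into a type (e.g. HTML)
    // that we did not declare.
    header("X-Content-Type-Options: nosniff");

    if (TEST_MODE) {
      return $file;
    }

    // Don't use Kohana::close_buffers(false) here because that only closes all the buffers
    // that Kohana started. We want to close *all* buffers at this point because otherwise we're
    // going to buffer up whatever file we're proxying (and it may be very large). This may
    // affect embedding or systems with PHP's output_buffering enabled.
    while (ob_get_level()) {
      if (!@ob_end_clean()) {
        // ob_end_clean() can return false if the buffer can't be removed for some reason
        // (zlib output compression buffers sometimes cause problems).
        break;
      }
    }
    readfile($file);
  }

  /**
   * Abort the request with a 404.  Every rejection looks identical to the client; the code is
   * attached to the exception solely so the test suite can tell which check failed.
   *
   * @param int $test_fail_code  identifier of the failed check (1..7, see __call)
   * @throws Kohana_404_Exception always
   */
  private static function _not_found($test_fail_code) {
    $e = new Kohana_404_Exception();
    $e->test_fail_code = $test_fail_code;
    throw $e;
  }

  /**
   * Map a var/ subdirectory name to the on-disk path the item model records for that variant.
   *
   * @param object $item  the model returned by item::find_by_path()
   * @param string $type  "albums", "resizes" or "thumbs"; anything else is treated as "thumbs",
   *                      matching the original fall-through, but callers validate first
   * @return string
   */
  private static function _file_for($item, $type) {
    switch ($type) {
    case "albums":
      return $item->file_path();
    case "resizes":
      return $item->resize_path();
    default:
      return $item->thumb_path();
    }
  }
}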