/** * Misc Settings Sanitization * * @since 1.6 * @param array $input The value inputted in the field * @return string $input Sanitizied value */ function edd_settings_sanitize_misc($input) { global $edd_options; if (!current_user_can('manage_shop_settings')) { return $input; } if (edd_get_file_download_method() != $input['download_method'] || !edd_htaccess_exists()) { // Force the .htaccess files to be updated if the Download method was changed. edd_create_protection_files(true, $input['download_method']); } if (!empty($input['enable_sequential']) && !edd_get_option('enable_sequential')) { // Shows an admin notice about upgrading previous order numbers EDD()->session->set('upgrade_sequential', '1'); } return $input; }
/** * Retrieve the .htaccess rules to wp-content/uploads/edd/ * * @since 1.6 * * @param bool $method * @return mixed|void The htaccess rules */ function edd_get_htaccess_rules($method = false) { if (empty($method)) { $method = edd_get_file_download_method(); } switch ($method) { case 'redirect': // Prevent directory browsing $rules = "Options -Indexes"; break; case 'direct': default: // Prevent directory browsing and direct access to all files, except images (they must be allowed for featured images / thumbnails) $allowed_filetypes = apply_filters('edd_protected_directory_allowed_filetypes', array('jpg', 'png', 'gif', 'mp3', 'ogg')); $rules = "Options -Indexes\n"; $rules .= "deny from all\n"; $rules .= "<FilesMatch '\\.(" . implode('|', $allowed_filetypes) . ")\$'>\n"; $rules .= "Order Allow,Deny\n"; $rules .= "Allow from all\n"; $rules .= "</FilesMatch>\n"; break; } $rules = apply_filters('edd_protected_directory_htaccess_rules', $rules, $method); return $rules; }
/** * Misc File Download Settings Sanitization * * @since 2.5 * @param array $input The value inputted in the field * @return string $input Sanitizied value */ function edd_settings_sanitize_misc_file_downloads($input) { if (!current_user_can('manage_shop_settings')) { return $input; } if (edd_get_file_download_method() != $input['download_method'] || !edd_htaccess_exists()) { // Force the .htaccess files to be updated if the Download method was changed. edd_create_protection_files(true, $input['download_method']); } return $input; }
/** * Process Download * * Handles the file download process. * * @access private * @since 1.0 * @return void */ function edd_process_download() { if (!isset($_GET['download_id']) && isset($_GET['download'])) { $_GET['download_id'] = $_GET['download']; } $args = apply_filters('edd_process_download_args', array('download' => isset($_GET['download_id']) ? (int) $_GET['download_id'] : '', 'email' => isset($_GET['email']) ? rawurldecode($_GET['email']) : '', 'expire' => isset($_GET['expire']) ? rawurldecode($_GET['expire']) : '', 'file_key' => isset($_GET['file']) ? (int) $_GET['file'] : '', 'price_id' => isset($_GET['price_id']) ? (int) $_GET['price_id'] : false, 'key' => isset($_GET['download_key']) ? $_GET['download_key'] : '', 'eddfile' => isset($_GET['eddfile']) ? $_GET['eddfile'] : '', 'ttl' => isset($_GET['ttl']) ? $_GET['ttl'] : '', 'token' => isset($_GET['token']) ? $_GET['token'] : '')); if (!empty($args['eddfile']) && !empty($args['ttl']) && !empty($args['token'])) { // Validate a signed URL that edd_process_signed_download_urlcontains a token $args = edd_process_signed_download_url($args); // Backfill some legacy super globals for backwards compatibility $_GET['download_id'] = $args['download']; $_GET['email'] = $args['email']; $_GET['expire'] = $args['expire']; $_GET['download_key'] = $args['key']; $_GET['price_id'] = $args['price_id']; } elseif (!empty($args['download']) && !empty($args['key']) && !empty($args['email']) && !empty($args['expire']) && isset($args['file_key'])) { // Validate a legacy URL without a token $args = edd_process_legacy_download_url($args); } else { return; } $args['has_access'] = apply_filters('edd_file_download_has_access', $args['has_access'], $args['payment'], $args); //$args['has_access'] = ( edd_logged_in_only() && is_user_logged_in() ) || !edd_logged_in_only() ? true : false; if ($args['payment'] && $args['has_access']) { do_action('edd_process_verified_download', $args['download'], $args['email'], $args['payment'], $args); // Determine the download method set in settings $method = edd_get_file_download_method(); // Payment has been verified, setup the download $download_files = edd_get_download_files($args['download']); $attachment_id = !empty($download_files[$args['file_key']]['attachment_id']) ? absint($download_files[$args['file_key']]['attachment_id']) : false; /* * If we have an attachment ID stored, use get_attached_file() to retrieve absolute URL * If this fails or returns a relative path, we fail back to our own absolute URL detection */ if ($attachment_id && 'attachment' == get_post_type($attachment_id)) { if ('redirect' == $method) { $attached_file = wp_get_attachment_url($attachment_id); } else { $attached_file = get_attached_file($attachment_id, false); // Confirm the file exists if (!file_exists($attached_file)) { $attached_file = false; } } if ($attached_file) { $requested_file = $attached_file; } } // If we didn't find a file from the attachment, grab the given URL if (!isset($requested_file)) { $requested_file = isset($download_files[$args['file_key']]['file']) ? $download_files[$args['file_key']]['file'] : ''; } // Allow the file to be altered before any headers are sent $requested_file = apply_filters('edd_requested_file', $requested_file, $download_files, $args['file_key']); if ('x_sendfile' == $method && (!function_exists('apache_get_modules') || !in_array('mod_xsendfile', apache_get_modules()))) { // If X-Sendfile is selected but is not supported, fallback to Direct $method = 'direct'; } $file_details = parse_url($requested_file); $schemes = array('http', 'https'); // Direct URL schemes if ((!isset($file_details['scheme']) || !in_array($file_details['scheme'], $schemes)) && isset($file_details['path']) && file_exists($requested_file)) { /** * Download method is seto to Redirect in settings but an absolute path was provided * We need to switch to a direct download in order for the file to download properly */ $method = 'direct'; } /** * Allow extensions to run actions prior to recording the file download log entry * * @since 2.6.14 */ do_action('edd_process_download_pre_record_log', $requested_file, $args, $method); // Record this file download in the log $user_info = array(); $user_info['email'] = $args['email']; if (is_user_logged_in()) { $user_data = get_userdata(get_current_user_id()); $user_info['id'] = get_current_user_id(); $user_info['name'] = $user_data->display_name; } edd_record_download_in_log($args['download'], $args['file_key'], $user_info, edd_get_ip(), $args['payment'], $args['price_id']); $file_extension = edd_get_file_extension($requested_file); $ctype = edd_get_file_ctype($file_extension); if (!edd_is_func_disabled('set_time_limit') && !ini_get('safe_mode')) { @set_time_limit(0); } if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime() && version_compare(phpversion(), '5.4', '<')) { set_magic_quotes_runtime(0); } @session_write_close(); if (function_exists('apache_setenv')) { @apache_setenv('no-gzip', 1); } @ini_set('zlib.output_compression', 'Off'); do_action('edd_process_download_headers', $requested_file, $args['download'], $args['email'], $args['payment']); nocache_headers(); header("Robots: none"); header("Content-Type: " . $ctype . ""); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=\"" . apply_filters('edd_requested_file_name', basename($requested_file)) . "\""); header("Content-Transfer-Encoding: binary"); // If the file isn't locally hosted, process the redirect if (filter_var($requested_file, FILTER_VALIDATE_URL) && !edd_is_local_file($requested_file)) { edd_deliver_download($requested_file, true); exit; } switch ($method) { case 'redirect': // Redirect straight to the file edd_deliver_download($requested_file, true); break; case 'direct': default: $direct = false; $file_path = $requested_file; if ((!isset($file_details['scheme']) || !in_array($file_details['scheme'], $schemes)) && isset($file_details['path']) && file_exists($requested_file)) { /** This is an absolute path */ $direct = true; $file_path = $requested_file; } else { if (defined('UPLOADS') && strpos($requested_file, UPLOADS) !== false) { /** * This is a local file given by URL so we need to figure out the path * UPLOADS is always relative to ABSPATH * site_url() is the URL to where WordPress is installed */ $file_path = str_replace(site_url(), '', $requested_file); $file_path = realpath(ABSPATH . $file_path); $direct = true; } else { if (strpos($requested_file, content_url()) !== false) { /** This is a local file given by URL so we need to figure out the path */ $file_path = str_replace(content_url(), WP_CONTENT_DIR, $requested_file); $file_path = realpath($file_path); $direct = true; } else { if (strpos($requested_file, set_url_scheme(content_url(), 'https')) !== false) { /** This is a local file given by an HTTPS URL so we need to figure out the path */ $file_path = str_replace(set_url_scheme(content_url(), 'https'), WP_CONTENT_DIR, $requested_file); $file_path = realpath($file_path); $direct = true; } } } } // Set the file size header header("Content-Length: " . @filesize($file_path)); // Now deliver the file based on the kind of software the server is running / has enabled if (stristr(getenv('SERVER_SOFTWARE'), 'lighttpd')) { header("X-LIGHTTPD-send-file: {$file_path}"); } elseif ($direct && (stristr(getenv('SERVER_SOFTWARE'), 'nginx') || stristr(getenv('SERVER_SOFTWARE'), 'cherokee'))) { // We need a path relative to the domain $file_path = str_ireplace(realpath($_SERVER['DOCUMENT_ROOT']), '', $file_path); header("X-Accel-Redirect: /{$file_path}"); } if ($direct) { edd_deliver_download($file_path); } else { // The file supplied does not have a discoverable absolute path edd_deliver_download($requested_file, true); } break; } edd_die(); } else { $error_message = __('You do not have permission to download this file', 'easy-digital-downloads'); wp_die(apply_filters('edd_deny_download_message', $error_message, __('Purchase Verification Failed', 'easy-digital-downloads')), __('Error', 'easy-digital-downloads'), array('response' => 403)); } exit; }
/** * Get system info * * @since 2.0 * @access public * @global object $wpdb Used to query the database using the WordPress Database API * @global array $edd_options Array of all EDD options * @return string $return A string containing the info to output */ function edd_tools_sysinfo_get() { global $wpdb, $edd_options; if (!class_exists('Browser')) { require_once EDD_PLUGIN_DIR . 'includes/libraries/browser.php'; } $browser = new Browser(); // Get theme info if (get_bloginfo('version') < '3.4') { $theme_data = get_theme_data(get_stylesheet_directory() . '/style.css'); $theme = $theme_data['Name'] . ' ' . $theme_data['Version']; } else { $theme_data = wp_get_theme(); $theme = $theme_data->Name . ' ' . $theme_data->Version; } // Try to identify the hosting provider $host = edd_get_host(); $return = '### Begin System Info ###' . "\n\n"; // Start with the basics... $return .= '-- Site Info' . "\n\n"; $return .= 'Site URL: ' . site_url() . "\n"; $return .= 'Home URL: ' . home_url() . "\n"; $return .= 'Multisite: ' . (is_multisite() ? 'Yes' : 'No') . "\n"; $return = apply_filters('edd_sysinfo_after_site_info', $return); // Can we determine the site's host? if ($host) { $return .= "\n" . '-- Hosting Provider' . "\n\n"; $return .= 'Host: ' . $host . "\n"; $return = apply_filters('edd_sysinfo_after_host_info', $return); } // The local users' browser information, handled by the Browser class $return .= "\n" . '-- User Browser' . "\n\n"; $return .= $browser; $return = apply_filters('edd_sysinfo_after_user_browser', $return); // WordPress configuration $return .= "\n" . '-- WordPress Configuration' . "\n\n"; $return .= 'Version: ' . get_bloginfo('version') . "\n"; $return .= 'Language: ' . (defined('WPLANG') && WPLANG ? WPLANG : 'en_US') . "\n"; $return .= 'Permalink Structure: ' . (get_option('permalink_structure') ? get_option('permalink_structure') : 'Default') . "\n"; $return .= 'Active Theme: ' . $theme . "\n"; $return .= 'Show On Front: ' . get_option('show_on_front') . "\n"; // Only show page specs if frontpage is set to 'page' if (get_option('show_on_front') == 'page') { $front_page_id = get_option('page_on_front'); $blog_page_id = get_option('page_for_posts'); $return .= 'Page On Front: ' . ($front_page_id != 0 ? get_the_title($front_page_id) . ' (#' . $front_page_id . ')' : 'Unset') . "\n"; $return .= 'Page For Posts: ' . ($blog_page_id != 0 ? get_the_title($blog_page_id) . ' (#' . $blog_page_id . ')' : 'Unset') . "\n"; } // Make sure wp_remote_post() is working $request['cmd'] = '_notify-validate'; $params = array('sslverify' => false, 'timeout' => 60, 'user-agent' => 'EDD/' . EDD_VERSION, 'body' => $request); $response = wp_remote_post('https://www.paypal.com/cgi-bin/webscr', $params); if (!is_wp_error($response) && $response['response']['code'] >= 200 && $response['response']['code'] < 300) { $WP_REMOTE_POST = 'wp_remote_post() works'; } else { $WP_REMOTE_POST = 'wp_remote_post() does not work'; } $return .= 'Remote Post: ' . $WP_REMOTE_POST . "\n"; $return .= 'Table Prefix: ' . 'Length: ' . strlen($wpdb->prefix) . ' Status: ' . (strlen($wpdb->prefix) > 16 ? 'ERROR: Too long' : 'Acceptable') . "\n"; $return .= 'WP_DEBUG: ' . (defined('WP_DEBUG') ? WP_DEBUG ? 'Enabled' : 'Disabled' : 'Not set') . "\n"; $return .= 'Memory Limit: ' . WP_MEMORY_LIMIT . "\n"; $return .= 'Registered Post Stati: ' . implode(', ', get_post_stati()) . "\n"; $return = apply_filters('edd_sysinfo_after_wordpress_config', $return); // EDD configuration $return .= "\n" . '-- EDD Configuration' . "\n\n"; $return .= 'Version: ' . EDD_VERSION . "\n"; $return .= 'Upgraded From: ' . get_option('edd_version_upgraded_from', 'None') . "\n"; $return .= 'Test Mode: ' . (edd_is_test_mode() ? "Enabled\n" : "Disabled\n"); $return .= 'Ajax: ' . (!edd_is_ajax_disabled() ? "Enabled\n" : "Disabled\n"); $return .= 'Guest Checkout: ' . (edd_no_guest_checkout() ? "Disabled\n" : "Enabled\n"); $return .= 'Symlinks: ' . (apply_filters('edd_symlink_file_downloads', isset($edd_options['symlink_file_downloads'])) && function_exists('symlink') ? "Enabled\n" : "Disabled\n"); $return .= 'Download Method: ' . ucfirst(edd_get_file_download_method()) . "\n"; $return .= 'Currency Code: ' . edd_get_currency() . "\n"; $return .= 'Currency Position: ' . edd_get_option('currency_position', 'before') . "\n"; $return .= 'Decimal Separator: ' . edd_get_option('decimal_separator', '.') . "\n"; $return .= 'Thousands Separator: ' . edd_get_option('thousands_separator', ',') . "\n"; $return = apply_filters('edd_sysinfo_after_edd_config', $return); // EDD pages $return .= "\n" . '-- EDD Page Configuration' . "\n\n"; $return .= 'Checkout: ' . (!empty($edd_options['purchase_page']) ? "Valid\n" : "Invalid\n"); $return .= 'Checkout Page: ' . (!empty($edd_options['purchase_page']) ? get_permalink($edd_options['purchase_page']) . "\n" : "Unset\n"); $return .= 'Success Page: ' . (!empty($edd_options['success_page']) ? get_permalink($edd_options['success_page']) . "\n" : "Unset\n"); $return .= 'Failure Page: ' . (!empty($edd_options['failure_page']) ? get_permalink($edd_options['failure_page']) . "\n" : "Unset\n"); $return .= 'Downloads Slug: ' . (defined('EDD_SLUG') ? '/' . EDD_SLUG . "\n" : "/downloads\n"); $return = apply_filters('edd_sysinfo_after_edd_pages', $return); // EDD gateways $return .= "\n" . '-- EDD Gateway Configuration' . "\n\n"; $active_gateways = edd_get_enabled_payment_gateways(); if ($active_gateways) { $default_gateway_is_active = edd_is_gateway_active(edd_get_default_gateway()); if ($default_gateway_is_active) { $default_gateway = edd_get_default_gateway(); $default_gateway = $active_gateways[$default_gateway]['admin_label']; } else { $default_gateway = 'Test Payment'; } $gateways = array(); foreach ($active_gateways as $gateway) { $gateways[] = $gateway['admin_label']; } $return .= 'Enabled Gateways: ' . implode(', ', $gateways) . "\n"; $return .= 'Default Gateway: ' . $default_gateway . "\n"; } else { $return .= 'Enabled Gateways: None' . "\n"; } $return = apply_filters('edd_sysinfo_after_edd_gateways', $return); // EDD Taxes $return .= "\n" . '-- EDD Tax Configuration' . "\n\n"; $return .= 'Taxes: ' . (edd_use_taxes() ? "Enabled\n" : "Disabled\n"); $return .= 'Tax Rate: ' . edd_get_tax_rate() * 100 . "\n"; $return .= 'Display On Checkout: ' . (!empty($edd_options['checkout_include_tax']) ? "Displayed\n" : "Not Displayed\n"); $return .= 'Prices Include Tax: ' . (edd_prices_include_tax() ? "Yes\n" : "No\n"); $rates = edd_get_tax_rates(); if (!empty($rates)) { $return .= 'Country / State Rates: ' . "\n"; foreach ($rates as $rate) { $return .= ' Country: ' . $rate['country'] . ', State: ' . $rate['state'] . ', Rate: ' . $rate['rate'] . "\n"; } } $return = apply_filters('edd_sysinfo_after_edd_taxes', $return); // EDD Templates $dir = get_stylesheet_directory() . '/edd_templates/*'; if (is_dir($dir) && count(glob("{$dir}/*")) !== 0) { $return .= "\n" . '-- EDD Template Overrides' . "\n\n"; foreach (glob($dir) as $file) { $return .= 'Filename: ' . basename($file) . "\n"; } $return = apply_filters('edd_sysinfo_after_edd_templates', $return); } // WordPress active plugins $return .= "\n" . '-- WordPress Active Plugins' . "\n\n"; $plugins = get_plugins(); $active_plugins = get_option('active_plugins', array()); foreach ($plugins as $plugin_path => $plugin) { if (!in_array($plugin_path, $active_plugins)) { continue; } $return .= $plugin['Name'] . ': ' . $plugin['Version'] . "\n"; } $return = apply_filters('edd_sysinfo_after_wordpress_plugins', $return); // WordPress inactive plugins $return .= "\n" . '-- WordPress Inactive Plugins' . "\n\n"; foreach ($plugins as $plugin_path => $plugin) { if (in_array($plugin_path, $active_plugins)) { continue; } $return .= $plugin['Name'] . ': ' . $plugin['Version'] . "\n"; } $return = apply_filters('edd_sysinfo_after_wordpress_plugins_inactive', $return); if (is_multisite()) { // WordPress Multisite active plugins $return .= "\n" . '-- Network Active Plugins' . "\n\n"; $plugins = wp_get_active_network_plugins(); $active_plugins = get_site_option('active_sitewide_plugins', array()); foreach ($plugins as $plugin_path) { $plugin_base = plugin_basename($plugin_path); if (!array_key_exists($plugin_base, $active_plugins)) { continue; } $plugin = get_plugin_data($plugin_path); $return .= $plugin['Name'] . ': ' . $plugin['Version'] . "\n"; } $return = apply_filters('edd_sysinfo_after_wordpress_ms_plugins', $return); } // Server configuration (really just versioning) $return .= "\n" . '-- Webserver Configuration' . "\n\n"; $return .= 'PHP Version: ' . PHP_VERSION . "\n"; $return .= 'MySQL Version: ' . $wpdb->db_version() . "\n"; $return .= 'Webserver Info: ' . $_SERVER['SERVER_SOFTWARE'] . "\n"; $return = apply_filters('edd_sysinfo_after_webserver_config', $return); // PHP configs... now we're getting to the important stuff $return .= "\n" . '-- PHP Configuration' . "\n\n"; $return .= 'Safe Mode: ' . (ini_get('safe_mode') ? 'Enabled' : 'Disabled' . "\n"); $return .= 'Memory Limit: ' . ini_get('memory_limit') . "\n"; $return .= 'Upload Max Size: ' . ini_get('upload_max_filesize') . "\n"; $return .= 'Post Max Size: ' . ini_get('post_max_size') . "\n"; $return .= 'Upload Max Filesize: ' . ini_get('upload_max_filesize') . "\n"; $return .= 'Time Limit: ' . ini_get('max_execution_time') . "\n"; $return .= 'Max Input Vars: ' . ini_get('max_input_vars') . "\n"; $return .= 'Display Errors: ' . (ini_get('display_errors') ? 'On (' . ini_get('display_errors') . ')' : 'N/A') . "\n"; $return = apply_filters('edd_sysinfo_after_php_config', $return); // PHP extensions and such $return .= "\n" . '-- PHP Extensions' . "\n\n"; $return .= 'cURL: ' . (function_exists('curl_init') ? 'Supported' : 'Not Supported') . "\n"; $return .= 'fsockopen: ' . (function_exists('fsockopen') ? 'Supported' : 'Not Supported') . "\n"; $return .= 'SOAP Client: ' . (class_exists('SoapClient') ? 'Installed' : 'Not Installed') . "\n"; $return .= 'Suhosin: ' . (extension_loaded('suhosin') ? 'Installed' : 'Not Installed') . "\n"; $return = apply_filters('edd_sysinfo_after_php_ext', $return); // Session stuff $return .= "\n" . '-- Session Configuration' . "\n\n"; $return .= 'EDD Use Sessions: ' . (defined('EDD_USE_PHP_SESSIONS') && EDD_USE_PHP_SESSIONS ? 'Enforced' : (EDD()->session->use_php_sessions() ? 'Enabled' : 'Disabled')) . "\n"; $return .= 'Session: ' . (isset($_SESSION) ? 'Enabled' : 'Disabled') . "\n"; // The rest of this is only relevant is session is enabled if (isset($_SESSION)) { $return .= 'Session Name: ' . esc_html(ini_get('session.name')) . "\n"; $return .= 'Cookie Path: ' . esc_html(ini_get('session.cookie_path')) . "\n"; $return .= 'Save Path: ' . esc_html(ini_get('session.save_path')) . "\n"; $return .= 'Use Cookies: ' . (ini_get('session.use_cookies') ? 'On' : 'Off') . "\n"; $return .= 'Use Only Cookies: ' . (ini_get('session.use_only_cookies') ? 'On' : 'Off') . "\n"; } $return = apply_filters('edd_sysinfo_after_session_config', $return); $return .= "\n" . '### End System Info ###'; return $return; }
/** * Process add-on Downloads * * Handles the file download process for add-ons. * * @access private * @since 1.1 * @return void */ function affwp_process_add_on_download() { if (!isset($_GET['add_on'])) { return; } if (!is_user_logged_in()) { return; } $add_on = absint($_GET['add_on']); if ('download' != get_post_type($add_on)) { return; } $has_ultimate_license = in_array(3, affwp_get_users_price_ids()); $has_professional_license = in_array(2, affwp_get_users_price_ids()); if (!($has_ultimate_license || $has_professional_license)) { wp_die('You need either an Ultimate or Professional license to download this add-on', 'Error', array('response' => 403)); } $user_info = array(); $user_data = get_userdata(get_current_user_id()); $user_info['email'] = $user_data->user_email; $user_info['id'] = $user_data->ID; $user_info['name'] = $user_data->display_name; edd_record_download_in_log($add_on, 0, $user_info, edd_get_ip(), 0, 0); $download_files = edd_get_download_files($add_on); $requested_file = $download_files[0]['file']; $file_extension = edd_get_file_extension($requested_file); $ctype = edd_get_file_ctype($file_extension); if (!edd_is_func_disabled('set_time_limit') && !ini_get('safe_mode')) { set_time_limit(0); } if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) { set_magic_quotes_runtime(0); } @session_write_close(); if (function_exists('apache_setenv')) { @apache_setenv('no-gzip', 1); } @ini_set('zlib.output_compression', 'Off'); nocache_headers(); header("Robots: none"); header("Content-Type: " . $ctype . ""); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=\"" . basename($requested_file) . "\""); header("Content-Transfer-Encoding: binary"); $method = edd_get_file_download_method(); if ('x_sendfile' == $method && (!function_exists('apache_get_modules') || !in_array('mod_xsendfile', apache_get_modules()))) { // If X-Sendfile is selected but is not supported, fallback to Direct $method = 'direct'; } switch ($method) { case 'redirect': // Redirect straight to the file header("Location: " . $requested_file); break; case 'direct': default: $direct = false; $file_details = parse_url($requested_file); $schemes = array('http', 'https'); // Direct URL schemes if ((!isset($file_details['scheme']) || !in_array($file_details['scheme'], $schemes)) && isset($file_details['path']) && file_exists($requested_file)) { /** This is an absolute path */ $direct = true; $file_path = $requested_file; } else { if (defined('UPLOADS') && strpos($requested_file, UPLOADS) !== false) { /** * This is a local file given by URL so we need to figure out the path * UPLOADS is always relative to ABSPATH * site_url() is the URL to where WordPress is installed */ $file_path = str_replace(site_url(), '', $requested_file); $file_path = realpath(ABSPATH . $file_path); $direct = true; } else { if (strpos($requested_file, WP_CONTENT_URL) !== false) { /** This is a local file given by URL so we need to figure out the path */ $file_path = str_replace(WP_CONTENT_URL, WP_CONTENT_DIR, $requested_file); $file_path = realpath($file_path); $direct = true; } } } // Now deliver the file based on the kind of software the server is running / has enabled if (function_exists('apache_get_modules') && in_array('mod_xsendfile', apache_get_modules())) { header("X-Sendfile: {$file_path}"); } elseif (stristr(getenv('SERVER_SOFTWARE'), 'lighttpd')) { header("X-LIGHTTPD-send-file: {$file_path}"); } elseif (stristr(getenv('SERVER_SOFTWARE'), 'nginx') || stristr(getenv('SERVER_SOFTWARE'), 'cherokee')) { // We need a path relative to the domain $file_path = str_ireplace($_SERVER['DOCUMENT_ROOT'], '', $file_path); header("X-Accel-Redirect: /{$file_path}"); } else { if ($direct) { edd_deliver_download($file_path); } else { // The file supplied does not have a discoverable absolute path header("Location: " . $requested_file); } } break; } edd_die(); exit; }
/** * Retrieve the .htaccess rules to wp-content/uploads/edd/ * * @since 1.6 * @return string The htaccess rules */ function edd_get_htaccess_rules() { $method = edd_get_file_download_method(); switch ($method) { case 'redirect': // Prevent directory browsing $rules = "Options -Indexes"; break; case 'direct': default: // Prevent directory browsing and direct access to all files, except images (they must be allowed for featured images / thumbnails) $rules = "Options -Indexes\n"; $rules .= "deny from all\n"; $rules .= "<FilesMatch '\\.(jpg|png|gif)\$'>\n"; $rules .= "Order Allow,Deny\n"; $rules .= "Allow from all\n"; $rules .= "</FilesMatch>\n"; break; } $rules = apply_filters('edd_protected_directory_htaccess_rules', $rules); return $rules; }
/** * Process Download * * Handles the file download process. * * @access private * @since 1.0 * @return void */ function edd_process_download() { $args = apply_filters('edd_process_download_args', array('download' => isset($_GET['download']) ? (int) $_GET['download'] : '', 'email' => isset($_GET['email']) ? rawurldecode($_GET['email']) : '', 'expire' => isset($_GET['expire']) ? base64_decode(rawurldecode($_GET['expire'])) : '', 'file_key' => isset($_GET['file']) ? (int) $_GET['file'] : '', 'price_id' => isset($_GET['price_id']) ? (int) $_GET['price_id'] : false, 'key' => isset($_GET['download_key']) ? $_GET['download_key'] : '')); if ($args['download'] === '' || $args['email'] === '' || $args['file_key'] === '') { return false; } extract($args); $payment = edd_verify_download_link($download, $key, $email, $expire, $file_key); // Defaulting this to true for now because the method below doesn't work well $has_access = apply_filters('edd_file_download_has_access', true, $payment, $args); //$has_access = ( edd_logged_in_only() && is_user_logged_in() ) || !edd_logged_in_only() ? true : false; if ($payment && $has_access) { do_action('edd_process_verified_download', $download, $email); // Payment has been verified, setup the download $download_files = edd_get_download_files($download); $requested_file = apply_filters('edd_requested_file', $download_files[$file_key]['file'], $download_files, $file_key); $user_info = array(); $user_info['email'] = $email; if (is_user_logged_in()) { global $user_ID; $user_data = get_userdata($user_ID); $user_info['id'] = $user_ID; $user_info['name'] = $user_data->display_name; } edd_record_download_in_log($download, $file_key, $user_info, edd_get_ip(), $payment); $file_extension = edd_get_file_extension($requested_file); $ctype = edd_get_file_ctype($file_extension); if (!edd_is_func_disabled('set_time_limit') && !ini_get('safe_mode')) { set_time_limit(0); } if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) { set_magic_quotes_runtime(0); } @session_write_close(); if (function_exists('apache_setenv')) { @apache_setenv('no-gzip', 1); } @ini_set('zlib.output_compression', 'Off'); nocache_headers(); header("Robots: none"); header("Content-Type: " . $ctype . ""); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=\"" . apply_filters('edd_requested_file_name', basename($requested_file)) . "\";"); header("Content-Transfer-Encoding: binary"); $method = edd_get_file_download_method(); switch ($method) { case 'redirect': // Redirect straight to the file header("Location: " . $requested_file); break; case 'direct': default: $file_path = realpath($requested_file); if (strpos($requested_file, 'http://') === false && strpos($requested_file, 'https://') === false && strpos($requested_file, 'ftp://') === false && file_exists($file_path)) { /** This is an absolute path */ edd_deliver_download($file_path); } else { if (strpos($requested_file, WP_CONTENT_URL) !== false) { /** This is a local file given by URL so we need to figure out the path */ $upload_dir = wp_upload_dir(); $file_path = str_replace(WP_CONTENT_URL, WP_CONTENT_DIR, $requested_file); $file_path = realpath($file_path); edd_deliver_download($file_path); } else { // This is a remote file, but since we are using the Direct method, we have to simply redirect to it header("Location: " . $requested_file); } } break; } edd_die(); } else { $error_message = __('You do not have permission to download this file', 'edd'); wp_die(apply_filters(' edd_deny_download_message', $error_message, __('Purchase Verification Failed', 'edd'))); } exit; }
/** * Deliver the file download * * @since 3.2.4 * @return void */ public function process_package_download() { if (isset($_GET['key']) && isset($_GET['id']) && isset($_GET['license']) && isset($_GET['expires'])) { $id = absint(urldecode($_GET['id'])); $hash = urldecode($_GET['key']); $license = sanitize_text_field(urldecode($_GET['license'])); $expires = is_numeric($_GET['expires']) ? $_GET['expires'] : urldecode(base64_decode($_GET['expires'])); do_action('edd_sl_before_package_download', $id, $hash, $license, $expires); if (time() > $expires) { wp_die(__('Your download link has expired', 'edd_sl'), __('Error', 'edd_sl'), array('response' => 401)); } if (empty($license)) { wp_die(__('No license key provided', 'edd_sl'), __('Error', 'edd_sl'), array('response' => 401)); } if (!edd_software_licensing()->is_download_id_valid_for_license($id, $license)) { wp_die(__('Invalid license supplied', 'edd_sl'), __('Error', 'edd_sl'), array('response' => 401)); } $requested_file = $this->get_download_package($id, $license, $hash, $expires); $file_extension = edd_get_file_extension($requested_file); $ctype = edd_get_file_ctype($file_extension); if (!edd_is_func_disabled('set_time_limit') && !ini_get('safe_mode')) { set_time_limit(0); } if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) { set_magic_quotes_runtime(0); } @session_write_close(); if (function_exists('apache_setenv')) { @apache_setenv('no-gzip', 1); } @ini_set('zlib.output_compression', 'Off'); nocache_headers(); header("Robots: none"); header("Content-Type: " . $ctype . ""); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=\"" . apply_filters('edd_requested_file_name', basename($requested_file)) . "\";"); header("Content-Transfer-Encoding: binary"); $method = edd_get_file_download_method(); if ('x_sendfile' == $method && (!function_exists('apache_get_modules') || !in_array('mod_xsendfile', apache_get_modules()))) { // If X-Sendfile is selected but is not supported, fallback to Direct $method = 'direct'; } $file_details = parse_url($requested_file); $schemes = array('http', 'https'); // Direct URL schemes if ((!isset($file_details['scheme']) || !in_array($file_details['scheme'], $schemes)) && isset($file_details['path']) && file_exists($requested_file)) { /** * Download method is set to to Redirect in settings but an absolute path was provided * We need to switch to a direct download in order for the file to download properly */ $method = 'direct'; } switch ($method) { case 'redirect': // Redirect straight to the file header("Location: " . $requested_file); break; case 'direct': default: $direct = false; if ((!isset($file_details['scheme']) || !in_array($file_details['scheme'], $schemes)) && isset($file_details['path']) && file_exists($requested_file)) { /** This is an absolute path */ $direct = true; $file_path = $requested_file; } else { if (defined('UPLOADS') && strpos($requested_file, UPLOADS) !== false) { /** * This is a local file given by URL so we need to figure out the path * UPLOADS is always relative to ABSPATH * site_url() is the URL to where WordPress is installed */ $file_path = str_replace(site_url(), '', $requested_file); $file_path = realpath(ABSPATH . $file_path); $direct = true; } else { if (strpos($requested_file, WP_CONTENT_URL) !== false) { /** This is a local file given by URL so we need to figure out the path */ $file_path = str_replace(WP_CONTENT_URL, WP_CONTENT_DIR, $requested_file); $file_path = realpath($file_path); $direct = true; } } } // Now deliver the file based on the kind of software the server is running / has enabled if (function_exists('apache_get_modules') && in_array('mod_xsendfile', apache_get_modules())) { header("X-Sendfile: {$file_path}"); } elseif (stristr(getenv('SERVER_SOFTWARE'), 'lighttpd')) { header("X-LIGHTTPD-send-file: {$file_path}"); } elseif (stristr(getenv('SERVER_SOFTWARE'), 'nginx') || stristr(getenv('SERVER_SOFTWARE'), 'cherokee')) { // We need a path relative to the domain $file_path = str_ireplace($_SERVER['DOCUMENT_ROOT'], '', $file_path); header("X-Accel-Redirect: /{$file_path}"); } if ($direct) { edd_deliver_download($file_path); } else { // The file supplied does not have a discoverable absolute path header("Location: " . $requested_file); } break; } edd_die(); } else { wp_die(__('You do not have permission to download this file', 'edd_sl'), __('Error', 'edd_sl'), array('response' => 401)); } exit; }