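/**
 * Run the controller: stream the file named by the "file" request parameter.
 *
 * The requested path is answered with a 404 when it starts with a dot, contains
 * one or more dots directly followed by a slash, contains "://", lies outside the
 * configured upload directory, or is not an existing file. If the file has a
 * database record, the front end user is authenticated and the file and its
 * parent folders are checked with \Controller::isVisibleElement() before any
 * file content is sent.
 *
 * The method never returns; the script is terminated on every path.
 */
public function run()
{
    $strFile = \Input::get('file', true);

    if ($strFile != '') {
        // Make sure there are no attempts to hack the file system
        if (preg_match('@^\\.+@i', $strFile) || preg_match('@\\.+/@i', $strFile) || preg_match('@(://)+@i', $strFile)) {
            header('HTTP/1.1 404 Not Found');
            die('Invalid file name');
        }

        // Limit downloads to the files directory. The trailing slash anchors the
        // match at a directory boundary, so a sibling directory that merely shares
        // the prefix (constructed example: "<uploadPath>-old/x") is not accepted.
        $strUploadPath = rtrim((string) \Config::get('uploadPath'), '/');

        if (!preg_match('@^' . preg_quote($strUploadPath, '@') . '/@i', $strFile)) {
            header('HTTP/1.1 404 Not Found');
            die('Invalid path');
        }

        // Check whether the file exists
        if (!is_file(TL_ROOT . '/' . $strFile)) {
            header('HTTP/1.1 404 Not Found');
            die('File not found');
        }

        // Find the path in the database
        if (($objFile = \FilesModel::findOneByPath($strFile)) !== null) {
            // Authenticate the front end user
            \FrontendUser::getInstance()->authenticate();

            // Check whether the file itself is protected
            if (!\Controller::isVisibleElement($objFile)) {
                $objHandler = new $GLOBALS['TL_PTY']['error_403']();
                $objHandler->generate($strFile);

                // Stop here even if the handler returns, so a denied request
                // can never fall through to readfile() below
                exit;
            } elseif ($objFile->pid) {
                // Check whether any parent folder is protected
                do {
                    $objFile = \FilesModel::findById($objFile->pid);

                    // A parent id without a record ends the walk instead of
                    // dereferencing null.
                    // NOTE(review): decide whether a dangling parent id should
                    // deny the download rather than end the check.
                    if ($objFile === null) {
                        break;
                    }

                    if (!\Controller::isVisibleElement($objFile)) {
                        $objHandler = new $GLOBALS['TL_PTY']['error_403']();
                        $objHandler->generate($strFile);

                        // Same as above: a denied request must not reach readfile()
                        exit;
                    }
                } while ($objFile->pid);
            }
        }

        // Get the file
        $objFile = new \File($strFile);

        // Make sure no output buffer is active
        // @see http://ch2.php.net/manual/en/function.fpassthru.php#74080
        while (@ob_end_clean()) {
        }

        // Prevent session locking (see #2804)
        session_write_close();

        // Disable zlib.output_compression (see #6717)
        @ini_set('zlib.output_compression', 'Off');

        // Set headers
        // NOTE(review): no Content-Disposition is sent, so the browser decides
        // how to handle the declared type; confirm that is intended for
        // uploaded files a browser would render.
        header('Content-Type: ' . $objFile->mime);
        header('Content-Length: ' . $objFile->filesize);

        // Disable maximum execution time
        @ini_set('max_execution_time', 0);

        // Output the file
        readfile(TL_ROOT . '/' . $objFile->path);
    }

    // Stop the script (see #4565)
    exit;
}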
/**
 * Save callback for the DCA fields.
 *
 * URL-decodes the value and looks it up with \FilesModel::findOneByPath(). When a
 * record is found, the value is replaced by a {{file::*}} insert tag built from the
 * record's UUID; otherwise the value is returned unchanged.
 *
 * @param mixed $varValue The input value
 *
 * @return string The processed value
 */
public function saveCallback($varValue)
{
    $objFile = \FilesModel::findOneByPath(urldecode($varValue));

    // No matching file record: keep the value as it was submitted
    if ($objFile === null) {
        return $varValue;
    }

    // Versions below 3.5.1 go through \String, all others through \StringUtil
    $blnLegacy = version_compare(VERSION . '.' . BUILD, '3.5.1', '<');

    $uuid = $blnLegacy
        ? \String::binToUuid($objFile->uuid)
        : \StringUtil::binToUuid($objFile->uuid);

    // Hand back the insert tag instead of the path
    return "{{file::{$uuid}}}";
}