コード例 #1
 /**
  * Run the controller
  */
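 public function run()
 {
     // Serves the file named by the "file" request parameter, after validating
     // the path and checking the visibility of its database record and of all
     // parent folder records. The script always terminates here (see #4565).
     $strFile = \Input::get('file', true);
     if ($strFile != '') {
         // Reject leading dots, any "./" or "../" segment and URL schemes, so
         // the value cannot leave TL_ROOT or name a stream wrapper.
         if (preg_match('@^\\.+@i', $strFile) || preg_match('@\\.+/@i', $strFile) || preg_match('@(://)+@i', $strFile)) {
             header('HTTP/1.1 404 Not Found');
             die('Invalid file name');
         }
         // Limit downloads to the files directory. The trailing slash anchors
         // the match on a directory boundary: a bare prefix match would also
         // accept sibling directories whose name merely starts with the upload
         // path (e.g. "<uploadPath>-backup/...").
         $strUploadPath = rtrim((string) \Config::get('uploadPath'), '/');
         if (!preg_match('@^' . preg_quote($strUploadPath, '@') . '/@i', $strFile)) {
             header('HTTP/1.1 404 Not Found');
             die('Invalid path');
         }
         // Check whether the file exists
         if (!is_file(TL_ROOT . '/' . $strFile)) {
             header('HTTP/1.1 404 Not Found');
             die('File not found');
         }
         // Find the path in the database.
         // NOTE(review): a path without a FilesModel record skips every
         // visibility check below and is still served; confirm this is intended.
         if (($objFile = \FilesModel::findOneByPath($strFile)) !== null) {
             // Authenticate the frontend user
             \FrontendUser::getInstance()->authenticate();
             // Check the file itself, then every parent folder record.
             $objCurrent = $objFile;
             while ($objCurrent !== null) {
                 if (!\Controller::isVisibleElement($objCurrent)) {
                     $objHandler = new $GLOBALS['TL_PTY']['error_403']();
                     $objHandler->generate($strFile);
                     // Whether the handler ends the request is not visible
                     // here; stop explicitly so a denied request can never
                     // fall through to readfile() below.
                     exit;
                 }
                 if (!$objCurrent->pid) {
                     break;
                 }
                 // A dangling pid yields null, which ends the walk instead of
                 // dereferencing a missing record.
                 $objCurrent = \FilesModel::findById($objCurrent->pid);
             }
         }
         // Get the file
         $objFile = new \File($strFile);
         // Make sure no output buffer is active
         // @see http://ch2.php.net/manual/en/function.fpassthru.php#74080
         while (@ob_end_clean()) {
         }
         // Prevent session locking (see #2804)
         session_write_close();
         // Disable zlib.output_compression (see #6717)
         @ini_set('zlib.output_compression', 'Off');
         // Set headers.
         // NOTE(review): the file is sent without a Content-Disposition or
         // X-Content-Type-Options header, so the browser renders it in this
         // site's origin; consider both if uploads can contain HTML or SVG.
         header('Content-Type: ' . $objFile->mime);
         header('Content-Length: ' . $objFile->filesize);
         // Disable maximum execution time
         @ini_set('max_execution_time', 0);
         // Output the file
         readfile(TL_ROOT . '/' . $objFile->path);
     }
     // Stop the script (see #4565)
     exit;
 }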
コード例 #2
 /**
  * Save callback for the DCA fields.
  * Converts any file path to a {{file::*}} insert tag.
  *
  * @param mixed $varValue The input value
  *
  * @return string The processed value
  */
 public function saveCallback($varValue)
 {
     // Look up the database record for the URL-decoded path; values that do
     // not match a known file are passed through unchanged.
     $objModel = \FilesModel::findOneByPath(urldecode($varValue));
     if ($objModel === null) {
         return $varValue;
     }

     // Versions below 3.5.1 use \String, later ones \StringUtil, to turn the
     // binary UUID into its string form.
     $blnLegacy = version_compare(VERSION . '.' . BUILD, '3.5.1', '<');
     $uuid = $blnLegacy
         ? \String::binToUuid($objModel->uuid)
         : \StringUtil::binToUuid($objModel->uuid);

     // Replace the path with a {{file::*}} insert tag that references the UUID
     return "{{file::{$uuid}}}";
 }