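/**
 * Load the content of the given item. ($element MUST be an absolute path!)
 *
 * The item is resolved to a canonical filesystem path with realpath() and is only read when
 * that path is a regular file located inside the $root directory tree. Anything else ends the
 * request with a 404 response.
 *
 * Note that this function does 'fixup' the loaded content, which MAY result in recursive
 * invocation of this function to load each of the detected sub-items. This way we can easily
 * handle 'flattening' CSS which uses the @import statement, etc.
 *
 * @param string $type      item type: 'css' is routed to fixup_css(), anything else to fixup_js()
 * @param string $http_base handed through to the fixup helper unchanged
 * @param string $base      directory against which $element is resolved
 * @param string $root      directory tree the resolved file has to live in; the check compares it
 *                          against the '/'-normalised realpath() result
 * @param string $element   the item to load; appended to $base
 *
 * @return mixed the content as returned by fixup_css() / fixup_js(); when the global
 *               $do_not_load flag is set the file is not read and the helpers receive ''
 */
function load_one($type, $http_base, $base, $root, $element)
{
    global $do_not_load;

    $uri = path_remove_dot_segments($base . '/' . $element);
    /* Windows can handle '/' so we're OK with the replace here; makes the prefix test below work on all platforms */
    $path = str_replace("\\", '/', realpath($uri));

    /*
     * Only allow a load when the CSS/JS is indeed within document-root.
     *
     * The decision is taken on the canonical path returned by realpath(), i.e. after symlinks
     * and any remaining '..' segments have been resolved. A request which tries to climb out
     * of the tree, say
     *       ../../../../../../../../../etc/passwd
     * therefore ends up with a path which no longer starts with $root and is refused.
     *
     * The root is compared WITH a trailing '/': a bare prefix test would also accept a sibling
     * directory whose name merely starts with the root's name (example: root '/srv/www' versus
     * a file below '/srv/www-private/').
     */
    $root_prefix = rtrim($root, '/') . '/';

    $my_content = null;
    if (is_file($path) && strpos($path, $root_prefix) === 0) {
        $my_content = '';
        if (!$do_not_load) {
            $my_content = file_get_contents($path);
        }
    } else {
        send_response_status_header(404); // Not Found
        // NOTE(review): this response body contains the server-side $base / $root / resolved path;
        // consider writing those to a log and sending only the status text to the client.
        die("\n" . get_response_code_string(404) . " - Combiner: not a legal path: {$type}, {$http_base}, \n{$base}, \n{$root}, {$element}, \n{$uri} --> {$path}, " . strpos($path, $root));
    }

    // file_get_contents() signals a read failure with FALSE
    if ($my_content === false) {
        send_response_status_header(404); // Not Found
        die("\n" . get_response_code_string(404) . " - Combiner: failed to load data from file: type='{$type}', element='{$element}'\n");
    }

    switch ($type) {
        case 'css':
            /*
             * Before we go and optimize the CSS (or not), we fix up the CSS for IE7/8/... by adding the
             *
             *          behavior: url(PIE.php);
             *
             * line in every definition which has a 'border-radius'.
             *
             * We do it this way to ensure all styles are patched correctly; previously this was done by hand in the
             * various CSS files, resulting in quite a few omissions in the base css files and also the templates' ones.
             *
             * As we now force all CSS+JS requests through here, we can easily fix this kind of oddity very consistently
             * by performing the fix in code, right here.
             *
             * As the result is cached, this effort is only required once. Which would happen at install time when
             * you run the 'cache priming' action, resulting in a fully set up cache when you go 'live'.
             */
            $my_content = fixup_css($my_content, $http_base, $type, $base, $root, $element);
            break;

        default:
            $my_content = fixup_js($my_content, $http_base, $type, $base, $root, $element);
            break;
    }

    return $my_content;
}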
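/**
 * Process the 'download' event
 *
 * Send the file content of the specified file for download by the client.
 * Only files residing within the directory tree rooted by the
 * 'basedir' (options['URLpath4FileManagedDirTree']) will be allowed to be downloaded.
 *
 * Expected parameters:
 *
 * $_POST['file']    filepath of the file to be downloaded
 *
 * $_POST['filter']  optional mimetype filter string, may be the part up to and
 *                   including the slash '/' or the full mimetype. Only files
 *                   matching this (set of) mimetypes can be downloaded.
 *                   Examples: 'image/' or 'application/zip'
 *
 * The request is validated in this order: the 'download' option must be enabled, the
 * requested path must map to a readable regular file, its mime type must pass the filter
 * and, when options['DownloadIsAuthorized_cb'] names an existing function, that callback
 * must approve. The callback receives the collected $fileinfo and its (possibly adjusted)
 * values are the ones used for the actual transfer.
 *
 * On errors a HTTP 403 error response will be sent instead; its body is a JSON encoded
 * error report served as text/plain.
 */
protected function onDownload()
{
    $emsg = null;
    $file_arg = null;
    $file = null;
    $jserr = array('status' => 1);

    try {
        if (!$this->options['download']) {
            throw new FileManagerException('disabled:download');
        }

        // fail closed: the request is treated as 'no such file' until every check below has passed
        $v_ex_code = 'nofile';

        $file_arg = $this->getPOSTparam('file');

        $mime_filter = $this->getPOSTparam('filter', $this->options['filter']);
        $mime_filters = $this->getAllowedMimeTypes($mime_filter);

        $legal_url = null;
        $file = null;
        $mime = null;
        $meta = null;
        if (!empty($file_arg)) {
            $legal_url = $this->rel2abs_legal_url_path($file_arg);

            // must transform here so alias/etc. expansions inside legal_url_path2file_path() get a chance:
            $file = $this->legal_url_path2file_path($legal_url);

            if (is_readable($file)) {
                if (is_file($file)) {
                    $meta = $this->getFileInfo($file, $legal_url);
                    $mime = $meta->getMimeType();
                    if (!$this->IsAllowedMimeType($mime, $mime_filters)) {
                        $v_ex_code = 'extension';
                    } else {
                        $v_ex_code = null;
                    }
                } else {
                    // directories are never downloadable: $v_ex_code stays at 'nofile'
                    $mime = 'text/directory';
                }
            }
        }

        $fileinfo = array(
            'legal_url' => $legal_url,
            'file' => $file,
            'mime' => $mime,
            'meta_data' => $meta,
            'mime_filter' => $mime_filter,
            'mime_filters' => $mime_filters,
            'validation_failure' => $v_ex_code
        );

        // NOTE(review): when the option names something which is not a defined function, the
        // authorization callback is skipped silently and only the checks above apply.
        if (!empty($this->options['DownloadIsAuthorized_cb']) && function_exists($this->options['DownloadIsAuthorized_cb']) && !$this->options['DownloadIsAuthorized_cb']($this, 'download', $fileinfo)) {
            $v_ex_code = $fileinfo['validation_failure'];
            if (empty($v_ex_code)) {
                $v_ex_code = 'authorized';
            }
        }
        if (!empty($v_ex_code)) {
            throw new FileManagerException($v_ex_code);
        }

        // pick up the values again, as the values are read back from $fileinfo after the callback ran
        $legal_url = $fileinfo['legal_url'];
        $file = $fileinfo['file'];
        $meta = $fileinfo['meta_data'];
        $mime = $fileinfo['mime'];
        $mime_filter = $fileinfo['mime_filter'];
        $mime_filters = $fileinfo['mime_filters'];

        if ($fd = fopen($file, 'rb')) {
            $fsize = filesize($file);
            $fi = pathinfo($legal_url);

            // The basename derives from the request-supplied path and is placed inside a quoted
            // header parameter: replace control characters, double quotes and backslashes so the
            // name can neither end the quoted string nor the header line.
            $dl_name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $fi['basename']);
            if ($dl_name === null) {
                $dl_name = 'download';
            }

            $hdrs = array();
            // see also: http://www.boutell.com/newfaq/creating/forcedownload.html
            switch ($mime) {
                // add here more mime types for different file types and special handling by the client on download
                case 'application/pdf':
                    $hdrs[] = 'Content-Type: ' . $mime;
                    break;

                default:
                    // everything else is sent as opaque binary, whatever mime type was detected
                    $hdrs[] = 'Content-Type: application/octet-stream';
                    break;
            }
            $hdrs[] = 'Content-Disposition: attachment; filename="' . $dl_name . '"'; // use 'attachment' to force a download
            if ($fsize !== false) {
                // filesize() reports FALSE on failure; leave the header out rather than send an empty value
                $hdrs[] = 'Content-length: ' . $fsize;
            }
            $hdrs[] = 'Expires: 0';
            $hdrs[] = 'Cache-Control: must-revalidate, post-check=0, pre-check=0';
            $hdrs[] = '!Cache-Control: private'; // flag as FORCED APPEND; use this to open files directly

            $this->sendHttpHeaders($hdrs);

            fpassthru($fd);
            fclose($fd);
            return;
        }

        $emsg = 'read_error';
    } catch (FileManagerException $e) {
        $emsg = $e->getMessage();
    } catch (Exception $e) {
        // catching other severe failures; since this can be anything and should only happen in the direst of circumstances, we don't bother translating
        $emsg = $e->getMessage();
    }

    // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
    send_response_status_header(403);

    // NOTE(review): the resolved server-side path ($file) is handed to the error report here;
    // confirm that modify_json4exception() does not expose it to clients in production.
    $this->modify_json4exception($jserr, $emsg, 'file = ' . $this->mkSafe4Display($file_arg . ', destination path = ' . $file));

    $this->sendHttpHeaders('Content-Type: text/plain'); // Safer for iframes: the 'application/json' mime type would cause FF3.X to pop up a save/view dialog when transmitting these error reports!

    // when we fail here, it's pretty darn bad and nothing to it.
    // just push the error JSON and go.
    echo json_encode($jserr);
}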
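/**
 * Process the 'download' event
 *
 * Send the file content of the specified file for download by the client.
 * Only files residing within the directory tree rooted by the
 * 'basedir' (options['directory']) will be allowed to be downloaded.
 *
 * Expected parameters:
 *
 * $_POST['file']    filepath of the file to be downloaded
 *
 * $_POST['filter']  optional mimetype filter string, may be the part up to and
 *                   including the slash '/' or the full mimetype. Only files
 *                   matching this (set of) mimetypes can be downloaded.
 *                   Examples: 'image/' or 'application/zip'
 *
 * The request is validated in this order: the 'download' option must be enabled, the
 * requested path must map to a readable regular file, its mime type must pass the filter
 * and, when options['DownloadIsAuthorized_cb'] names an existing function, that callback
 * must approve. The callback receives the collected $fileinfo and its (possibly adjusted)
 * values are the ones used for the actual transfer.
 *
 * On errors a HTTP 403 error response will be sent instead, with the exception message as body.
 */
protected function onDownload()
{
    try {
        if (!$this->options['download']) {
            throw new FileManagerException('disabled');
        }

        // fail closed: the request is treated as 'no such file' until every check below has passed
        $v_ex_code = 'nofile';

        $file_arg = $this->getPOSTparam('file');

        $mime_filter = $this->getPOSTparam('filter', $this->options['filter']);
        $mime_filters = $this->getAllowedMimeTypes($mime_filter);

        $legal_url = null;
        $file = null;
        $mime = null;
        $meta = null;
        if (!empty($file_arg)) {
            $legal_url = $this->rel2abs_legal_url_path($file_arg);

            // must transform here so alias/etc. expansions inside legal_url_path2file_path() get a chance:
            $file = $this->legal_url_path2file_path($legal_url);

            if (is_readable($file)) {
                if (is_file($file)) {
                    $meta = $this->getFileInfo($file, $legal_url);
                    $mime = $meta->getMimeType();
                    if (!$this->IsAllowedMimeType($mime, $mime_filters)) {
                        $v_ex_code = 'extension';
                    } else {
                        $v_ex_code = null;
                    }
                } else {
                    // directories are never downloadable: $v_ex_code stays at 'nofile'
                    $mime = 'text/directory';
                }
            }
        }

        $fileinfo = array(
            'legal_url' => $legal_url,
            'file' => $file,
            'mime' => $mime,
            'meta_data' => $meta,
            'mime_filter' => $mime_filter,
            'mime_filters' => $mime_filters,
            'validation_failure' => $v_ex_code
        );

        // NOTE(review): when the option names something which is not a defined function, the
        // authorization callback is skipped silently and only the checks above apply.
        if (!empty($this->options['DownloadIsAuthorized_cb']) && function_exists($this->options['DownloadIsAuthorized_cb']) && !$this->options['DownloadIsAuthorized_cb']($this, 'download', $fileinfo)) {
            $v_ex_code = $fileinfo['validation_failure'];
            if (empty($v_ex_code)) {
                $v_ex_code = 'authorized';
            }
        }
        if (!empty($v_ex_code)) {
            throw new FileManagerException($v_ex_code);
        }

        // pick up the values again, as the values are read back from $fileinfo after the callback ran
        $legal_url = $fileinfo['legal_url'];
        $file = $fileinfo['file'];
        $meta = $fileinfo['meta_data'];
        $mime = $fileinfo['mime'];
        $mime_filter = $fileinfo['mime_filter'];
        $mime_filters = $fileinfo['mime_filters'];

        $fd = fopen($file, 'rb');
        if (!$fd) {
            // The file passed is_readable() yet cannot be opened: route this through the 403
            // error path as well, instead of answering with an empty success response.
            throw new FileManagerException('nofile');
        }

        $fsize = filesize($file);
        $fi = pathinfo($legal_url);

        // The basename derives from the request-supplied path and is placed inside a quoted
        // header parameter: replace control characters, double quotes and backslashes so the
        // name can neither end the quoted string nor the header line.
        $dl_name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $fi['basename']);
        if ($dl_name === null) {
            $dl_name = 'download';
        }

        $hdrs = array();
        // see also: http://www.boutell.com/newfaq/creating/forcedownload.html
        switch ($mime) {
            // add here more mime types for different file types and special handling by the client on download
            case 'application/pdf':
                $hdrs[] = 'Content-Type: ' . $mime;
                break;

            default:
                // everything else is sent as opaque binary, whatever mime type was detected
                $hdrs[] = 'Content-Type: application/octet-stream';
                break;
        }
        $hdrs[] = 'Content-Disposition: attachment; filename="' . $dl_name . '"'; // use 'attachment' to force a download
        if ($fsize !== false) {
            // filesize() reports FALSE on failure; leave the header out rather than send an empty value
            $hdrs[] = 'Content-length: ' . $fsize;
        }
        $hdrs[] = 'Expires: 0';
        $hdrs[] = 'Cache-Control: must-revalidate, post-check=0, pre-check=0';
        $hdrs[] = '!Cache-Control: private'; // flag as FORCED APPEND; use this to open files directly

        $this->sendHttpHeaders($hdrs);

        fpassthru($fd);
        fclose($fd);
    } catch (FileManagerException $e) {
        // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
        send_response_status_header(403);
        echo $e->getMessage();
    } catch (Exception $e) {
        // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
        send_response_status_header(403);
        // NOTE(review): the message of an arbitrary exception goes to the client verbatim and may
        // carry internal detail; consider logging it and sending a fixed text instead.
        echo $e->getMessage();
    }
}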
<?php

/*
 * Content of the 403 (Forbidden) response page: sets the 403 status and prints the
 * localized message taken from $ccms['lang']['system']['error_403content'].
 */

// Refuse to do anything when the BASE_PATH constant is missing, i.e. when this file is not
// run from within the application (presumably the bootstrap defines it; not visible here).
defined('BASE_PATH') or die('BASE_PATH not defined!');

send_response_status_header(403);

// the language string is emitted as-is (no HTML escaping), so it has to be trusted markup/text
echo '<p>', $ccms['lang']['system']['error_403content'], '</p>';

// Diagnostics, permanently switched off: the condition is constant, so the dump never runs.
if (false) {
    dump_request_to_logfile(
        array(
            'invocation_mode' => get_interpreter_invocation_mode(),
            'response(404)' => get_response_code_string(404),
            'response(403)' => get_response_code_string(403),
            'response(302)' => get_response_code_string(302)
        ),
        true
    );
}
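/**
 * Process the 'download' event
 *
 * Send the file content of the specified file for download by the client.
 * Only files residing within the directory tree rooted by the
 * 'basedir' (options['directory']) will be allowed to be downloaded.
 *
 * Expected parameters:
 *
 * 'file'    filepath of the file to be downloaded; fetched through getPOSTparam()
 *
 * 'filter'  optional mimetype filter string, may be the part up to and
 *           including the slash '/' or the full mimetype. Only files
 *           matching this (set of) mimetypes can be downloaded.
 *           Examples: 'image/' or 'application/zip'
 *           Fetched through getGETparam().
 *
 * NOTE(review): 'file' and 'filter' are read through different accessors (POST versus GET);
 * confirm that this is intended.
 *
 * The request is refused unless the 'download' option is enabled, the requested path maps to
 * a readable regular file, its mime type passes the filter and, when
 * options['DownloadIsAuthorized_cb'] names an existing function, that callback approves.
 *
 * On errors a HTTP 403 error response will be sent instead, with the exception message as body.
 */
protected function onDownload()
{
    try {
        if (!$this->options['download']) {
            throw new FileManagerException('disabled');
        }

        $file_arg = $this->getPOSTparam('file');
        if (empty($file_arg)) {
            throw new FileManagerException('nofile');
        }

        $legal_url = $this->rel2abs_legal_url_path($file_arg);

        $url = $this->legal2abs_url_path($legal_url);

        // must transform here so alias/etc. expansions inside legal_url_path2file_path() get a chance:
        $file = $this->legal_url_path2file_path($legal_url);

        if (!is_readable($file)) {
            throw new FileManagerException('nofile');
        }

        $mime_filter = $this->getGETparam('filter', $this->options['filter']);
        $mime = $this->getMimeType($file);
        $mime_filters = $this->getAllowedMimeTypes($mime_filter);

        if (is_file($file)) {
            if (!$this->IsAllowedMimeType($mime, $mime_filters)) {
                throw new FileManagerException('extension');
            }
        } else {
            // directories (and anything else which is not a regular file) are never downloadable
            throw new FileManagerException('nofile');
        }

        $fileinfo = array(
            'file' => $file,
            'url' => $url,
            'legal_url' => $legal_url,
            'mime' => $mime,
            'mime_filters' => $mime_filters
        );

        // NOTE(review): when the option names something which is not a defined function, the
        // authorization callback is skipped silently and only the checks above apply.
        if (!empty($this->options['DownloadIsAuthorized_cb']) && function_exists($this->options['DownloadIsAuthorized_cb']) && !$this->options['DownloadIsAuthorized_cb']($this, 'download', $fileinfo)) {
            throw new FileManagerException('authorized');
        }

        $fd = fopen($file, 'rb');
        if (!$fd) {
            // The file passed is_readable() yet cannot be opened: route this through the 403
            // error path as well, instead of answering with an empty success response.
            throw new FileManagerException('nofile');
        }

        $fsize = filesize($file);
        $path_parts = pathinfo($legal_url);
        // pathinfo() has no 'extension' entry for names without a dot
        $ext = (isset($path_parts['extension']) ? strtolower($path_parts['extension']) : '');

        // The basename derives from the request-supplied path and is placed inside a quoted
        // header parameter: replace control characters, double quotes and backslashes so the
        // name can neither end the quoted string nor the header line.
        $dl_name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $path_parts['basename']);
        if ($dl_name === null) {
            $dl_name = 'download';
        }

        switch ($ext) {
            case 'pdf':
                header('Content-Type: application/pdf');
                header('Content-Disposition: attachment; filename="' . $dl_name . '"'); // use 'attachment' to force a download
                break;

            // add here more headers for diff. extensions

            default:
                header('Content-Type: application/octet-stream');
                // a Content-Disposition value needs a disposition type in front of its
                // parameters; 'attachment' matches the purpose of this handler
                header('Content-Disposition: attachment; filename="' . $dl_name . '"');
                break;
        }
        if ($fsize !== false) {
            // filesize() reports FALSE on failure; leave the header out rather than send an empty value
            header("Content-length: {$fsize}");
        }
        header("Cache-control: private"); //use this to open files directly

        fpassthru($fd);
        fclose($fd);
    } catch (FileManagerException $e) {
        // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
        if (function_exists('send_response_status_header')) {
            send_response_status_header(403);
            echo $e->getMessage();
        } else {
            // no smarties detection whether we're running on fcgi or bare iron, we assume the latter:
            header('HTTP/1.0 403 Forbidden', true, 403);
            echo $e->getMessage();
        }
    } catch (Exception $e) {
        // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
        // NOTE(review): the message of an arbitrary exception goes to the client verbatim and may
        // carry internal detail; consider logging it and sending a fixed text instead.
        if (function_exists('send_response_status_header')) {
            send_response_status_header(403);
            echo $e->getMessage();
        } else {
            // no smarties detection whether we're running on fcgi or bare iron, we assume the latter:
            header('HTTP/1.0 403 Forbidden', true, 403);
            echo $e->getMessage();
        }
    }
}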
set_ccms_opt('page_name', $pagereq); set_ccms_opt('responsecode', $rcode); $dbpage = $rcode; // loop so we use the second round to fetch the error page itself. } } // end of 2-round loop if ($content === false || $rcode !== false) { // failure occurred! produce a 'response code page' after all! if (!$rcode) { $rcode = 404; } setup_ccms_for_40x_error($rcode, $pagereq); } if (is_http_response_code($ccms['responsecode'])) { send_response_status_header($ccms['responsecode']); } if ($cfg['IN_DEVELOPMENT_ENVIRONMENT']) { dump_request_to_logfile(array('invocation_mode' => get_interpreter_invocation_mode()), true, true, true); } } else { /* * OPERATION MODE == * * 3) Start dynamic sitemap creation used by spiders and various webmaster tools. * * e.g. You can use this function to submit a dynamic sitemap to Google Webmaster Tools. */ $dir = $cfg['rootdir']; // [i_a] the original substr($_SERVER[]) var would fail when called with this req URL: index.php?page=sitemap /*