Пример #1
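/**
 * Load the content of the given item. ($element MUST be an absolute path!)
 * NOTE(review): the code resolves $base . '/' . $element, so confirm what 'absolute' refers to here.
 *
 * The item is resolved with realpath() and is only read when the resolved path is a regular
 * file located inside $root; any other request ends with a 404 response.
 *
 * Note that this function does 'fixup' the loaded content, which MAY result in recursive
 * invocation of this function to load each of the detected sub-items. This way we can easily handle
 * 'flattening' CSS which uses the @import statement, etc.
 *
 * @param string $type      'css' selects fixup_css(); every other value selects fixup_js().
 * @param string $http_base Passed through unchanged to the fixup function.
 * @param string $base      Directory that $element is appended to.
 * @param string $root      Directory the resolved file must be located in (compared with '/' separators).
 * @param string $element   The item to load.
 *
 * @return mixed Whatever fixup_css() / fixup_js() returns for the loaded content. The function
 *               does not return when the path is rejected or the file cannot be read.
 */
function load_one($type, $http_base, $base, $root, $element)
{
    global $do_not_load;

    $uri = path_remove_dot_segments($base . '/' . $element);

    // realpath() returns false for a target that does not exist; map that to an empty
    // path so the containment test below rejects it explicitly.
    $resolved = realpath($uri);
    /* Windows can handle '/' so we're OK with the replace here; makes strpos() below work on all platforms */
    $path = ($resolved === false) ? '' : str_replace("\\", '/', $resolved);

    /*
     * Only allow a load when the CSS/JS is indeed within document-root.
     *
     * The decision is made on the realpath()-resolved $path, so it does not depend on what
     * path_remove_dot_segments() did to the request. The root is compared WITH a trailing '/':
     * a bare prefix match would also accept a sibling directory whose name merely starts with
     * the root's name (root '/srv/www' versus '/srv/www-private'; constructed example).
     * An empty $root never matches.
     */
    $root_dir = (string) $root;
    $inside_root = ($root_dir !== '' && $path !== '' && strpos($path, rtrim($root_dir, '/') . '/') === 0);

    $my_content = null;
    if ($inside_root && is_file($path)) {
        $my_content = '';
        if (!$do_not_load) {
            $my_content = file_get_contents($path);
        }
    } else {
        // The resolved filesystem locations stay in the server log. json_encode() keeps
        // control characters in request-supplied values from splitting the log line.
        error_log('Combiner: not a legal path: ' . json_encode(array(
            'type' => $type,
            'http_base' => $http_base,
            'base' => $base,
            'root' => $root,
            'element' => $element,
            'uri' => $uri,
            'path' => $path,
        )));
        send_response_status_header(404);
        // Not Found
        // The response no longer repeats $base, $root, $uri or $path: those reveal the server's
        // directory layout to whoever sent the request.
        // NOTE(review): $type and $element are echoed unescaped; confirm this response is never
        // rendered as HTML.
        die("\n" . get_response_code_string(404) . " - Combiner: not a legal path: type='{$type}', element='{$element}'\n");
    }
    if ($my_content === false) {
        // file_get_contents() failed although the path passed the checks above
        send_response_status_header(404);
        // Not Found
        die("\n" . get_response_code_string(404) . " - Combiner: failed to load data from file: type='{$type}', element='{$element}'\n");
    }
    switch ($type) {
        case 'css':
            /*
             * Before we go and optimize the CSS (or not), we fix up the CSS for IE7/8/... by adding the
             *
             *          behavior: url(PIE.php);
             *
             * line in every definition which has a 'border-radius'.
             *
             * We do it this way to ensure all styles are patched correctly; previously this was done by hand in the
             * various CSS files, resulting in quite a few omissions in the base css files and also the templates' ones.
             *
             * As we now force all CSS+JS requests through here, we can easily fix this kind of oddity very consistently
             * by performing the fix in code, right here.
             *
             * As the result is cached, this effort is only required once. Which would happen at install time when
             * you run the 'cache priming' action, resulting in a fully set up cache when you go 'live'.
             */
            $my_content = fixup_css($my_content, $http_base, $type, $base, $root, $element);
            break;
        default:
            $my_content = fixup_js($my_content, $http_base, $type, $base, $root, $element);
            break;
    }
    return $my_content;
}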
Пример #2
 /**
  * Process the 'download' event
  *
  * Send the file content of the specified file for download by the client.
  * Only files residing within the directory tree rooted by the
  * 'basedir' (options['URLpath4FileManagedDirTree']) will be allowed to be downloaded.
  *
  * Expected parameters:
  *
  * $_POST['file']         filepath of the file to be downloaded
  *
  * $_POST['filter']       optional mimetype filter string, may be the part up to and
  *                        including the slash '/' or the full mimetype. Only files
  *                        matching this (set of) mimetypes will be listed.
  *                        Examples: 'image/' or 'application/zip'
  *
  * On errors a HTTP 403 error response will be sent instead.
  */
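 protected function onDownload()
 {
     // Flow: validate the requested path and its mime type, let the optional authorization
     // callback veto the request, then stream the file. Every failure is answered with a
     // 403 status and a JSON error body.
     $emsg = null;
     $file_arg = null;
     $file = null;
     $jserr = array('status' => 1);
     try {
         if (!$this->options['download']) {
             throw new FileManagerException('disabled:download');
         }
         // Pessimistic default: only cleared when a readable regular file with an allowed mime type is found.
         $v_ex_code = 'nofile';
         $file_arg = $this->getPOSTparam('file');
         $mime_filter = $this->getPOSTparam('filter', $this->options['filter']);
         $mime_filters = $this->getAllowedMimeTypes($mime_filter);
         $legal_url = null;
         $file = null;
         $mime = null;
         $meta = null;
         if (!empty($file_arg)) {
             $legal_url = $this->rel2abs_legal_url_path($file_arg);
             // must transform here so alias/etc. expansions inside legal_url_path2file_path() get a chance:
             $file = $this->legal_url_path2file_path($legal_url);
             if (is_readable($file)) {
                 if (is_file($file)) {
                     $meta = $this->getFileInfo($file, $legal_url);
                     $mime = $meta->getMimeType();
                     if (!$this->IsAllowedMimeType($mime, $mime_filters)) {
                         $v_ex_code = 'extension';
                     } else {
                         $v_ex_code = null;
                     }
                 } else {
                     // a directory keeps the 'nofile' verdict; the mime type is only informational for the callback
                     $mime = 'text/directory';
                 }
             }
         }
         $fileinfo = array('legal_url' => $legal_url, 'file' => $file, 'mime' => $mime, 'meta_data' => $meta, 'mime_filter' => $mime_filter, 'mime_filters' => $mime_filters, 'validation_failure' => $v_ex_code);
         // NOTE(review): the callback is only consulted when the option names an existing function
         // (function_exists). A configured value that is not a plain function name is skipped and
         // the download proceeds on the built-in checks alone; confirm that this is intended.
         if (!empty($this->options['DownloadIsAuthorized_cb']) && function_exists($this->options['DownloadIsAuthorized_cb']) && !$this->options['DownloadIsAuthorized_cb']($this, 'download', $fileinfo)) {
             $v_ex_code = $fileinfo['validation_failure'];
             if (empty($v_ex_code)) {
                 $v_ex_code = 'authorized';
             }
         }
         if (!empty($v_ex_code)) {
             throw new FileManagerException($v_ex_code);
         }
         // NOTE(review): the values are read back from $fileinfo, presumably because the callback
         // may receive it by reference and adjust it. If it can change 'file', the is_file() and
         // mime checks above were made against the original path; verify against the callback contract.
         $legal_url = $fileinfo['legal_url'];
         $file = $fileinfo['file'];
         $meta = $fileinfo['meta_data'];
         $mime = $fileinfo['mime'];
         $mime_filter = $fileinfo['mime_filter'];
         $mime_filters = $fileinfo['mime_filters'];
         if ($fd = fopen($file, 'rb')) {
             $fsize = filesize($file);
             $fi = pathinfo($legal_url);
             // The name is placed inside a quoted header parameter: replace quotes, backslashes and
             // control characters so a file name cannot end the quoted string or the header line.
             $dl_name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $fi['basename']);
             $hdrs = array();
             // see also: http://www.boutell.com/newfaq/creating/forcedownload.html
             switch ($mime) {
                 // add here more mime types for different file types and special handling by the client on download
                 case 'application/pdf':
                     $hdrs[] = 'Content-Type: ' . $mime;
                     break;
                 default:
                     // everything else is served as an opaque download
                     $hdrs[] = 'Content-Type: application/octet-stream';
                     break;
             }
             $hdrs[] = 'Content-Disposition: attachment; filename="' . $dl_name . '"';
             // use 'attachment' to force a download
             if ($fsize !== false) {
                 // filesize() returns false on failure; an empty Content-length value would be malformed
                 $hdrs[] = 'Content-length: ' . $fsize;
             }
             $hdrs[] = 'Expires: 0';
             $hdrs[] = 'Cache-Control: must-revalidate, post-check=0, pre-check=0';
             $hdrs[] = '!Cache-Control: private';
             // flag as FORCED APPEND; use this to open files directly
             $this->sendHttpHeaders($hdrs);
             fpassthru($fd);
             fclose($fd);
             return;
         }
         $emsg = 'read_error';
     } catch (FileManagerException $e) {
         $emsg = $e->getMessage();
     } catch (Exception $e) {
         // catching other severe failures; since this can be anything and should only happen in the direst of circumstances, we don't bother translating
         // NOTE(review): the raw message of an unexpected exception is passed on to the client below;
         // confirm it cannot carry filesystem paths or other internal detail.
         $emsg = $e->getMessage();
     }
     // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
     send_response_status_header(403);
     $this->modify_json4exception($jserr, $emsg, 'file = ' . $this->mkSafe4Display($file_arg . ', destination path = ' . $file));
     $this->sendHttpHeaders('Content-Type: text/plain');
     // Safer for iframes: the 'application/json' mime type would cause FF3.X to pop up a save/view dialog when transmitting these error reports!
     // when we fail here, it's pretty darn bad and nothing to it.
     // just push the error JSON and go.
     echo json_encode($jserr);
 }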
 /**
  * Process the 'download' event
  *
  * Send the file content of the specified file for download by the client.
  * Only files residing within the directory tree rooted by the
  * 'basedir' (options['directory']) will be allowed to be downloaded.
  *
  * Expected parameters:
  *
  * $_POST['file']         filepath of the file to be downloaded
  *
  * $_POST['filter']       optional mimetype filter string, may be the part up to and
  *                        including the slash '/' or the full mimetype. Only files
  *                        matching this (set of) mimetypes will be listed.
  *                        Examples: 'image/' or 'application/zip'
  *
  * On errors a HTTP 403 error response will be sent instead.
  */
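 protected function onDownload()
 {
     // Flow: validate the requested path and its mime type, let the optional authorization
     // callback veto the request, then stream the file. Every failure is answered with a
     // 403 status and the failure code as the response body.
     try {
         if (!$this->options['download']) {
             throw new FileManagerException('disabled');
         }
         // Pessimistic default: only cleared when a readable regular file with an allowed mime type is found.
         $v_ex_code = 'nofile';
         $file_arg = $this->getPOSTparam('file');
         $mime_filter = $this->getPOSTparam('filter', $this->options['filter']);
         $mime_filters = $this->getAllowedMimeTypes($mime_filter);
         $legal_url = null;
         $file = null;
         $mime = null;
         $meta = null;
         if (!empty($file_arg)) {
             $legal_url = $this->rel2abs_legal_url_path($file_arg);
             // must transform here so alias/etc. expansions inside legal_url_path2file_path() get a chance:
             $file = $this->legal_url_path2file_path($legal_url);
             if (is_readable($file)) {
                 if (is_file($file)) {
                     $meta = $this->getFileInfo($file, $legal_url);
                     $mime = $meta->getMimeType();
                     if (!$this->IsAllowedMimeType($mime, $mime_filters)) {
                         $v_ex_code = 'extension';
                     } else {
                         $v_ex_code = null;
                     }
                 } else {
                     // a directory keeps the 'nofile' verdict; the mime type is only informational for the callback
                     $mime = 'text/directory';
                 }
             }
         }
         $fileinfo = array('legal_url' => $legal_url, 'file' => $file, 'mime' => $mime, 'meta_data' => $meta, 'mime_filter' => $mime_filter, 'mime_filters' => $mime_filters, 'validation_failure' => $v_ex_code);
         // NOTE(review): the callback is only consulted when the option names an existing function
         // (function_exists). A configured value that is not a plain function name is skipped and
         // the download proceeds on the built-in checks alone; confirm that this is intended.
         if (!empty($this->options['DownloadIsAuthorized_cb']) && function_exists($this->options['DownloadIsAuthorized_cb']) && !$this->options['DownloadIsAuthorized_cb']($this, 'download', $fileinfo)) {
             $v_ex_code = $fileinfo['validation_failure'];
             if (empty($v_ex_code)) {
                 $v_ex_code = 'authorized';
             }
         }
         if (!empty($v_ex_code)) {
             throw new FileManagerException($v_ex_code);
         }
         // NOTE(review): the values are read back from $fileinfo, presumably because the callback
         // may receive it by reference and adjust it. If it can change 'file', the is_file() and
         // mime checks above were made against the original path; verify against the callback contract.
         $legal_url = $fileinfo['legal_url'];
         $file = $fileinfo['file'];
         $meta = $fileinfo['meta_data'];
         $mime = $fileinfo['mime'];
         $mime_filter = $fileinfo['mime_filter'];
         $mime_filters = $fileinfo['mime_filters'];
         if ($fd = fopen($file, 'rb')) {
             $fsize = filesize($file);
             $fi = pathinfo($legal_url);
             // The name is placed inside a quoted header parameter: replace quotes, backslashes and
             // control characters so a file name cannot end the quoted string or the header line.
             $dl_name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $fi['basename']);
             $hdrs = array();
             // see also: http://www.boutell.com/newfaq/creating/forcedownload.html
             switch ($mime) {
                 // add here more mime types for different file types and special handling by the client on download
                 case 'application/pdf':
                     $hdrs[] = 'Content-Type: ' . $mime;
                     break;
                 default:
                     // everything else is served as an opaque download
                     $hdrs[] = 'Content-Type: application/octet-stream';
                     break;
             }
             $hdrs[] = 'Content-Disposition: attachment; filename="' . $dl_name . '"';
             // use 'attachment' to force a download
             if ($fsize !== false) {
                 // filesize() returns false on failure; an empty Content-length value would be malformed
                 $hdrs[] = 'Content-length: ' . $fsize;
             }
             $hdrs[] = 'Expires: 0';
             $hdrs[] = 'Cache-Control: must-revalidate, post-check=0, pre-check=0';
             $hdrs[] = '!Cache-Control: private';
             // flag as FORCED APPEND; use this to open files directly
             $this->sendHttpHeaders($hdrs);
             fpassthru($fd);
             fclose($fd);
         } else {
             // Without this branch a failed fopen() produced an empty success response;
             // report it through the same 403 path as every other failure.
             throw new FileManagerException('read_error');
         }
     } catch (FileManagerException $e) {
         // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
         send_response_status_header(403);
         echo $e->getMessage();
     } catch (Exception $e) {
         // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
         // NOTE(review): the raw message of an unexpected exception is echoed to the client;
         // confirm it cannot carry filesystem paths or other internal detail.
         send_response_status_header(403);
         echo $e->getMessage();
     }
 }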
Пример #4
<?php

// BASE_PATH must already be defined when this file runs; otherwise stop immediately.
if (defined('BASE_PATH') === false) {
    exit('BASE_PATH not defined!');
}

// Answer with a 403 status followed by the configured 403 text wrapped in a paragraph.
send_response_status_header(403);
echo sprintf('<p>%s</p>', $ccms['lang']['system']['error_403content']);

// Debugging aid, switched off by the constant-false condition.
if (false) {
    dump_request_to_logfile(
        array(
            'invocation_mode' => get_interpreter_invocation_mode(),
            'response(404)' => get_response_code_string(404),
            'response(403)' => get_response_code_string(403),
            'response(302)' => get_response_code_string(302),
        ),
        true
    );
}
Пример #5
 /**
  * Process the 'download' event
  *
  * Send the file content of the specified file for download by the client.
  * Only files residing within the directory tree rooted by the
  * 'basedir' (options['directory']) will be allowed to be downloaded.
  *
  * Expected parameters:
  *
  * $_GET['file']          filepath of the file to be downloaded
  *
  * $_GET['filter']        optional mimetype filter string, may be the part up to and
  *                        including the slash '/' or the full mimetype. Only files
  *                        matching this (set of) mimetypes will be listed.
  *                        Examples: 'image/' or 'application/zip'
  *
  * On errors a HTTP 403 error response will be sent instead.
  */
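 protected function onDownload()
 {
     // Flow: validate the requested path and its mime type, let the optional authorization
     // callback veto the request, then stream the file. Every failure is answered with a
     // 403 status and the failure code as the response body.
     // NOTE(review): 'file' is read with getPOSTparam() while 'filter' is read with getGETparam();
     // the method's doc comment lists both as $_GET. Confirm which source is intended.
     try {
         if (!$this->options['download']) {
             throw new FileManagerException('disabled');
         }
         $file_arg = $this->getPOSTparam('file');
         if (empty($file_arg)) {
             throw new FileManagerException('nofile');
         }
         $legal_url = $this->rel2abs_legal_url_path($file_arg);
         //$legal_url = self::enforceTrailingSlash($legal_url);
         $url = $this->legal2abs_url_path($legal_url);
         // must transform here so alias/etc. expansions inside legal_url_path2file_path() get a chance:
         $file = $this->legal_url_path2file_path($legal_url);
         if (!is_readable($file)) {
             throw new FileManagerException('nofile');
         }
         $mime_filter = $this->getGETparam('filter', $this->options['filter']);
         $mime = $this->getMimeType($file);
         $mime_filters = $this->getAllowedMimeTypes($mime_filter);
         if (is_file($file)) {
             if (!$this->IsAllowedMimeType($mime, $mime_filters)) {
                 throw new FileManagerException('extension');
             }
         } else {
             // directories and other non-regular entries are reported like a missing file
             throw new FileManagerException('nofile');
         }
         $fileinfo = array('file' => $file, 'url' => $url, 'legal_url' => $legal_url, 'mime' => $mime, 'mime_filters' => $mime_filters);
         // NOTE(review): the callback is only consulted when the option names an existing function
         // (function_exists). A configured value that is not a plain function name is skipped and
         // the download proceeds on the built-in checks alone; confirm that this is intended.
         if (!empty($this->options['DownloadIsAuthorized_cb']) && function_exists($this->options['DownloadIsAuthorized_cb']) && !$this->options['DownloadIsAuthorized_cb']($this, 'download', $fileinfo)) {
             throw new FileManagerException('authorized');
         }
         if ($fd = fopen($file, 'rb')) {
             $fsize = filesize($file);
             $path_parts = pathinfo($legal_url);
             // pathinfo() omits 'extension' for names without a dot
             $ext = isset($path_parts["extension"]) ? strtolower($path_parts["extension"]) : '';
             // The name is placed inside a quoted header parameter: replace quotes, backslashes and
             // control characters so a file name cannot end the quoted string or the header line.
             $dl_name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $path_parts["basename"]);
             switch ($ext) {
                 case "pdf":
                     header('Content-Type: application/pdf');
                     header('Content-Disposition: attachment; filename="' . $dl_name . '"');
                     // use 'attachment' to force a download
                     break;
                 // add here more headers for diff. extensions
                 default:
                     header('Content-Type: application/octet-stream');
                     header('Content-Disposition: filename="' . $dl_name . '"');
                     break;
             }
             if ($fsize !== false) {
                 // filesize() returns false on failure; an empty Content-length value would be malformed
                 header("Content-length: {$fsize}");
             }
             header("Cache-control: private");
             //use this to open files directly
             fpassthru($fd);
             fclose($fd);
         } else {
             // Without this branch a failed fopen() produced an empty success response;
             // report it through the same 403 path as every other failure.
             throw new FileManagerException('read_error');
         }
     } catch (FileManagerException $e) {
         // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
         if (function_exists('send_response_status_header')) {
             send_response_status_header(403);
             echo $e->getMessage();
         } else {
             // no smarties detection whether we're running on fcgi or bare iron, we assume the latter:
             header('HTTP/1.0 403 Forbidden', true, 403);
             echo $e->getMessage();
         }
     } catch (Exception $e) {
         // we don't care whether it's a 404, a 403 or something else entirely: we feed 'em a 403 and that's final!
         // NOTE(review): the raw message of an unexpected exception is echoed to the client;
         // confirm it cannot carry filesystem paths or other internal detail.
         if (function_exists('send_response_status_header')) {
             send_response_status_header(403);
             echo $e->getMessage();
         } else {
             // no smarties detection whether we're running on fcgi or bare iron, we assume the latter:
             header('HTTP/1.0 403 Forbidden', true, 403);
             echo $e->getMessage();
         }
     }
 }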
Пример #6
             set_ccms_opt('page_name', $pagereq);
             set_ccms_opt('responsecode', $rcode);
             $dbpage = $rcode;
             // loop so we use the second round to fetch the error page itself.
         }
     }
     // end of 2-round loop
     if ($content === false || $rcode !== false) {
         // failure occurred! produce a 'response code page' after all!
         if (!$rcode) {
             $rcode = 404;
         }
         setup_ccms_for_40x_error($rcode, $pagereq);
     }
     if (is_http_response_code($ccms['responsecode'])) {
         send_response_status_header($ccms['responsecode']);
     }
     if ($cfg['IN_DEVELOPMENT_ENVIRONMENT']) {
         dump_request_to_logfile(array('invocation_mode' => get_interpreter_invocation_mode()), true, true, true);
     }
 } else {
     /*
      * OPERATION MODE ==
      *
      * 3) Start dynamic sitemap creation used by spiders and various webmaster tools.
      *
      * e.g. You can use this function to submit a dynamic sitemap to Google Webmaster Tools.
      */
     $dir = $cfg['rootdir'];
     // [i_a] the original substr($_SERVER[]) var would fail when called with this req URL: index.php?page=sitemap
     /*