1<?php
2// Copyright (C) 2010-2016 Combodo SARL
3//
4//   This file is part of iTop.
5//
6//   iTop is free software; you can redistribute it and/or modify
7//   it under the terms of the GNU Affero General Public License as published by
8//   the Free Software Foundation, either version 3 of the License, or
9//   (at your option) any later version.
10//
11//   iTop is distributed in the hope that it will be useful,
12//   but WITHOUT ANY WARRANTY; without even the implied warranty of
13//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14//   GNU Affero General Public License for more details.
15//
16//   You should have received a copy of the GNU Affero General Public License
17//   along with iTop. If not, see <http://www.gnu.org/licenses/>
18
19
20/**
21 * Handles various ajax requests
22 *
23 * @copyright   Copyright (C) 2010-2016 Combodo SARL
24 * @license     http://opensource.org/licenses/AGPL-3.0
25 */
26
27require_once('../approot.inc.php');
28require_once(APPROOT.'application/utils.inc.php');
29
30
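if (array_key_exists('HTTP_IF_MODIFIED_SINCE', $_SERVER) && (strlen($_SERVER['HTTP_IF_MODIFIED_SINCE']) > 0))
{
	// Conditional request: every cacheable resource served by this script is treated as
	// immutable once published (the 'dict' URL carries a signature of the content, inline
	// images carry a secret, attachments are cached for a year below), so any
	// revalidation is answered with "304 Not Modified" without loading the application.
	//
	// NOTE(review): this shortcut runs before startup/login and answers for every
	// operation, including the authenticated 'download_document'. A 304 carries no body,
	// so no document content is disclosed here, but a user whose access was revoked keeps
	// using the copy already sitting in their browser cache until it expires.
	//
	// The header value must be an RFC 7231 HTTP-date ("Mon, 01 Jan 2018 00:00:00 GMT");
	// the previous "Mon, 1 January 2018 ..." string was not a valid HTTP-date and some
	// clients ignore such values. Any date in the past is fine.
	header('Last-Modified: Mon, 01 Jan 2018 00:00:00 GMT', true, 304);
	exit;
}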
37
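try
{
	require_once(APPROOT.'/application/application.inc.php');
	require_once(APPROOT.'/application/webpage.class.inc.php');
	require_once(APPROOT.'/application/ajaxwebpage.class.inc.php');
	require_once(APPROOT.'/application/startup.inc.php');

	require_once(APPROOT.'/application/loginwebpage.class.inc.php');

	// Default page: no caching. Operations that serve immutable content replace or
	// override these headers explicitly below.
	$oPage = new ajax_page("");
	$oPage->no_cache();

	$operation = utils::ReadParam('operation', '');
	// 'class' sanitization: the value is later used to resolve a MetaModel class name
	$sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');

	switch($operation)
	{
		case 'download_document':
			// Fixing security hole from bug N°1227, disabling by default attachment from legacy portal.
			// When the option is set, Attachment downloads are only allowed from the backoffice portal.
			$sRequestedPortalId = ((MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) && ($sClass === 'Attachment')) ? 'backoffice' : null;
			// Authentication is mandatory for this operation. Authorization on the
			// object/field itself is expected to be enforced by ormDocument::DownloadDocument
			// (not visible from here) — TODO confirm.
			LoginWebPage::DoLoginEx($sRequestedPortalId, false);
			$id = utils::ReadParam('id', '');
			$sField = utils::ReadParam('field', '');
			if ($sClass === 'Attachment')
			{
				$iCacheSec = 31556926; // One year ahead: an attachment cannot change
			}
			else
			{
				// Caller-chosen cache lifetime; negative or non-numeric values end up as <= 0 (no caching)
				$iCacheSec = (int)utils::ReadParam('cache', 0);
			}
			// InlineImage is deliberately excluded: it has its own, secret-protected operation below
			if (!empty($sClass) && ($sClass !== 'InlineImage') && !empty($id) && !empty($sField))
			{
				ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'attachment');
				if ($iCacheSec > 0)
				{
					$oPage->add_header("Expires: "); // Reset the value set in ajax_page
					// 'private': this content was served only after authentication and the URL
					// carries no secret, so it must not be stored by shared/intermediate caches
					// (a proxy would otherwise serve it to anyone requesting the same URL).
					// The browser's own cache still keeps it for $iCacheSec seconds.
					$oPage->add_header("Cache-Control: no-transform,private,max-age=$iCacheSec");
					$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
					$oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
				}
			}
			break;

		case 'download_inlineimage':
			// No login is required because the "secret" protects us
			// Benefit: the inline image can be inserted into any HTML (templating = $this->html(public_log)$)
			// The secret is verified by ormDocument::DownloadDocument (not visible here); the
			// URL being unguessable is what makes 'public' caching acceptable for this case.
			$id = utils::ReadParam('id', '');
			$sSecret = utils::ReadParam('s', '');
			$iCacheSec = 31556926; // One year ahead: an inline image cannot change
			if (!empty($id) && !empty($sSecret))
			{
				ormDocument::DownloadDocument($oPage, 'InlineImage', $id, 'contents', 'inline', 'secret', $sSecret);
				$oPage->add_header("Expires: "); // Reset the value set in ajax_page
				$oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
				$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
				$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
			}
			break;

		case 'dict':
			// The signature is the only user-controlled part of a filesystem path.
			// ReadParam's default sanitization is expected to reject '/' and '..', but that
			// is a single line of defence; the realpath containment check below is an
			// independent guard so a sanitizer regression cannot become an arbitrary file read.
			$sSignature = Utils::ReadParam('s', ''); // Sanitization prevents / and ..
			$sCacheDir = realpath(Utils::GetCachePath());
			$sDictFile = ($sSignature === '') ? false : realpath(Utils::GetCachePath().$sSignature.'.js');
			$bInsideCache = ($sCacheDir !== false) && ($sDictFile !== false)
				&& (strpos($sDictFile, rtrim($sCacheDir, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR) === 0);
			if (!$bInsideCache || !is_file($sDictFile))
			{
				// Unknown or out-of-tree signature: answer 404 on the (still non-cacheable)
				// default page, without any detail about the filesystem.
				http_response_code(404);
				break;
			}
			$oPage = new ajax_page(""); // New page to cleanup the no_cache done above
			$oPage->SetContentType('text/javascript');
			$oPage->add_header('Cache-control: public, max-age=86400'); // Cache for 24 hours
			$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
			$oPage->add(file_get_contents($sDictFile));
			break;

		default:
		$oPage->p("Invalid query.");
	}

	$oPage->output();
}
catch (Exception $e)
{
	// note: transform to cope with XSS attacks
	// NOTE(review): the raw exception message is reflected to the client. It is HTML-escaped
	// (no XSS), but messages from lower layers may reveal internal details (paths, SQL);
	// consider a generic message here and keep the detail in the log only.
	echo htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8');
	IssueLog::Error($e->getMessage()."\nDebug trace:\n".$e->getTraceAsString());
}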
119
120