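<?php
// Copyright (C) 2010-2016 Combodo SARL
//
// This file is part of iTop.
//
// iTop is free software; you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// iTop is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with iTop. If not, see <http://www.gnu.org/licenses/>


/**
 * Handles various ajax requests: document/attachment downloads, inline image
 * downloads protected by a per-image secret, and serving cached dictionary JS.
 *
 * Every branch reads its parameters through utils::ReadParam (request input),
 * so everything below the requires operates on untrusted data.
 *
 * @copyright Copyright (C) 2010-2016 Combodo SARL
 * @license http://opensource.org/licenses/AGPL-3.0
 */

require_once('../approot.inc.php');
require_once(APPROOT.'application/utils.inc.php');


if (array_key_exists('HTTP_IF_MODIFIED_SINCE', $_SERVER) && (strlen($_SERVER['HTTP_IF_MODIFIED_SINCE']) > 0))
{
    // Conditional request: answer 304 without touching the document.
    // The content is guaranteed to be unmodified since the URL includes a signature
    // based on the contents of the document.
    // NOTE(review): this runs before any login check, for every operation. A 304
    // carries no body so it reveals nothing about the document, but it also never
    // re-validates the caller's rights; it relies entirely on the URL signature.
    // The date must be an RFC 7231 IMF-fixdate (2-digit day, 3-letter month);
    // any date in the past is fine.
    header('Last-Modified: Mon, 01 Jan 2018 00:00:00 GMT', true, 304);
    exit;
}

try
{
    require_once(APPROOT.'/application/application.inc.php');
    require_once(APPROOT.'/application/webpage.class.inc.php');
    require_once(APPROOT.'/application/ajaxwebpage.class.inc.php');
    require_once(APPROOT.'/application/startup.inc.php');

    require_once(APPROOT.'/application/loginwebpage.class.inc.php');

    $oPage = new ajax_page("");
    $oPage->no_cache();

    $operation = utils::ReadParam('operation', '');
    $sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');

    switch ($operation)
    {
        case 'download_document':
            // Fixing security hole from bug N°1227, disabling by default attachment from legacy portal.
            // When the option is set, Attachment downloads are forced through the backoffice login.
            $sRequestedPortalId = ((MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) && ($sClass === 'Attachment')) ? 'backoffice' : null;
            LoginWebPage::DoLoginEx($sRequestedPortalId, false);
            $id = utils::ReadParam('id', '');
            $sField = utils::ReadParam('field', '');
            if ($sClass === 'Attachment')
            {
                $iCacheSec = 31556926; // One year ahead: an attachment cannot change
            }
            else
            {
                // Caller-chosen lifetime; negative or non-numeric values fall to 0 (no caching)
                $iCacheSec = (int)utils::ReadParam('cache', 0);
            }
            // Inline images are never served here: they go through download_inlineimage
            // with their secret.
            if (!empty($sClass) && ($sClass !== 'InlineImage') && !empty($id) && !empty($sField))
            {
                ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'attachment');
                if ($iCacheSec > 0)
                {
                    // NOTE(review): "public" lets shared caches store a download that
                    // required a login; this is only acceptable because the URL carries
                    // a content signature. Confirm that is true for every class that
                    // reaches this branch, or switch to "private".
                    $oPage->add_header("Expires: "); // Reset the value set in ajax_page
                    $oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
                    $oPage->add_header("Pragma: cache"); // Reset the value set by no_cache()
                    $oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
                }
            }
            break;

        case 'download_inlineimage':
            // No login is required because the "secret" protects us
            // Benefit: the inline image can be inserted into any HTML (templating = $this->html(public_log)$)
            // NOTE(review): the secret check lives in ormDocument::DownloadDocument;
            // verify it uses a constant-time comparison (hash_equals) since this
            // endpoint is reachable without authentication.
            $id = utils::ReadParam('id', '');
            $sSecret = utils::ReadParam('s', '');
            $iCacheSec = 31556926; // One year ahead: an inline image cannot change
            if (!empty($id) && !empty($sSecret))
            {
                ormDocument::DownloadDocument($oPage, 'InlineImage', $id, 'contents', 'inline', 'secret', $sSecret);
                $oPage->add_header("Expires: "); // Reset the value set in ajax_page
                $oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
                $oPage->add_header("Pragma: cache"); // Reset the value set by no_cache()
                $oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
            }
            break;

        case 'dict':
            // The signature names a file under the cache directory. ReadParam's default
            // sanitization is what keeps '/' and '..' out; re-check with an explicit
            // allow-list so this path does not silently depend on that behaviour.
            // Signatures are expected to be hash-like (alphanumeric plus _ = -);
            // widen the pattern if the dictionary cache ever uses other characters.
            $sSignature = utils::ReadParam('s', '');
            $oPage = new ajax_page(""); // New page to cleanup the no_cache done above
            $oPage->SetContentType('text/javascript');
            $oPage->add_header('Cache-control: public, max-age=86400'); // Cache for 24 hours
            $oPage->add_header("Pragma: cache"); // Reset the value set by no_cache()
            if (preg_match('/^[A-Za-z0-9_=-]+$/', $sSignature) === 1)
            {
                $sCacheFile = utils::GetCachePath().$sSignature.'.js';
                // Missing file: serve an empty script instead of a PHP warning plus "false"
                if (is_file($sCacheFile))
                {
                    $oPage->add(file_get_contents($sCacheFile));
                }
            }
            break;

        default:
            $oPage->p("Invalid query.");
    }

    $oPage->output();
}
catch (Exception $e)
{
    // Do not echo the raw exception to the client: download_inlineimage is reachable
    // without a login, and exception text can carry file paths or query fragments.
    // Full details go to the log; the client gets a generic, HTML-safe message.
    echo 'An error occurred while processing the request.';
    IssueLog::Error($e->getMessage()."\nDebug trace:\n".$e->getTraceAsString());
}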