1<?php
2/**
3 * XOOPS restricted file access
4 *
5 * You may not change or alter any portion of this comment or credits
6 * of supporting developers from this source code or any supporting source code
7 * which is considered copyrighted (c) material of the original comment or credit authors.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
11 *
12 * @copyright       (c) 2000-2016 XOOPS Project (www.xoops.org)
13 * @license             GNU GPL 2 (http://www.gnu.org/licenses/gpl-2.0.html)
14 * @package             core
15 * @since               2.4.0
16 * @author              Taiwen Jiang <phppp@users.sourceforge.net>
17 */
18
if (!defined('DS')) {
    define('DS', DIRECTORY_SEPARATOR);
}
if (!defined('NWLINE')) {
    define('NWLINE', "\n");
}

// Bootstrap only the bare kernel: this script needs path translation and
// nothing else. NOTE(review): 'nocommon' presumably tells mainfile.php to
// skip the common framework bootstrap; confirm against mainfile.php.
$xoopsOption['nocommon'] = true;
require_once __DIR__ . DS . 'mainfile.php';

// All error output is silenced so that a failure below cannot echo a
// filesystem path or stack trace into what the client receives as a static
// asset. NOTE(review): deliberate information-leak prevention, presumably;
// confirm nothing in this script relies on warnings being visible.
error_reporting(0);

include_once XOOPS_ROOT_PATH . DS . 'include' . DS . 'defines.php';
include_once XOOPS_ROOT_PATH . DS . 'include' . DS . 'version.php';
require_once XOOPS_ROOT_PATH . DS . 'class' . DS . 'xoopsload.php';

XoopsLoad::load('xoopskernel');
$xoops = new xos_kernel_Xoops2();
$xoops->pathTranslation();
34
35// Fetch path from query string if path is not set, i.e. through a direct request
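// Fetch path from query string if path is not set, i.e. through a direct
// request. The raw query string is attacker-controlled; nothing below trusts
// it until it has been resolved with realpath() and confined to a base
// directory. A caller that include()s this file may pre-set $path (and,
// presumably, $path_type) instead.
if (!isset($path) && !empty($_SERVER['QUERY_STRING'])) {
    $path = $_SERVER['QUERY_STRING'];
    if (substr($path, 0, 1) === '/') {
        $path = substr($path, 1);
    }
    // The first segment names a base in $xoops->paths. With no '/' at all
    // strpos() is false; spell that out instead of relying on
    // substr($path, 0, false) silently yielding '' as the old code did.
    $slash     = strpos($path, '/');
    $path_type = (false === $slash) ? '' : substr($path, 0, $slash);
    if (!isset($xoops->paths[$path_type])) {
        $path      = 'XOOPS/' . $path;
        $path_type = 'XOOPS';
    }
}

// Fail closed when there is still nothing usable: no path at all, a caller
// that set $path but never $path_type, or a type with no registered base.
// Previously such requests continued with a null type and undefined lookups.
if (!isset($path) || '' === $path || !isset($path_type) || !isset($xoops->paths[$path_type])) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

// We are not allowing output of xoops_data (the 'var' base holds private
// runtime data such as caches and configuration).
if ($path_type === 'var') {
    header('HTTP/1.0 404 Not Found');
    exit();
}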
51
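// Resolve both the requested file and the base directory of its type to
// canonical absolute paths. realpath() returns false when either does not
// exist; the base lookup is guarded so an unknown type cannot turn into a
// null base through an undefined-index notice.
$file = realpath($xoops->path($path));
$dir  = isset($xoops->paths[$path_type][0]) ? realpath($xoops->paths[$path_type][0]) : false;

// We are not allowing directory traversal either. This must be a strict
// prefix match on the canonical path: the previous substring test
// (strpos($file, $dir) !== false) accepted any canonical path that merely
// contained the base directory somewhere inside it, and a false $dir was
// coerced to an empty needle, which PHP 8 matches at offset 0 (fail-open).
// The trailing separator stops '/base-other' from passing as '/base'.
if (false === $file || false === $dir || 0 !== strpos($file, rtrim($dir, DS) . DS)) {
    header('HTTP/1.0 404 Not Found');
    exit();
}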
60
61//We can't output empty files and php files do not output
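// We can't output empty files and php files do not output: serving PHP
// source would disclose configuration such as mainfile.php. The match is
// case-insensitive because realpath() does not normalise case on
// case-insensitive filesystems (Windows, default macOS), so 'MAINFILE.PHP'
// would otherwise resolve to the configuration file and pass a
// case-sensitive check.
if (empty($file) || stripos($file, '.php') !== false) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

// The translated (unresolved) path is what gets read. NOTE(review): the
// original code re-derived it here rather than reusing the realpath() result;
// the reason is not recorded — presumably to read through the symlink as
// requested. Kept as-is.
$file = $xoops->path($path);
// Is there really a regular file to output? is_file() also rejects a
// directory whose name happens to carry a known extension, which fopen()
// on some platforms would otherwise open and stream as an empty body.
if (!is_file($file)) {
    header('HTTP/1.0 404 Not Found');
    exit();
}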
73
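// Only serve extensions with a registered MIME type; anything else is
// "garbage" and gets a 404. pathinfo() inspects the basename only, so a name
// without a dot, or a dot that sits in a directory component, yields '' and
// is rejected — where the old strrpos($file, '.') + 1 arithmetic turned a
// false strrpos() into offset 1 and produced a bogus extension.
// The lookup is deliberately case-sensitive, exactly like the original.
$ext   = pathinfo($file, PATHINFO_EXTENSION);
$types = include $xoops->path('include/mimetypes.inc.php');
//Do not output garbage
if ('' === $ext || !is_array($types) || !isset($types[$ext])) {
    header('HTTP/1.0 404 Not Found');
    exit();
}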
82
83//Output now
84// seconds, minutes, hours, days
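//Output now
// Open the file before emitting any header, so a failure here produces a
// plain 404 and not one decorated with a 15-day cache lifetime.
$handle = fopen($file, 'rb');
if (false === $handle) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

// seconds, minutes, hours, days
$expires = 60 * 60 * 24 * 15;
header('Pragma: public');
// The directive is "max-age"; the original "maxage=" is not a Cache-Control
// token any cache recognises, so only the Expires header was ever honoured.
header('Cache-Control: max-age=' . $expires);
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + $expires) . ' GMT');
header('Content-type: ' . $types[$ext]);
// The type is derived from the extension, not the content. Stop browsers
// from sniffing a different one, otherwise a file served under a permissive
// type could be interpreted as HTML or script in this site's origin.
header('X-Content-Type-Options: nosniff');

// Stream the file without buffering it whole into memory.
fpassthru($handle);
fclose($handle);
exit();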
97