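<?php
/**
 * XOOPS restricted file access
 *
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * @copyright (c) 2000-2016 XOOPS Project (www.xoops.org)
 * @license GNU GPL 2 (http://www.gnu.org/licenses/gpl-2.0.html)
 * @package core
 * @since 2.4.0
 * @author Taiwen Jiang <phppp@users.sourceforge.net>
 */

// Streams one static file chosen by the request. The request names a path type
// (a key of $xoops->paths) followed by a relative path. Every rejection is
// answered with the same bare 404, so a client cannot tell "forbidden" from
// "missing". Checks, in order:
//   1. a path and a known path type must be present,
//   2. the 'var' (xoops_data) tree is never served,
//   3. the resolved file must sit inside the root of its path type,
//   4. nothing with ".php" in its resolved name is served,
//   5. the extension must be listed in include/mimetypes.inc.php.

defined('DS') or define('DS', DIRECTORY_SEPARATOR);
defined('NWLINE') or define('NWLINE', "\n");

// NOTE(review): presumably makes mainfile.php skip the common bootstrap, which is
// why defines, version and the loader are pulled in by hand below -- confirm.
$xoopsOption['nocommon'] = true;
require_once __DIR__ . DS . 'mainfile.php';

// No PHP diagnostics are reported for the rest of the request, so warnings cannot
// end up inside the served file or disclose filesystem paths.
error_reporting(0);

include_once XOOPS_ROOT_PATH . DS . 'include' . DS . 'defines.php';
include_once XOOPS_ROOT_PATH . DS . 'include' . DS . 'version.php';
require_once XOOPS_ROOT_PATH . DS . 'class' . DS . 'xoopsload.php';

XoopsLoad::load('xoopskernel');
$xoops = new xos_kernel_Xoops2();
$xoops->pathTranslation();

// Fetch path from query string if path is not set, i.e. through a direct request.
// The query string is taken raw; it is not URL-decoded here.
if (!isset($path) && !empty($_SERVER['QUERY_STRING'])) {
    $path = $_SERVER['QUERY_STRING'];
    $path = (substr($path, 0, 1) === '/') ? (string) substr($path, 1) : $path;
    // The path type is everything before the first slash; without a slash there is none.
    $slash     = strpos($path, '/');
    $path_type = ($slash === false) ? '' : substr($path, 0, $slash);
    if (!isset($xoops->paths[$path_type])) {
        $path      = 'XOOPS/' . $path;
        $path_type = 'XOOPS';
    }
}

// Fail closed when there is nothing to resolve. Without this guard a request with
// an empty query string reached the checks below with $path and $path_type
// undefined. A script that includes this file with $path preset has to preset
// $path_type as well.
if (!isset($path, $path_type) || !is_string($path) || !is_string($path_type)
    || !isset($xoops->paths[$path_type][0])
) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

//We are not allowing output of xoops_data
if ($path_type === 'var') {
    header('HTTP/1.0 404 Not Found');
    exit();
}

// Canonical forms: symlinks and ".." segments are resolved before any comparison.
$file = realpath($xoops->path($path));
$dir  = realpath($xoops->paths[$path_type][0]);

// realpath() returns false for anything that does not exist.
if ($file === false || $dir === false) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

//We are not allowing directory traversal either.
// The file has to START with the root plus a separator. A plain "contains" test
// also accepts a sibling directory whose name merely begins with the root's name,
// or any path that embeds the root string further along.
$root = rtrim($dir, '/\\') . DS;
if (strncmp($file, $root, strlen($root)) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

// xoops_data stays private even when it is reached through another path type,
// for example when the data directory is located below the web root.
if (isset($xoops->paths['var'][0])) {
    $var_dir = realpath($xoops->paths['var'][0]);
    if ($var_dir !== false) {
        $var_root = rtrim($var_dir, '/\\') . DS;
        if (strncmp($file, $var_root, strlen($var_root)) === 0) {
            header('HTTP/1.0 404 Not Found');
            exit();
        }
    }
}

//We can't output empty files and php files do not output.
// Case-insensitive, so ".PHP" is refused too on filesystems that ignore case.
if (empty($file) || stripos($file, '.php') !== false) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

// Is there really a file to output? From here on the canonical path that passed
// the checks above is the one that is inspected and opened; re-deriving the path
// from the request would open something the checks never looked at if a link
// changed in between. is_file() also turns directories away.
if (!is_file($file)) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

// pathinfo() yields '' when the file name has no dot, instead of a slice of the path.
$ext   = pathinfo($file, PATHINFO_EXTENSION);
$types = include $xoops->path('include/mimetypes.inc.php');
//$content_type = isset($types[$ext]) ? $types[$ext] : 'text/plain';
//Do not output garbage: the MIME map doubles as the allow-list of servable extensions.
if (!is_array($types) || !isset($types[$ext])) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

// Open before any success header is sent, so an unreadable file still gets a 404
// (and feof() is never polled on a failed handle).
$handle = fopen($file, 'rb');
if ($handle === false) {
    header('HTTP/1.0 404 Not Found');
    exit();
}

//Output now
// seconds, minutes, hours, days
$expires = 60 * 60 * 24 * 15;
header('Pragma: public');
// The directive is spelled "max-age"; "maxage" is not a Cache-Control directive.
header('Cache-Control: max-age=' . $expires);
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + $expires) . ' GMT');
// NOTE(review): consider adding "X-Content-Type-Options: nosniff" once the MIME
// map has been checked for accuracy, so browsers keep to the declared type.
header('Content-type: ' . $types[$ext]);
fpassthru($handle);
fclose($handle);
exit();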