-rw-r--r-- | action.php | 160 | ||||
-rw-r--r-- | include/functions_picture.inc.php | 222 | ||||
-rw-r--r-- | picture.php | 71 |
3 files changed, 349 insertions, 104 deletions
diff --git a/action.php b/action.php
index 7e853ed44..6b21b0fa1 100644
--- a/action.php
+++ b/action.php
@@ -31,69 +31,127 @@ include_once(PHPWG_ROOT_PATH.'include/common.inc.php'); // Check Access and exit when user status is not ok check_status(ACCESS_GUEST); -function force_download ($filename) +function guess_mime_type($ext) { -//TODO : messages in "lang" - if (!url_is_remote($filename)) + switch ( strtolower($ext) ) { - $filename = realpath($filename); - if (!file_exists($filename)) - { - die("NO FILE HERE"); - } - $file_size = @filesize($filename); - } - else - { - $file_size = 0; + case "jpe": case "jpeg": + case "jpg": $ctype="image/jpeg"; break; + case "png": $ctype="image/png"; break; + case "gif": $ctype="image/gif"; break; + case "tiff": + case "tif": $ctype="image/tiff"; break; + case "txt": $ctype="text/plain"; break; + case "html": + case "htm": $ctype="text/html"; break; + case "xml": $ctype="text/xml"; break; + case "pdf": $ctype="application/pdf"; break; + case "zip": $ctype="application/zip"; break; + case "ogg": $ctype="application/ogg"; break; + default: $ctype="application/octet-stream"; } + return $ctype; +} - $file_extension = strtolower(substr(strrchr($filename,"."),1)); - - switch ($file_extension) { - case "jpe": case "jpeg": - case "jpg": $ctype="image/jpg"; break; - case "png": $ctype="image/png"; break; - case "gif": $ctype="image/gif"; break; - case "pdf": $ctype="application/pdf"; break; - case "zip": $ctype="application/zip"; break; - case "php": - // never allow download of php scripts to protect our conf files - die('Hacking attempt!'); break; - default: $ctype="application/octet-stream"; - } +function do_error( $code, $str ) +{ + header("HTTP/1.1 $code "); + header("Status: $code "); + echo $str ; + exit(); +} + + +if ( !isset($_GET['id']) or !is_numeric($_GET['id']) + or !isset($_GET['part']) + or !in_array($_GET['part'], array('t','e','i','h') ) ) +{ + do_error(400, 'Invalid request - id/part'); +} + +$id = $_GET['id']; +$query = ' +SELECT * FROM '. IMAGES_TABLE.' + WHERE id='.$id.' 
+;'; + +$result = pwg_query($query); +$element_info = mysql_fetch_assoc($result); +if ( empty($element_info) ) +{ + do_error(404, 'Requested id not found'); +} + +// TODO - check permissions + +include_once(PHPWG_ROOT_PATH.'include/functions_picture.inc.php'); +$file=''; +switch ($_GET['part']) +{ + case 't': + $file = get_thumbnail_path($element_info); + break; + case 'e': + $file = get_element_path($element_info); + break; + case 'i': + $file = get_image_path($element_info); + break; + case 'h': + $file = get_high_path($element_info); + break; +} + +if ( empty($file) ) +{ + do_error(404, 'Requested file not found'); +} + +$http_headers = array(); - header("Pragma: public"); - header("Expires: 0"); - header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); - header("Cache-Control: private",false); - header("Content-Type: $ctype"); - header("Content-Disposition: attachment; filename=\"" - .basename($filename)."\";"); - header("Content-Transfer-Encoding: binary"); - if (isset($file_size) and ($file_size != 0)) +$ctype = null; +if (!url_is_remote($file)) +{ + if ( !@is_readable($file) ) { - header("Content-Length: ".@filesize($filename)); + do_error(404, "Requested file not found - $file"); } - - // Looking at the safe_mode configuration for execution time - if (ini_get('safe_mode') == 0) + $http_headers[] = 'Content-Length: '.@filesize($file); + if ( function_exists('mime_content_type') ) { - @set_time_limit(0); + $ctype = mime_content_type($file); } +} +if (!isset($ctype)) +{ // give it a guess + $ctype = guess_mime_type( get_extension($file) ); +} - @readfile("$filename") or die("File not found."); +$http_headers[] = 'Content-Type: '.$ctype; + +if (!isset($_GET['view'])) +{ + $http_headers[] = 'Content-Disposition: attachment; filename="' + .basename($file).'";'; + $http_headers[] = 'Content-Transfer-Encoding: binary'; } +$http_headers[] = 'Pragma: public'; +$http_headers[] = 'Expires: 0'; +$http_headers[] = 'Cache-Control: must-revalidate, 
post-check=0, pre-check=0'; -//--------------------------------------------------------- download big picture -if ( isset( $_GET['dwn'] ) ) + +foreach ($http_headers as $header) { -//TODO : verify the path begins with something in galleries_url and that user has access rights to the picture -// in order to avoid hacking atempts by forged url - if (preg_match('/\.\./',$_GET['dwn'])) { - die('Hacking attempt!'); - } - force_download($_GET['dwn']); + header( $header ); } +header("Cache-Control: private",false); //??? + +// Looking at the safe_mode configuration for execution time +if (ini_get('safe_mode') == 0) +{ + @set_time_limit(0); +} + +@readfile($file); -?> +?>
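Review bot: The `// TODO - check permissions` left in the new action.php is a live gap, not a note: the script runs under `check_status(ACCESS_GUEST)` and then streams any `IMAGES_TABLE` row by numeric id for parts `t`/`e`/`i`/`h`, so a visitor can request elements from categories they are not permitted to browse, which the removed `?dwn=` code at least flagged as the thing to verify. Before resolving `$file`, the lookup should be restricted to images the current user may view (the same category-permission filter the rest of the gallery applies) and otherwise answer `do_error(403, 'Forbidden');`. Separately, `$id = $_GET['id'];` is only guarded by `is_numeric`, which accepts exponent notation, leading whitespace, floats and (on the PHP of this era) hex strings, all of which are spliced verbatim into the query; `$id = (int)$_GET['id'];` pins the value to what the `WHERE id=` comparison expects. Finally, `'Content-Length: '.@filesize($file)` emits an empty header when `filesize()` returns false, so guard it with `if ($size = @filesize($file)) $http_headers[] = 'Content-Length: '.$size;`.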
\ No newline at end of file
diff --git a/include/functions_picture.inc.php b/include/functions_picture.inc.php
new file mode 100644
index 000000000..572ef8207
--- /dev/null
+++ b/include/functions_picture.inc.php
@@ -0,0 +1,222 @@ +<?php +// +-----------------------------------------------------------------------+ +// | PhpWebGallery - a PHP based picture gallery | +// | Copyright (C) 2003-2006 PhpWebGallery Team - http://phpwebgallery.net | +// +-----------------------------------------------------------------------+ +// | branch : BSF (Best So Far) +// | file : $RCSfile$ +// | last update : $Date$ +// | last modifier : $Author$ +// | revision : $Revision$ +// +-----------------------------------------------------------------------+ +// | This program is free software; you can redistribute it and/or modify | +// | it under the terms of the GNU General Public License as published by | +// | the Free Software Foundation | +// | | +// | This program is distributed in the hope that it will be useful, but | +// | WITHOUT ANY WARRANTY; without even the implied warranty of | +// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | +// | General Public License for more details. | +// | | +// | You should have received a copy of the GNU General Public License | +// | along with this program; if not, write to the Free Software | +// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | +// | USA. | +// +-----------------------------------------------------------------------+ + +/** + * @param element_info array containing element information from db; + * at least 'id', 'path' should be present + */ +function get_element_path($element_info) +{ + $path = get_element_location($element_info); + if ( !url_is_remote($path) ) + { + $path = PHPWG_ROOT_PATH.$path; + } + return $path; +} + +/* + * @param element_info array containing element information from db; + * at least 'id', 'path' should be present + */ +function get_element_url($element_info) +{ + $url = get_element_location($element_info); + if ( !url_is_remote($url) ) + { + $url = get_root_url().$url; + } + // plugins want another url ? 
+ return trigger_event('get_element_url', $url, $element_info); +} + +/** + * Returns the relative path of the element with regards to to the root + * of PWG (not the current page). This function is not intended to be + * called directly from code. + * @param element_info array containing element information from db; + * at least 'id', 'path' should be present + */ +function get_element_location($element_info) +{ + // maybe a cached watermark ? + return trigger_event('get_element_location', + $element_info['path'], $element_info); +} + + +/** + * Returns the PATH to the image to be displayed in the picture page. If the + * element is not a picture, then the representative image or the default + * mime image. The path can be used in the php script, but not sent to the + * browser. + * @param element_info array containing element information from db; + * at least 'id', 'path', 'representative_ext' should be present + */ +function get_image_path($element_info) +{ + global $conf; + $ext = get_extension($element_info['path']); + if (in_array($ext, $conf['picture_ext'])) + { + if (isset($element_info['element_path']) ) + { + return $element_info['element_path']; + } + return get_element_path($element_info); + } + + $path = get_image_location($element_info); + if ( !url_is_remote($path) ) + { + $path = PHPWG_ROOT_PATH.$path; + } + return $path; +} + +/** + * Returns the URL of the image to be displayed in the picture page. If the + * element is not a picture, then the representative image or the default + * mime image. The URL can't be used in the php script, but can be sent to the + * browser. 
+ * @param element_info array containing element information from db; + * at least 'id', 'path', 'representative_ext' should be present + */ +function get_image_url($element_info) +{ + global $conf; + $ext = get_extension($element_info['path']); + if (in_array($ext, $conf['picture_ext'])) + { + if (isset($element_info['element_url']) ) + { + return $element_info['element_url']; + } + return get_element_url($element_info); + } + + $url = get_image_location($element_info); + if ( !url_is_remote($url) ) + { + $url = get_root_url().$url; + } + return $url; +} + +/** + * Returns the relative path of the image (element/representative/mimetype) + * with regards to the root of PWG (not the current page). This function + * is not intended to be called directly from code. + * @param element_info array containing element information from db; + * at least 'id', 'path', 'representative_ext' should be present + */ +function get_image_location($element_info) +{ + if (isset($element_info['representative_ext']) + and $element_info['representative_ext'] != '') + { + $pi = pathinfo($element_info['path']); + $file_wo_ext = get_filename_wo_extension($pi['basename']); + $path = + $pi['dirname'].'/pwg_representative/' + .$file_wo_ext.'.'.$element_info['representative_ext']; + } + else + { + $ext = get_extension($element_info['path']); + $path = get_themeconf('mime_icon_dir'); + $path.= strtolower($ext).'.png'; + } + + // plugins want another location ? 
+ return trigger_event( 'get_image_location', $path, $element_info); +} + + +/* + * @param element_info array containing element information from db; + * at least 'id', 'path', 'has_high' should be present + */ +function get_high_path($element_info) +{ + $path = get_high_location($element_info); + if (!empty($path) and !url_is_remote($path) ) + { + $path = PHPWG_ROOT_PATH.$path; + } + return $path; +} + +/** + * @param element_info array containing element information from db; + * at least 'id', 'path', 'has_high' should be present + */ +function get_high_url($element_info) +{ + $url = get_high_location($element_info); + if (!empty($url) and !url_is_remote($url) ) + { + $url = get_root_url().$url; + } + // plugins want another url ? + return trigger_event('get_high_url', $url, $element_info); +} + +/** + * @param element_info array containing element information from db; + * at least 'id', 'path', 'has_high' should be present + */ +function get_high_location($element_info) +{ + $location = ''; + if ($element_info['has_high'] == 'true') + { + $pi = pathinfo($element_info['path']); + $location=$pi['dirname'].'/pwg_high/'.$pi['basename']; + } + return trigger_event( 'get_high_location', $location, $element_info); +} + + +/** + * @param what_part string one of 't' (thumbnail), 'e' (element), 'i' (image), + * 'h' (high resolution image) + * @param element_info array containing element information from db; + * at least 'id', 'path' should be present + */ +function get_download_url($what_part, $element_info) +{ + $url = get_root_url().'action.php'; + $url = add_url_params($url, + array( + 'id' => $element_info['id'], + 'part' => $what_part, + ) + ); + return trigger_event( 'get_download_url', $url, $element_info); +} + +?>
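Review bot: `get_high_location` reads `$element_info['has_high']` unconditionally, so a caller passing an element_info without that key (the docblock only says it "should be present") gets an E_NOTICE and an empty location; `if (isset($element_info['has_high']) and $element_info['has_high'] == 'true')` makes the function tolerate the same partial arrays that `get_high_path`'s `!empty($path)` check already anticipates. `get_image_path` and `get_image_url` test `in_array($ext, $conf['picture_ext'])` without the strict flag and without normalising case, while `get_image_location` lowercases the extension for the mime icon; if `picture_ext` holds lowercase entries, an element named `.JPG` silently falls through to the representative/mime-icon branch, so either lowercase `$ext` there too or add a comment stating that `picture_ext` matching is case-sensitive by design. Minor: the headers of `get_element_url` and `get_high_path` open with `/*` instead of `/**`, so doc tooling will not pick them up.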
\ No newline at end of file
diff --git a/picture.php b/picture.php
index dd7ffa3ae..be5971a6a 100644
--- a/picture.php
+++ b/picture.php
@@ -28,6 +28,7 @@ define('PHPWG_ROOT_PATH','./'); include_once(PHPWG_ROOT_PATH.'include/common.inc.php'); include(PHPWG_ROOT_PATH.'include/section_init.inc.php'); +include_once(PHPWG_ROOT_PATH.'include/functions_picture.inc.php'); // Check Access and exit when user status is not ok check_status(ACCESS_GUEST); 
@@ -310,67 +311,34 @@ while ($row = mysql_fetch_assoc($result)) $picture[$i]['is_picture'] = true; } - $cat_directory = dirname($row['path']); - $file_wo_ext = get_filename_wo_extension($row['file']); - // ------ build element_path and element_url - $picture[$i]['element_url'] = $row['path']; - if ( ! url_is_remote($row['path']) ) + $picture[$i]['element_path'] = get_element_path($picture[$i]); + $picture[$i]['element_url'] = get_element_url($picture[$i]); + + // ------ build image_path and image_url + if ($i=='current' or $i=='next') { - $picture[$i]['element_url'] = get_root_url().$row['path']; + $picture[$i]['image_path'] = get_image_path( $picture[$i] ); + $picture[$i]['image_url'] = get_image_url( $picture[$i] ); } - // ------ build image_path and image_url - if ($picture[$i]['is_picture']) + if ($i=='current') { - $picture[$i]['image_path'] = $row['path']; - // if we are working on the "current" element, we search if there is a - // high quality picture - if ($i == 'current') + if ( $picture[$i]['is_picture'] ) { - if (($row['has_high'] == 'true') and ($user['enabled_high'] == 'true')) + if ( $user['enabled_high']=='true' ) { - $url_high=$cat_directory.'/pwg_high/'.$row['file']; - $picture[$i]['high_url'] = $picture[$i]['high_path'] = $url_high; - if ( ! 
url_is_remote($picture[$i]['high_path']) ) + $hi_url=get_high_url($picture[$i]); + if ( !empty($hi_url) ) { - $picture[$i]['high_url'] = get_root_url().$picture[$i]['high_path']; + $picture[$i]['high_url'] = $hi_url; + $picture[$i]['download_url'] = get_download_url('h',$picture[$i]); } } } - } - else - {// not a picture - if (isset($row['representative_ext']) and $row['representative_ext']!='') - { - $picture[$i]['image_path'] = - $cat_directory.'/pwg_representative/' - .$file_wo_ext.'.'.$row['representative_ext']; - } else - { - $picture[$i]['image_path'] = - get_themeconf('mime_icon_dir') - .strtolower(get_extension($row['file'])).'.png'; - } - } - - $picture[$i]['image_url'] = $picture[$i]['image_path']; - if ( ! url_is_remote($picture[$i]['image_path']) ) - { - $picture[$i]['image_url'] = get_root_url().$picture[$i]['image_path']; - } - - if (!$picture[$i]['is_picture']) - {// if picture is not a file, we need the download link - $picture[$i]['download_url'] = $picture[$i]['element_url']; - } - else - {// if picture is a file with high, we put the download link - if ( isset($picture[$i]['high_path']) ) - { - $picture[$i]['download_url'] = get_root_url().'action.php?dwn=' - .$picture[$i]['high_path']; + { // not a pic - need download link + $picture[$i]['download_url'] = get_download_url('e',$picture[$i]); } } @@ -382,6 +350,7 @@ while ($row = mysql_fetch_assoc($result)) } else { + $file_wo_ext = get_filename_wo_extension($row['file']); $picture[$i]['name'] = str_replace('_', ' ', $file_wo_ext); } @@ -427,10 +396,6 @@ if (!empty($picture['current']['width'])) ); } -// now give an opportunity to the filters to alter element_url, -// image_url, high_url and download_url -$picture = trigger_event('picture_navigation', $picture); - $url_admin = get_root_url().'admin.php?page=picture_modify' .'&cat_id='.(isset($page['category']) ? $page['category'] : '') |
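Review bot: In the `@@ -310,67 +311,34 @@` hunk the new helpers are handed `$picture[$i]` rather than `$row`, and `get_element_path`, `get_image_path` and `get_high_url` read `path`, `representative_ext` and `has_high` from that array; unless the loop body above the hunk (the `while` starts outside it) copies those columns from `$row` into `$picture[$i]`, the calls raise notices and resolve to wrong locations, so a comment at the first call, `// $picture[$i] must carry path/representative_ext/has_high from $row for the helpers below`, would pin the dependency. The same hunk drops the per-iteration `$cat_directory` and `$file_wo_ext`, and the `@@ -382,6 +350,7 @@` hunk re-creates only `$file_wo_ext` inside the `else` branch; any remaining use of either variable later in the loop, not visible here, now reads an undefined variable. Removing `trigger_event('picture_navigation', $picture)` in the last hunk is a plugin API change: plugins hooked on that event stop running silently, and the replacement is spread over the new `get_element_url`/`get_image_location`/`get_high_url`/`get_download_url` events, which deserves a changelog line.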