viewimage.php 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309
  1. <?php
  2. /* Copyright (C) 2004-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
  3. * Copyright (C) 2005-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  4. * Copyright (C) 2005-2016 Regis Houssin <regis.houssin@inodbox.com>
  5. *
  6. * This program is free software; you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License as published by
  8. * the Free Software Foundation; either version 3 of the License, or
  9. * (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful,
  12. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. * GNU General Public License for more details.
  15. *
  16. * You should have received a copy of the GNU General Public License
  17. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  18. * or see http://www.gnu.org/
  19. */
  20. /**
  21. * \file htdocs/viewimage.php
  22. * \brief Wrapper to show images into Dolibarr screens.
  23. * \remarks Call to wrapper is :
  24. * DOL_URL_ROOT.'/viewimage.php?modulepart=diroffile&file=relativepathofofile&cache=0
  25. * DOL_URL_ROOT.'/viewimage.php?hashp=sharekey
  26. */
  27. //if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Not disabled cause need to load personalized language
  28. //if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Not disabled cause need to load personalized language
  29. if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
  30. if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
  31. if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1');
  32. if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1');
  33. if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1');
  34. if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1');
  35. if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
  36. // Some value of modulepart can be used to get resources that are public so no login are required.
  37. // Note that only directory logo is free to access without login.
  38. if (isset($_GET["modulepart"]) && $_GET["modulepart"] == 'mycompany' && preg_match('/^\/?logos\//', $_GET['file']))
  39. {
  40. if (! defined("NOLOGIN")) define("NOLOGIN",1);
  41. if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
  42. if (! defined("NOIPCHECK")) define("NOIPCHECK",1); // Do not check IP defined into conf $dolibarr_main_restrict_ip
  43. }
  44. // For direct external download link, we don't need to load/check we are into a login session
  45. if (isset($_GET["hashp"]) && ! defined("NOLOGIN"))
  46. {
  47. if (! defined("NOLOGIN")) define("NOLOGIN",1);
  48. if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
  49. if (! defined("NOIPCHECK")) define("NOIPCHECK",1); // Do not check IP defined into conf $dolibarr_main_restrict_ip
  50. }
  51. // Some value of modulepart can be used to get resources that are public so no login are required.
  52. if ((isset($_GET["modulepart"]) && $_GET["modulepart"] == 'medias'))
  53. {
  54. if (! defined("NOLOGIN")) define("NOLOGIN",1);
  55. if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
  56. if (! defined("NOIPCHECK")) define("NOIPCHECK",1); // Do not check IP defined into conf $dolibarr_main_restrict_ip
  57. }
  58. // For multicompany
  59. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1));
  60. if (is_numeric($entity)) define("DOLENTITY", $entity);
  61. /**
  62. * Header empty
  63. *
  64. * @return void
  65. */
  66. function llxHeader()
  67. {
  68. }
  69. /**
  70. * Footer empty
  71. *
  72. * @return void
  73. */
  74. function llxFooter()
  75. {
  76. }
  77. require 'main.inc.php'; // Load $user and permissions
  78. require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
  79. $action=GETPOST('action','alpha');
  80. $original_file=GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP).
  81. $hashp=GETPOST('hashp','aZ09');
  82. $modulepart=GETPOST('modulepart','alpha');
  83. $urlsource=GETPOST('urlsource','alpha');
  84. $entity=GETPOST('entity','int')?GETPOST('entity','int'):$conf->entity;
  85. // Security check
  86. if (empty($modulepart) && empty($hashp)) accessforbidden('Bad link. Bad value for parameter modulepart',0,0,1);
  87. if (empty($original_file) && empty($hashp) && $modulepart != 'barcode') accessforbidden('Bad link. Missing identification to find file (original_file or hashp)',0,0,1);
  88. if ($modulepart == 'fckeditor') $modulepart='medias'; // For backward compatibility
  89. /*
  90. * Actions
  91. */
  92. // None
  93. /*
  94. * View
  95. */
  96. if (GETPOST("cache",'alpha'))
  97. {
  98. // Important: Following code is to avoid page request by browser and PHP CPU at
  99. // each Dolibarr page access.
  100. if (empty($dolibarr_nocache))
  101. {
  102. header('Cache-Control: max-age=3600, public, must-revalidate');
  103. header('Pragma: cache'); // This is to avoid having Pragma: no-cache
  104. }
  105. else header('Cache-Control: no-cache');
  106. //print $dolibarr_nocache; exit;
  107. }
  108. // If we have a hash public (hashp), we guess the original_file.
  109. if (! empty($hashp))
  110. {
  111. include_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php';
  112. $ecmfile=new EcmFiles($db);
  113. $result = $ecmfile->fetch(0, '', '', '', $hashp);
  114. if ($result > 0)
  115. {
  116. $tmp = explode('/', $ecmfile->filepath, 2); // $ecmfile->filepath is relative to document directory
  117. // filepath can be 'users/X' or 'X/propale/PR11111'
  118. if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.
  119. {
  120. $tmp = explode('/', $tmp[1], 2);
  121. }
  122. $moduleparttocheck = $tmp[0]; // moduleparttocheck is first part of path
  123. if ($modulepart) // Not required, so often not defined, for link using public hashp parameter.
  124. {
  125. if ($moduleparttocheck == $modulepart)
  126. {
  127. // We remove first level of directory
  128. $original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename); // this is relative to module dir
  129. //var_dump($original_file); exit;
  130. }
  131. else
  132. {
  133. accessforbidden('Bad link. File is from another module part.',0,0,1);
  134. }
  135. }
  136. else
  137. {
  138. $modulepart = $moduleparttocheck;
  139. $original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename); // this is relative to module dir
  140. }
  141. }
  142. else
  143. {
  144. $langs->load("errors");
  145. accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"),0,0,1);
  146. }
  147. }
  148. // Define mime type
  149. $type = 'application/octet-stream';
  150. if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');
  151. else $type=dol_mimetype($original_file);
  152. // Security: Delete string ../ into $original_file
  153. $original_file = str_replace("../","/", $original_file);
  154. // Find the subdirectory name as the reference
  155. $refname=basename(dirname($original_file)."/");
  156. // Security check
  157. if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
  158. $check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname);
  159. $accessallowed = $check_access['accessallowed'];
  160. $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
  161. $fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name
  162. if (! empty($hashp))
  163. {
  164. $accessallowed = 1; // When using hashp, link is public so we force $accessallowed
  165. $sqlprotectagainstexternals = '';
  166. }
  167. else
  168. {
  169. // Basic protection (against external users only)
  170. if ($user->societe_id > 0)
  171. {
  172. if ($sqlprotectagainstexternals)
  173. {
  174. $resql = $db->query($sqlprotectagainstexternals);
  175. if ($resql)
  176. {
  177. $num=$db->num_rows($resql);
  178. $i=0;
  179. while ($i < $num)
  180. {
  181. $obj = $db->fetch_object($resql);
  182. if ($user->societe_id != $obj->fk_soc)
  183. {
  184. $accessallowed=0;
  185. break;
  186. }
  187. $i++;
  188. }
  189. }
  190. }
  191. }
  192. }
  193. // Security:
  194. // Limit access if permissions are wrong
  195. if (! $accessallowed)
  196. {
  197. accessforbidden();
  198. }
  199. // Security:
  200. // On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers.
  201. if (preg_match('/\.\./',$fullpath_original_file) || preg_match('/[<>|]/',$fullpath_original_file))
  202. {
  203. dol_syslog("Refused to deliver file ".$fullpath_original_file);
  204. print "ErrorFileNameInvalid: ".$original_file;
  205. exit;
  206. }
  207. if ($modulepart == 'barcode')
  208. {
  209. $generator=GETPOST("generator","alpha");
  210. $code=GETPOST("code",'none'); // This can be rich content (qrcode, datamatrix, ...)
  211. $encoding=GETPOST("encoding","alpha");
  212. $readable=GETPOST("readable",'alpha')?GETPOST("readable","alpha"):"Y";
  213. if (empty($generator) || empty($encoding))
  214. {
  215. print 'Error: Parameter "generator" or "encoding" not defined';
  216. exit;
  217. }
  218. $dirbarcode=array_merge(array("/core/modules/barcode/doc/"),$conf->modules_parts['barcode']);
  219. $result=0;
  220. foreach($dirbarcode as $reldir)
  221. {
  222. $dir=dol_buildpath($reldir,0);
  223. $newdir=dol_osencode($dir);
  224. // Check if directory exists (we do not use dol_is_dir to avoid loading files.lib.php)
  225. if (! is_dir($newdir)) continue;
  226. $result=@include_once $newdir.$generator.'.modules.php';
  227. if ($result) break;
  228. }
  229. // Load barcode class
  230. $classname = "mod".ucfirst($generator);
  231. $module = new $classname($db);
  232. if ($module->encodingIsSupported($encoding))
  233. {
  234. $result=$module->buildBarCode($code,$encoding,$readable);
  235. }
  236. }
  237. else // Open and return file
  238. {
  239. clearstatcache();
  240. $filename = basename($fullpath_original_file);
  241. // Output files on browser
  242. dol_syslog("viewimage.php return file $fullpath_original_file filename=$filename content-type=$type");
  243. // This test is to avoid error images when image is not available (for example thumbs).
  244. if (! dol_is_file($fullpath_original_file) && empty($_GET["noalt"]))
  245. {
  246. $fullpath_original_file=DOL_DOCUMENT_ROOT.'/public/theme/common/nophoto.png';
  247. /*$error='Error: File '.$_GET["file"].' does not exists or filesystems permissions are not allowed';
  248. print $error;
  249. exit;*/
  250. }
  251. // Permissions are ok and file found, so we return it
  252. if ($type)
  253. {
  254. top_httphead($type);
  255. header('Content-Disposition: inline; filename="'.basename($fullpath_original_file).'"');
  256. }
  257. else
  258. {
  259. top_httphead('image/png');
  260. header('Content-Disposition: inline; filename="'.basename($fullpath_original_file).'"');
  261. }
  262. $fullpath_original_file_osencoded=dol_osencode($fullpath_original_file);
  263. readfile($fullpath_original_file_osencoded);
  264. }
  265. if (is_object($db)) $db->close();