34 define(
'MAIN_SECURITY_FORCECSP',
"default-src: 'none'");
38 if (!defined(
'NOTOKENRENEWAL')) {
39 define(
'NOTOKENRENEWAL',
'1');
41 if (!defined(
'NOREQUIREMENU')) {
42 define(
'NOREQUIREMENU',
'1');
44 if (!defined(
'NOREQUIREHTML')) {
45 define(
'NOREQUIREHTML',
'1');
47 if (!defined(
'NOREQUIREAJAX')) {
48 define(
'NOREQUIREAJAX',
'1');
52 if (isset($_GET[
"hashp"]) && !defined(
"NOLOGIN")) {
53 if (!defined(
"NOLOGIN")) {
56 if (!defined(
"NOCSRFCHECK")) {
57 define(
"NOCSRFCHECK", 1);
59 if (!defined(
"NOIPCHECK")) {
60 define(
"NOIPCHECK", 1);
64 if ((isset($_GET[
"modulepart"]) && $_GET[
"modulepart"] ==
'medias')) {
65 if (!defined(
"NOLOGIN")) {
68 if (!defined(
"NOCSRFCHECK")) {
69 define(
"NOCSRFCHECK", 1);
71 if (!defined(
"NOIPCHECK")) {
72 define(
"NOIPCHECK", 1);
95 require
'main.inc.php';
96 require_once DOL_DOCUMENT_ROOT.
'/core/lib/files.lib.php';
97 require_once DOL_DOCUMENT_ROOT.
'/core/lib/images.lib.php';
100 $action =
GETPOST(
'action',
'aZ09');
101 $original_file =
GETPOST(
'file',
'alphanohtml');
102 $hashp =
GETPOST(
'hashp',
'aZ09');
103 $modulepart =
GETPOST(
'modulepart',
'alpha');
104 $urlsource =
GETPOST(
'urlsource',
'alpha');
105 $entity =
GETPOST(
'entity',
'int') ?
GETPOST(
'entity',
'int') : $conf->entity;
108 if (empty($modulepart) && empty($hashp)) {
111 if (empty($original_file) && empty($hashp)) {
114 if ($modulepart ==
'fckeditor') {
115 $modulepart =
'medias';
119 if ($user->socid > 0) {
120 $socid = $user->socid;
124 if (in_array($modulepart, array(
'facture_paiement',
'unpaid'))) {
125 if (!$user->hasRight(
'societe',
'client',
'voir') || $socid) {
126 $original_file =
'private/'.$user->id.
'/'.$original_file;
145 if (!empty($hashp)) {
146 include_once DOL_DOCUMENT_ROOT.
'/ecm/class/ecmfiles.class.php';
148 $result = $ecmfile->fetch(0,
'',
'',
'', $hashp);
150 $tmp = explode(
'/', $ecmfile->filepath, 2);
152 if (is_numeric($tmp[0])) {
153 $tmp = explode(
'/', $tmp[1], 2);
155 $moduleparttocheck = $tmp[0];
158 if ($moduleparttocheck == $modulepart) {
160 $original_file = (($tmp[1] ? $tmp[1].
'/' :
'').$ecmfile->filename);
166 $modulepart = $moduleparttocheck;
167 $original_file = (($tmp[1] ? $tmp[1].
'/' :
'').$ecmfile->filename);
169 $entity = $ecmfile->entity;
170 if ($entity != $conf->entity) {
171 $conf->entity = $entity;
172 $conf->setValues($db);
175 $langs->load(
"errors");
182 if (preg_match(
'/\.(html|htm)$/i', $original_file)) {
185 if (isset($_GET[
"attachment"])) {
186 $attachment =
GETPOST(
"attachment",
'alpha') ?
true:
false;
188 if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) {
193 $type =
'application/octet-stream';
194 if (
GETPOST(
'type',
'alpha')) {
195 $type =
GETPOST(
'type',
'alpha');
203 $type =
'application/octet-stream';
207 $original_file = preg_replace(
'/\.\.+/',
'..', $original_file);
208 $original_file = str_replace(
'../',
'/', $original_file);
209 $original_file = str_replace(
'..\\',
'/', $original_file);
213 if (empty($modulepart)) {
219 $accessallowed = $check_access[
'accessallowed'];
220 $sqlprotectagainstexternals = $check_access[
'sqlprotectagainstexternals'];
221 $fullpath_original_file = $check_access[
'original_file'];
224 if (!empty($hashp)) {
226 $sqlprotectagainstexternals =
'';
229 if ($user->socid > 0) {
230 if ($sqlprotectagainstexternals) {
231 $resql = $db->query($sqlprotectagainstexternals);
233 $num = $db->num_rows($resql);
236 $obj = $db->fetch_object($resql);
237 if ($user->socid != $obj->fk_soc) {
250 if (!$accessallowed) {
256 if (preg_match(
'/\.\./', $fullpath_original_file) || preg_match(
'/[<>|]/', $fullpath_original_file)) {
257 dol_syslog(
"Refused to deliver file ".$fullpath_original_file);
258 print
"ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
265 $filename = basename($fullpath_original_file);
266 $filename = preg_replace(
'/\.noexe$/i',
'', $filename);
269 dol_syslog(
"document.php download $fullpath_original_file filename=$filename content-type=$type");
270 $fullpath_original_file_osencoded =
dol_osencode($fullpath_original_file);
273 if (!file_exists($fullpath_original_file_osencoded)) {
274 dol_syslog(
"ErrorFileDoesNotExists: ".$fullpath_original_file);
275 print
"ErrorFileDoesNotExists: ".$original_file;
280 $hookmanager->initHooks(array(
'document'));
281 $parameters = array(
'ecmfile' => $ecmfile,
'modulepart' => $modulepart,
'original_file' => $original_file,
282 'entity' => $entity,
'fullpath_original_file' => $fullpath_original_file,
283 'filename' => $filename,
'fullpath_original_file_osencoded' => $fullpath_original_file_osencoded);
284 $object =
new stdClass();
285 $reshook = $hookmanager->executeHooks(
'downloadDocument', $parameters, $object, $action);
287 $errors = $hookmanager->error.(is_array($hookmanager->errors) ? (!empty($hookmanager->error) ?
', ' :
'').join(
', ', $hookmanager->errors) :
'');
288 dol_syslog(
"document.php - Errors when executing the hook 'downloadDocument' : ".$errors);
289 print
"ErrorDownloadDocumentHooks: ".$errors;
296 header(
'Content-Description: File Transfer');
298 header(
'Content-Encoding: '.$encoding);
303 header(
'Content-Disposition: attachment; filename="'.$filename.
'"');
305 header(
'Content-Disposition: inline; filename="'.$filename.
'"');
308 header(
'Cache-Control: Public, must-revalidate');
309 header(
'Pragma: public');
313 if (!$attachment && !empty($conf->global->MAIN_USE_EXIF_ROTATION) &&
image_format_supported($fullpath_original_file_osencoded) == 1) {
315 $readfile = !$imgres;
318 if (is_object($db)) {
324 header(
'Content-Length: '.
dol_filesize($fullpath_original_file));
Class to manage ECM files.
if(!defined('NOTOKENRENEWAL')) if(!defined('NOREQUIREMENU')) if(!defined('NOREQUIREHTML')) if(!defined('NOREQUIREAJAX')) if(isset($_GET["hashp"]) &&!defined("NOLOGIN")) if((isset($_GET["modulepart"]) && $_GET["modulepart"]=='medias')) llxHeader()
Header empty.
dol_filesize($pathoffile)
Return size of a file.
dol_check_secure_access_document($modulepart, $original_file, $entity, $fuser='', $refname='', $mode='read')
Security check when accessing to a document (used by document.php, viewimage.php and webservices to g...
dol_mimetype($file, $default='application/octet-stream', $mode=0)
Return MIME type of a file from its name with extension.
dol_osencode($str)
Return a string encoded into OS filesystem encoding.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
readfileLowMemory($fullpath_original_file_osencoded, $method=-1)
Return a file on output using a low memory.
dolIsAllowedForPreview($file)
Return if a file is qualified for preview.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
correctExifImageOrientation($fileSource, $fileDest, $quality=95)
Add exif orientation correction for image.
image_format_supported($file, $acceptsvg=0)
Return if a filename is file name of a supported image format.
if(!defined('NOREQUIREMENU')) if(!empty(GETPOST('seteventmessages', 'alpha'))) if(!function_exists("llxHeader")) top_httphead($contenttype='text/html', $forcenocache=0)
Show HTTP header.
httponly_accessforbidden($message=1, $http_response_code=403, $stringalreadysanitized=0)
Show a message to say access is forbidden and stop program.
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.