dolibarr  9.0.0
viewimage.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2004-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
3  * Copyright (C) 2005-2016 Laurent Destailleur <eldy@users.sourceforge.net>
4  * Copyright (C) 2005-2016 Regis Houssin <regis.houssin@inodbox.com>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program. If not, see <http://www.gnu.org/licenses/>.
18  * or see http://www.gnu.org/
19  */
20 
29 //if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Not disabled cause need to load personalized language
30 //if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Not disabled cause need to load personalized language
31 if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
32 if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
33 if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1');
34 if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1');
35 if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1');
36 if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1');
37 if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
38 
39 // Some value of modulepart can be used to get resources that are public so no login are required.
40 // Note that only directory logo is free to access without login.
41 if (isset($_GET["modulepart"]) && $_GET["modulepart"] == 'mycompany' && preg_match('/^\/?logos\//', $_GET['file']))
42 {
43  if (! defined("NOLOGIN")) define("NOLOGIN",1);
44  if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
45  if (! defined("NOIPCHECK")) define("NOIPCHECK",1); // Do not check IP defined into conf $dolibarr_main_restrict_ip
46 }
47 // For direct external download link, we don't need to load/check we are into a login session
48 if (isset($_GET["hashp"]) && ! defined("NOLOGIN"))
49 {
50  if (! defined("NOLOGIN")) define("NOLOGIN",1);
51  if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
52  if (! defined("NOIPCHECK")) define("NOIPCHECK",1); // Do not check IP defined into conf $dolibarr_main_restrict_ip
53 }
54 // Some value of modulepart can be used to get resources that are public so no login are required.
55 if ((isset($_GET["modulepart"]) && $_GET["modulepart"] == 'medias'))
56 {
57  if (! defined("NOLOGIN")) define("NOLOGIN",1);
58  if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
59  if (! defined("NOIPCHECK")) define("NOIPCHECK",1); // Do not check IP defined into conf $dolibarr_main_restrict_ip
60 }
61 
62 // For multicompany
63 $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1));
64 if (is_numeric($entity)) define("DOLENTITY", $entity);
65 
71 function llxHeader()
72 {
73 }
79 function llxFooter()
80 {
81 }
82 
83 require 'main.inc.php'; // Load $user and permissions
84 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
85 
86 $action=GETPOST('action','alpha');
87 $original_file=GETPOST('file','alphanohtml'); // Do not use urldecode here ($_GET are already decoded by PHP).
88 $hashp=GETPOST('hashp','aZ09');
89 $modulepart=GETPOST('modulepart','alpha');
90 $urlsource=GETPOST('urlsource','alpha');
91 $entity=GETPOST('entity','int')?GETPOST('entity','int'):$conf->entity;
92 
93 // Security check
94 if (empty($modulepart) && empty($hashp)) accessforbidden('Bad link. Bad value for parameter modulepart',0,0,1);
95 if (empty($original_file) && empty($hashp) && $modulepart != 'barcode') accessforbidden('Bad link. Missing identification to find file (original_file or hashp)',0,0,1);
96 if ($modulepart == 'fckeditor') $modulepart='medias'; // For backward compatibility
97 
98 
99 
100 /*
101  * Actions
102  */
103 
104 // None
105 
106 
107 
108 /*
109  * View
110  */
111 
112 if (GETPOST("cache",'alpha'))
113 {
114  // Important: Following code is to avoid page request by browser and PHP CPU at
115  // each Dolibarr page access.
116  if (empty($dolibarr_nocache))
117  {
118  header('Cache-Control: max-age=3600, public, must-revalidate');
119  header('Pragma: cache'); // This is to avoid having Pragma: no-cache
120  }
121  else header('Cache-Control: no-cache');
122  //print $dolibarr_nocache; exit;
123 }
124 
125 // If we have a hash public (hashp), we guess the original_file.
126 if (! empty($hashp))
127 {
128  include_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php';
129  $ecmfile=new EcmFiles($db);
130  $result = $ecmfile->fetch(0, '', '', '', $hashp);
131  if ($result > 0)
132  {
133  $tmp = explode('/', $ecmfile->filepath, 2); // $ecmfile->filepath is relative to document directory
134  // filepath can be 'users/X' or 'X/propale/PR11111'
135  if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.
136  {
137  $tmp = explode('/', $tmp[1], 2);
138  }
139  $moduleparttocheck = $tmp[0]; // moduleparttocheck is first part of path
140 
141  if ($modulepart) // Not required, so often not defined, for link using public hashp parameter.
142  {
143  if ($moduleparttocheck == $modulepart)
144  {
145  // We remove first level of directory
146  $original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename); // this is relative to module dir
147  //var_dump($original_file); exit;
148  }
149  else
150  {
151  accessforbidden('Bad link. File is from another module part.',0,0,1);
152  }
153  }
154  else
155  {
156  $modulepart = $moduleparttocheck;
157  $original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename); // this is relative to module dir
158  }
159  }
160  else
161  {
162  $langs->load("errors");
163  accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"),0,0,1);
164  }
165 }
166 
167 // Define mime type
168 $type = 'application/octet-stream';
169 if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');
170 else $type=dol_mimetype($original_file);
171 
172 // Security: Delete string ../ into $original_file
173 $original_file = str_replace("../","/", $original_file);
174 
175 // Find the subdirectory name as the reference
176 $refname=basename(dirname($original_file)."/");
177 
178 // Security check
179 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
180 
181 $check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname);
182 $accessallowed = $check_access['accessallowed'];
183 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
184 $fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name
185 
186 if (! empty($hashp))
187 {
188  $accessallowed = 1; // When using hashp, link is public so we force $accessallowed
189  $sqlprotectagainstexternals = '';
190 }
191 else
192 {
193  // Basic protection (against external users only)
194  if ($user->societe_id > 0)
195  {
196  if ($sqlprotectagainstexternals)
197  {
198  $resql = $db->query($sqlprotectagainstexternals);
199  if ($resql)
200  {
201  $num=$db->num_rows($resql);
202  $i=0;
203  while ($i < $num)
204  {
205  $obj = $db->fetch_object($resql);
206  if ($user->societe_id != $obj->fk_soc)
207  {
208  $accessallowed=0;
209  break;
210  }
211  $i++;
212  }
213  }
214  }
215  }
216 }
217 
218 // Security:
219 // Limit access if permissions are wrong
220 if (! $accessallowed)
221 {
222  accessforbidden();
223 }
224 
225 // Security:
226 // On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers.
227 if (preg_match('/\.\./',$fullpath_original_file) || preg_match('/[<>|]/',$fullpath_original_file))
228 {
229  dol_syslog("Refused to deliver file ".$fullpath_original_file);
230  print "ErrorFileNameInvalid: ".$original_file;
231  exit;
232 }
233 
234 
235 
236 if ($modulepart == 'barcode')
237 {
238  $generator=GETPOST("generator","alpha");
239  $code=GETPOST("code",'none'); // This can be rich content (qrcode, datamatrix, ...)
240  $encoding=GETPOST("encoding","alpha");
241  $readable=GETPOST("readable",'alpha')?GETPOST("readable","alpha"):"Y";
242 
243  if (empty($generator) || empty($encoding))
244  {
245  print 'Error: Parameter "generator" or "encoding" not defined';
246  exit;
247  }
248 
249  $dirbarcode=array_merge(array("/core/modules/barcode/doc/"),$conf->modules_parts['barcode']);
250 
251  $result=0;
252 
253  foreach($dirbarcode as $reldir)
254  {
255  $dir=dol_buildpath($reldir,0);
256  $newdir=dol_osencode($dir);
257 
258  // Check if directory exists (we do not use dol_is_dir to avoid loading files.lib.php)
259  if (! is_dir($newdir)) continue;
260 
261  $result=@include_once $newdir.$generator.'.modules.php';
262  if ($result) break;
263  }
264 
265  // Load barcode class
266  $classname = "mod".ucfirst($generator);
267  $module = new $classname($db);
268  if ($module->encodingIsSupported($encoding))
269  {
270  $result=$module->buildBarCode($code,$encoding,$readable);
271  }
272 }
273 else // Open and return file
274 {
275  clearstatcache();
276 
277  $filename = basename($fullpath_original_file);
278 
279  // Output files on browser
280  dol_syslog("viewimage.php return file $fullpath_original_file filename=$filename content-type=$type");
281 
282  // This test is to avoid error images when image is not available (for example thumbs).
283  if (! dol_is_file($fullpath_original_file) && empty($_GET["noalt"]))
284  {
285  $fullpath_original_file=DOL_DOCUMENT_ROOT.'/public/theme/common/nophoto.png';
286  /*$error='Error: File '.$_GET["file"].' does not exists or filesystems permissions are not allowed';
287  print $error;
288  exit;*/
289  }
290 
291  // Permissions are ok and file found, so we return it
292  if ($type)
293  {
294  top_httphead($type);
295  header('Content-Disposition: inline; filename="'.basename($fullpath_original_file).'"');
296  }
297  else
298  {
299  top_httphead('image/png');
300  header('Content-Disposition: inline; filename="'.basename($fullpath_original_file).'"');
301  }
302 
303  $fullpath_original_file_osencoded=dol_osencode($fullpath_original_file);
304 
305  readfile($fullpath_original_file_osencoded);
306 }
307 
308 
309 if (is_object($db)) $db->close();
dol_osencode($str)
Return a string encoded into OS filesystem encoding.
GETPOST($paramname, $check='none', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
print
Draft customers invoices.
Definition: index.php:91
if(! empty($conf->facture->enabled) && $user->rights->facture->lire) if(! empty($conf->fournisseur->enabled) && $user->rights->fournisseur->facture->lire) if(! empty($conf->don->enabled) && $user->rights->societe->lire) if(! empty($conf->tax->enabled) && $user->rights->tax->charges->lire) if(! empty($conf->facture->enabled) &&! empty($conf->commande->enabled) && $user->rights->commande->lire &&empty($conf->global->WORKFLOW_DISABLE_CREATE_INVOICE_FROM_ORDER)) if(! empty($conf->facture->enabled) && $user->rights->facture->lire) if(! empty($conf->fournisseur->enabled) && $user->rights->fournisseur->facture->lire) $resql
Social contributions to pay.
Definition: index.php:1053
if(! defined('NOREQUIREMENU')) if(! function_exists("llxHeader")) top_httphead($contenttype='text/html', $forcenocache=0)
Show HTTP header.
Definition: main.inc.php:1107
dol_mimetype($file, $default='application/octet-stream', $mode=0)
Return mime type of a file.
dol_check_secure_access_document($modulepart, $original_file, $entity, $fuser='', $refname='', $mode='read')
Security check when accessing to a document (used by document.php, viewimage.php and webservices) ...
Definition: files.lib.php:2109
dol_buildpath($path, $type=0, $returnemptyifnotfound=0)
Return path of url or filesystem.
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0)
Show a message to say access is forbidden and stop program Calling this function terminate execution ...
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='')
Write log message into outputs.
dol_is_file($pathoffile)
Return if path is a file.
Definition: files.lib.php:451
llxFooter()
Footer empty.
Definition: viewimage.php:79
llxHeader()
Header empty.
Definition: viewimage.php:71
Class to manage ECM files.