34 define(
'MAIN_SECURITY_FORCECSP',
"default-src: 'none'");
38 if (!defined(
'NOTOKENRENEWAL')) {
39 define(
'NOTOKENRENEWAL',
'1');
41 if (!defined(
'NOREQUIREMENU')) {
42 define(
'NOREQUIREMENU',
'1');
44 if (!defined(
'NOREQUIREHTML')) {
45 define(
'NOREQUIREHTML',
'1');
47 if (!defined(
'NOREQUIREAJAX')) {
48 define(
'NOREQUIREAJAX',
'1');
52 if (isset($_GET[
"hashp"]) && !defined(
"NOLOGIN")) {
53 if (!defined(
"NOLOGIN")) {
56 if (!defined(
"NOCSRFCHECK")) {
57 define(
"NOCSRFCHECK", 1);
59 if (!defined(
"NOIPCHECK")) {
60 define(
"NOIPCHECK", 1);
64 if ((isset($_GET[
"modulepart"]) && $_GET[
"modulepart"] ==
'medias')) {
65 if (!defined(
"NOLOGIN")) {
68 if (!defined(
"NOCSRFCHECK")) {
69 define(
"NOCSRFCHECK", 1);
71 if (!defined(
"NOIPCHECK")) {
72 define(
"NOIPCHECK", 1);
95 require
'main.inc.php';
96 require_once DOL_DOCUMENT_ROOT.
'/core/lib/files.lib.php';
97 require_once DOL_DOCUMENT_ROOT.
'/core/lib/images.lib.php';
100 $action =
GETPOST(
'action',
'aZ09');
101 $original_file =
GETPOST(
'file',
'alphanohtml');
102 $hashp =
GETPOST(
'hashp',
'aZ09');
103 $modulepart =
GETPOST(
'modulepart',
'alpha');
104 $urlsource =
GETPOST(
'urlsource',
'alpha');
105 $entity =
GETPOST(
'entity',
'int') ?
GETPOST(
'entity',
'int') : $conf->entity;
108 if (empty($modulepart) && empty($hashp)) {
111 if (empty($original_file) && empty($hashp)) {
114 if ($modulepart ==
'fckeditor') {
115 $modulepart =
'medias';
119 if ($user->socid > 0) {
120 $socid = $user->socid;
124 if (in_array($modulepart, array(
'facture_paiement',
'unpaid'))) {
125 if (!$user->hasRight(
'societe',
'client',
'voir') || $socid) {
126 $original_file =
'private/'.$user->id.
'/'.$original_file;
145 if (!empty($hashp)) {
146 include_once DOL_DOCUMENT_ROOT.
'/ecm/class/ecmfiles.class.php';
148 $result = $ecmfile->fetch(0,
'',
'',
'', $hashp);
150 $tmp = explode(
'/', $ecmfile->filepath, 2);
152 if (is_numeric($tmp[0])) {
153 $tmp = explode(
'/', $tmp[1], 2);
155 $moduleparttocheck = $tmp[0];
158 if ($moduleparttocheck == $modulepart) {
160 $original_file = (($tmp[1] ? $tmp[1].
'/' :
'').$ecmfile->filename);
166 $modulepart = $moduleparttocheck;
167 $original_file = (($tmp[1] ? $tmp[1].
'/' :
'').$ecmfile->filename);
169 $entity = $ecmfile->entity;
170 if ($entity != $conf->entity) {
171 $conf->entity = $entity;
172 $conf->setValues($db);
175 $langs->load(
"errors");
182 if (preg_match(
'/\.(html|htm)$/i', $original_file)) {
185 if (isset($_GET[
"attachment"])) {
186 $attachment =
GETPOST(
"attachment",
'alpha') ?
true:
false;
188 if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) {
193 $type =
'application/octet-stream';
194 if (
GETPOST(
'type',
'alpha')) {
195 $type =
GETPOST(
'type',
'alpha');
203 $type =
'application/octet-stream';
207 $original_file = preg_replace(
'/\.\.+/',
'..', $original_file);
208 $original_file = str_replace(
'../',
'/', $original_file);
209 $original_file = str_replace(
'..\\',
'/', $original_file);
213 $refname = basename(dirname($original_file).
"/");
216 if (empty($modulepart)) {
222 $accessallowed = $check_access[
'accessallowed'];
223 $sqlprotectagainstexternals = $check_access[
'sqlprotectagainstexternals'];
224 $fullpath_original_file = $check_access[
'original_file'];
227 if (!empty($hashp)) {
229 $sqlprotectagainstexternals =
'';
232 if ($user->socid > 0) {
233 if ($sqlprotectagainstexternals) {
234 $resql = $db->query($sqlprotectagainstexternals);
236 $num = $db->num_rows($resql);
239 $obj = $db->fetch_object($resql);
240 if ($user->socid != $obj->fk_soc) {
253 if (!$accessallowed) {
259 if (preg_match(
'/\.\./', $fullpath_original_file) || preg_match(
'/[<>|]/', $fullpath_original_file)) {
260 dol_syslog(
"Refused to deliver file ".$fullpath_original_file);
261 print
"ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
268 $filename = basename($fullpath_original_file);
269 $filename = preg_replace(
'/\.noexe$/i',
'', $filename);
272 dol_syslog(
"document.php download $fullpath_original_file filename=$filename content-type=$type");
273 $fullpath_original_file_osencoded =
dol_osencode($fullpath_original_file);
276 if (!file_exists($fullpath_original_file_osencoded)) {
277 dol_syslog(
"ErrorFileDoesNotExists: ".$fullpath_original_file);
278 print
"ErrorFileDoesNotExists: ".$original_file;
283 $hookmanager->initHooks(array(
'document'));
284 $parameters = array(
'ecmfile' => $ecmfile,
'modulepart' => $modulepart,
'original_file' => $original_file,
285 'entity' => $entity,
'refname' => $refname,
'fullpath_original_file' => $fullpath_original_file,
286 'filename' => $filename,
'fullpath_original_file_osencoded' => $fullpath_original_file_osencoded);
287 $object =
new stdClass();
288 $reshook = $hookmanager->executeHooks(
'downloadDocument', $parameters, $object, $action);
290 $errors = $hookmanager->error.(is_array($hookmanager->errors) ? (!empty($hookmanager->error) ?
', ' :
'').join(
', ', $hookmanager->errors) :
'');
291 dol_syslog(
"document.php - Errors when executing the hook 'downloadDocument' : ".$errors);
292 print
"ErrorDownloadDocumentHooks: ".$errors;
298 header(
'Content-Description: File Transfer');
300 header(
'Content-Encoding: '.$encoding);
304 header(
'Content-Disposition: attachment; filename="'.$filename.
'"');
306 header(
'Content-Disposition: inline; filename="'.$filename.
'"');
309 header(
'Cache-Control: Public, must-revalidate');
310 header(
'Pragma: public');
314 if (!$attachment && !empty($conf->global->MAIN_USE_EXIF_ROTATION) &&
image_format_supported($fullpath_original_file_osencoded) == 1) {
316 $readfile = !$imgres;
319 if (is_object($db)) {
325 header(
'Content-Length: '.
dol_filesize($fullpath_original_file));