diff --git a/api/anon_images.php b/api/anon_images.php
index c43f409c99..c10a598f01 100644
--- a/api/anon_images.php
+++ b/api/anon_images.php
@@ -15,30 +15,38 @@ use EGroupware\Api; $GLOBALS['egw_info'] = array('flags' => array( 'disable_Template_class' => True, - 'login' => True, - 'currentapp' => 'login', + 'noheader' => True, + // misuse session creation callback to send the image, in case we have no session + 'autocreate_session_callback' => 'send_image', + 'currentapp' => 'api', )); require('../header.inc.php'); -$path = $GLOBALS['egw_info']['server']['files_dir'].'/anon-images'; +send_image(); -if (!file_exists($path) || empty($_GET['src']) || - basename($_GET['src']) !== $_GET['src'] || // make sure no directory traversal - !preg_match('/^[a-z 0-9._-]+\.(jpe?g|png|gif|svg|ico)$/i', $_GET['src']) || // only allow images, not eg. Javascript! - !file_exists($path .= '/'.$_GET['src']) || - !($fp = fopen($path, 'r'))) +function send_image() { - error_log(__FILE__.": _GET[src]='$_GET[src]', path=$path returning HTTP status 404 Not Found"); - http_response_code(404); -} -else -{ - Api\Session::cache_control(864000); // 10 days - $size = filesize($path); - header('ETag: "'.md5($_GET['src'].$size.filemtime($path)).'"'); - header('Content-Type: '.Api\MimeMagic::filename2mime($_GET['src'])); - header('Content-Length: '.$size); - fpassthru($fp); - fclose($fp); + $path = $GLOBALS['egw_info']['server']['files_dir'] . '/anon-images'; + + if (!file_exists($path) || empty($_GET['src']) || + basename($_GET['src']) !== $_GET['src'] || // make sure no directory traversal + !preg_match('/^[a-z 0-9._-]+\.(jpe?g|png|gif|svg|ico)$/i', $_GET['src']) || // only allow images, not eg. Javascript! + !file_exists($path .= '/' . $_GET['src']) || + !($fp = fopen($path, 'r'))) + { + error_log(__FILE__ . ": _GET[src]='$_GET[src]', path=$path returning HTTP status 404 Not Found"); + http_response_code(404); + } + else + { + Api\Session::cache_control(864000); // 10 days + $size = filesize($path); + header('ETag: "' . md5($_GET['src'] . $size . filemtime($path)) . '"'); + header('Content-Type: ' . 
Api\MimeMagic::filename2mime($_GET['src'])); + header('Content-Length: ' . $size); + fpassthru($fp); + fclose($fp); + } + exit; }
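Review bot: `send_image()` is now also registered as the `autocreate_session_callback`, so header.inc.php can invoke it before any session or authentication exists, yet the new function carries no docblock stating that contract or that it never returns because of the trailing `exit`; add above `function send_image()` a comment such as `/** Stream one file from files_dir/anon-images and exit. Runs unauthenticated (directly and as autocreate_session_callback), so $_GET['src'] is untrusted: the basename check and the extension whitelist are the only thing keeping it to plain image names in that directory. Never returns. */`. On the 404 branch the moved `error_log()` line writes `$_GET['src']` verbatim, so a value with control characters lands in the log unescaped; `addcslashes($_GET['src'], "\0..\37")` in that message keeps one request per log line without changing the response. Because `.svg` is in the whitelist and is served inline with a filename-derived Content-Type, adding `header('X-Content-Type-Options: nosniff');` beside the Content-Type header is a cheap hardening if anyone other than an administrator can place files in anon-images, which this hunk does not show.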