* Filemanager/Sharing: fix lost session on first load in sharing links with Firefox

Ralf Becker 2020-03-17 20:38:14 +01:00
parent 83fd11f7c7
commit 04b83d4344


@ -15,30 +15,38 @@ use EGroupware\Api;
$GLOBALS['egw_info'] = array('flags' => array( $GLOBALS['egw_info'] = array('flags' => array(
'disable_Template_class' => True, 'disable_Template_class' => True,
'login' => True, 'noheader' => True,
'currentapp' => 'login', // misuse session creation callback to send the image, in case we have no session
'autocreate_session_callback' => 'send_image',
'currentapp' => 'api',
)); ));
require('../header.inc.php'); require('../header.inc.php');
$path = $GLOBALS['egw_info']['server']['files_dir'].'/anon-images'; send_image();
if (!file_exists($path) || empty($_GET['src']) || function send_image()
{
$path = $GLOBALS['egw_info']['server']['files_dir'] . '/anon-images';
if (!file_exists($path) || empty($_GET['src']) ||
basename($_GET['src']) !== $_GET['src'] || // make sure no directory traversal basename($_GET['src']) !== $_GET['src'] || // make sure no directory traversal
!preg_match('/^[a-z 0-9._-]+\.(jpe?g|png|gif|svg|ico)$/i', $_GET['src']) || // only allow images, not eg. Javascript! !preg_match('/^[a-z 0-9._-]+\.(jpe?g|png|gif|svg|ico)$/i', $_GET['src']) || // only allow images, not eg. Javascript!
!file_exists($path .= '/'.$_GET['src']) || !file_exists($path .= '/' . $_GET['src']) ||
!($fp = fopen($path, 'r'))) !($fp = fopen($path, 'r')))
{ {
error_log(__FILE__.": _GET[src]='$_GET[src]', path=$path returning HTTP status 404 Not Found"); error_log(__FILE__ . ": _GET[src]='$_GET[src]', path=$path returning HTTP status 404 Not Found");
http_response_code(404); http_response_code(404);
} }
else else
{ {
Api\Session::cache_control(864000); // 10 days Api\Session::cache_control(864000); // 10 days
$size = filesize($path); $size = filesize($path);
header('ETag: "'.md5($_GET['src'].$size.filemtime($path)).'"'); header('ETag: "' . md5($_GET['src'] . $size . filemtime($path)) . '"');
header('Content-Type: '.Api\MimeMagic::filename2mime($_GET['src'])); header('Content-Type: ' . Api\MimeMagic::filename2mime($_GET['src']));
header('Content-Length: '.$size); header('Content-Length: ' . $size);
fpassthru($fp); fpassthru($fp);
fclose($fp); fclose($fp);
}
exit;
} }
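Review bot: The 404 branch of `send_image()` interpolates the raw `$_GET['src']` into `error_log()`, and that branch is exactly where the value has failed the `basename()` or regex check. The callback comment says the function also runs when there is no session, so an unauthenticated request can put arbitrary bytes, including line breaks, into the server log. Logging an encoded form keeps each entry on one line: `error_log(__FILE__ . ': _GET[src]=' . json_encode($_GET['src'] ?? null) . ", path=$path returning HTTP status 404 Not Found");`. Separately, a `src[]=` array parameter passes `empty()` and reaches `basename()` as a non-string, so I would add `!is_string($_GET['src']) ||` directly after the `empty()` test so that case ends in the 404 path instead of a type error.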