Only hash valid files, returns 404 when not found
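<?php
/**
 * squasher.php - request dispatcher of the squasher web front-end.
 *
 * This file is included by a front controller that provides $db (a mysqli
 * connection, see real_escape_string/mysqli_fetch_object below), the login
 * state in $_SESSION['creds'], the SQUASHER_UPLOADS_DIR constant and the
 * helpers log_event(), get_smarty() and named_records_sort().
 *
 * A request is one of:
 *   ?f=<hash>        download a squashed file by hash (no login needed)
 *   ?tools=<name>    per-file and admin actions (hide/unhide/delete/mkdir/rmdir/
 *                    access/users/edituser/deluser/logs), each gated on user_level
 *   anything else    the folder overview (index.tpl)
 */

// --- request normalisation -------------------------------------------------

// Session credentials; a missing or malformed entry counts as "not logged in".
$creds = (isset($_SESSION['creds']) && is_array($_SESSION['creds'])) ? $_SESSION['creds'] : array();
$validated = !empty($creds['validated']);
// user_level is only ever compared numerically below; an unset level is 0.
$user_level = isset($creds['user_level']) ? (int)$creds['user_level'] : 0;

// Only scalar GET/POST values are meaningful here; array forms (?f[]=x) are
// treated as absent instead of reaching strlen()/real_escape_string().
$hash = (isset($_GET['f']) && is_string($_GET['f'])) ? $_GET['f'] : '';
$tool = (isset($_GET['tools']) && is_string($_GET['tools'])) ? $_GET['tools'] : '';
$post_tool = (isset($_POST['tools']) && is_string($_POST['tools'])) ? $_POST['tools'] : '';
// edituser/deluser accept their parameters from GET or POST (as before).
$request_tool = (isset($_REQUEST['tools']) && is_string($_REQUEST['tools'])) ? $_REQUEST['tools'] : '';
$h = (isset($_GET['h']) && is_string($_GET['h'])) ? $_GET['h'] : null;
$debug = isset($_GET['debug']) ? $_GET['debug'] : null;

// A download by hash is the only thing an unauthenticated client may do.
// Gate on the same non-empty value the download branch uses, so that a bare
// "?f=" does not let an anonymous client through to the overview/tool branches.
if (!$validated && $hash === '')
	exit();

require_once("squasher.class.php");

$squashweb = new squashweb();
$squashweb->db = $db;

$squashweb->update_history();

// Requested folder, always absolute; anything odd falls back to the root.
$requestpath = (isset($_GET['path']) && is_string($_GET['path'])) ? $_GET['path'] : '';
if ($requestpath === '' || $requestpath[0] !== '/') {
	$requestpath = '/';
}
// Reject ".." segments before the path reaches any filesystem helper
// (read_directory runs further down, ahead of the overview branch).
if (in_array('..', explode('/', $requestpath), true)) {
	trigger_error("Unauthorized path ".$requestpath, E_USER_ERROR);
	die();
}

// Hash downloads and the per-file tools need the deep file list but no
// template data; the overview needs the opposite.
$filetool = ($tool === 'hide' || $tool === 'unhide' || $tool === 'delete');
$getdeepfiles = ($hash !== '' || $filetool);
$populate = !$getdeepfiles;

// Update folder rights if the folder-rights form was posted. That form is
// only rendered on the "access" tool page (level > 100), so the same level is
// required here rather than accepting the POST from any session.
if ($validated && $user_level > 100
		&& isset($_POST['edited_user']) && $_POST['edited_user'] > 0
		&& isset($_POST['formtype']) && $_POST['formtype'] === 'folderrights') {
	$m = isset($_POST['m']) ? $_POST['m'] : null;
	$squashweb->update_rights($_POST['edited_user'], $m, $creds['user_level']);
}

// Folder rights: hash downloads and super admins see everything.
if ($hash !== '' || $user_level > 200) {
	$squashweb->give_rights(-1); // full access
} else {
	$squashweb->give_rights(isset($creds['user_id']) ? $creds['user_id'] : null);
}

if ($hash !== '') {
	// Look the hash up; real_escape_string keeps the value out of SQL syntax.
	$f_q = "SELECT * FROM file_hash WHERE md5_hash = '".$db->real_escape_string($hash)."'";
	$f_r = $db->query($f_q);
	// query() returns false on failure; fetch_object() yields null for no row.
	$f_o = $f_r ? mysqli_fetch_object($f_r) : null;

	// Log every download attempt; for an unknown hash the file is null, as before.
	log_event('download', $f_o ? $f_o->file : null, $hash);

	if (!$f_o) {
		header('HTTP/1.0 404 Not found');
		echo('<h1>No file with that hash</h1>');
		exit();
	}

	$_hpath_arr = explode("/", $f_o->file);
	$file = array_pop($_hpath_arr); // Remove filename
	$path = implode("/", $_hpath_arr);
	if (!$squashweb->read_single_file($path, $file)) {
		header('HTTP/1.0 404 Not found');
		echo('<h1>No file with that hash</h1>');
		exit();
	}
} else {
	// Parse folders for readable files.
	$squashweb->read_directory($requestpath, true, true, $getdeepfiles, $populate);
}

// --- dispatch --------------------------------------------------------------

if ($hash !== '') {
	// Config of the requested file: [2] = filename, [3] = size, 'path', 'mime'.
	$request = $squashweb->get_config($hash);

	// The stored filename is user-supplied; keep it from closing the quoted
	// header value (header() itself already refuses CR/LF).
	$dl_name = str_replace(array('"', "\r", "\n"), '', (string)$request[2]);
	header('Content-Disposition: attachment; filename="'.$dl_name.'"');
	header("Content-Type: ".$request['mime']);
	if ($request[3])
		header('Content-Length: '.$request[3]);
	@flush();
	$squashweb->print_files($request['path'], $request[2]);

} elseif ($tool === "hide" && !empty($h)) {
	if ($user_level > 99) {
		$request = $squashweb->get_config($h);
		// Without a config there is no file to mark; otherwise an empty path
		// would drop a stray ".hidden" marker into the uploads root.
		if (is_array($request)) {
			// Mode 'x' returns false when the marker already exists.
			$handle = fopen(SQUASHER_UPLOADS_DIR.$request['path'].'/'.$request[2].'.hidden', 'x');
			if ($handle !== false) {
				fwrite($handle, 'hidden by '.$creds['user_name']);
				fclose($handle);
			}
		}
		$path = is_array($request) ? $request['path'] : '';
		header('Location: ?path='.$path);
	}

} elseif ($tool === "unhide" && $h !== null) {
	if ($user_level > 99) {
		$request = $squashweb->get_config($h);
		if (is_array($request)) {
			// Best effort: a missing marker is not an error.
			@unlink(SQUASHER_UPLOADS_DIR.$request['path'].'/'.$request[2].'.hidden');
		}
		$path = is_array($request) ? $request['path'] : '';
		header('Location: ?path='.$path);
	}

} elseif ($tool === "delete" && $h !== null) {
	if ($user_level > 99) {
		// ?h=multiple takes the list of hashes from the posted h[] array.
		if ($h === "multiple") {
			$hashes = (isset($_POST['h']) && is_array($_POST['h'])) ? $_POST['h'] : array();
		} else {
			$hashes = array($h);
		}
		$path = '';
		foreach ($hashes as $del_hash) {
			if (!is_string($del_hash))
				continue;
			$request = $squashweb->get_config($del_hash);
			$squashweb->delete_file($del_hash, $creds);
			// Redirect to the folder of the last file handled, as before.
			if (is_array($request))
				$path = $request['path'];
		}
		header('Location: ?path='.$path);
	}

} elseif ($post_tool === "mkdir" && !empty($_POST['newname']) && $user_level > 99) {
	$path = (isset($_GET['path']) && is_string($_GET['path'])) ? $_GET['path'] : '';
	$newname = $_POST['newname'];
	$subs = explode('/', $path);
	if (in_array('..', $subs, true))
		die(); // Hard fails when trying to play above SQUASHER_UPLOADS_DIR
	// The new name must be a single path segment: no separators, no "."/"..",
	// no NUL - otherwise it could leave the requested folder just like $path.
	if (!is_string($newname) || strpbrk($newname, "/\\\0") !== false
			|| $newname === '.' || $newname === '..')
		die();
	if ($squashweb->got_rights_array_admin($path) > 0) {
		umask(002); // don't remove g+w
		mkdir(SQUASHER_UPLOADS_DIR.$path.'/'.$newname);
	}
	header('Location: ?path='.$path.'/'.$newname);

} elseif ($post_tool === "rmdir" && isset($_GET['path']) && $user_level > 99) {
	if (!is_string($_GET['path']))
		die();
	$path = $_GET['path'];
	$subs = explode('/', $path);
	if (in_array('..', $subs, true))
		die(); // Hard fails when trying to play above SQUASHER_UPLOADS_DIR
	// Never aim rmdir() at the uploads directory itself.
	if ($path === '' || $path === '/')
		die();
	if ($squashweb->got_rights_array_admin($path) > 0) {
		rmdir(SQUASHER_UPLOADS_DIR.$path);
	}
	// Redirect to the parent folder.
	array_pop($subs);
	header('Location: ?path='.implode("/", $subs));

} elseif ($tool === 'access' && $user_level > 100) {
	$edited = isset($_GET['user']) ? $_GET['user'] : null;

	$smarty = get_smarty();
	$smarty->assign('user_level', $creds['user_level']);
	$smarty->assign('user_name', $creds['user_name']);
	$smarty->assign('users', $squashweb->get_users($creds['user_level']));
	$smarty->assign('edited_user', $edited);

	$tree = $squashweb->show_rights_tree($requestpath, 0, $edited);
	$smarty->assign('style', $tree['style']);
	$smarty->assign('layout', $tree['layout']);

	$smarty->assign('debug', $debug);
	$smarty->assign('folderrights', $squashweb->folderrights());
	$smarty->assign('userrights', $squashweb->userrights());
	$smarty->display('admin.tpl');

} elseif ($tool === 'users' && $user_level > 100) {
	$smarty = get_smarty();
	$smarty->assign('user_level', $creds['user_level']);
	$smarty->assign('user_name', $creds['user_name']);
	$smarty->assign('user_id', $creds['user_id']);
	$smarty->assign('users', $squashweb->get_users($creds['user_level']));
	$smarty->assign('debug', $debug);
	$smarty->display('udmin.tpl');

} elseif ($request_tool === 'edituser' && $user_level > 100) {
	$edited_user = isset($_REQUEST['edited_user']) ? $_REQUEST['edited_user'] : null; // user id
	$users = $squashweb->get_users($creds['user_level']);
	$u = isset($_REQUEST['u']) ? $_REQUEST['u'] : null; // new or edited data (form array)
	if (is_array($u) && $u) {
		// An id selects an existing user; otherwise a new one is created.
		if ($edited_user !== null && $edited_user !== '') {
			$squashweb->update_users($u, $edited_user);
		} else {
			// Simple admins don't get the user_level row in the form; pin it here.
			if ($user_level < 200)
				$u['user_level'] = 55;
			$squashweb->insert_users($u, $creds['user_level']);
		}
		// A Location header already answers with 302.
		header('Location: ?tools=users');
	} else {
		$smarty = get_smarty();
		$smarty->assign('user_level', $creds['user_level']);
		$smarty->assign('user_name', $creds['user_name']);
		$smarty->assign('user_id', $creds['user_id']);

		$smarty->assign('users', $users);
		$smarty->assign('edited_user', $edited_user);

		if (is_array($users) && array_key_exists($edited_user, $users)) {
			$user = $users[$edited_user];
			// A disabled account is presented with level 0 in the form.
			if (!$user['enabled'])
				$user['level'] = 0;
			$smarty->assign('u', $user);
		} else {
			$smarty->assign('u', NULL);
		}

		// Only super admins may hand out admin levels.
		if ($user_level > 199) {
			$smarty->assign('user_levels', array(55 => 'User', 155 => 'Admin', 255 => 'Super admin', 0 => 'Disabled'));
		} else {
			$smarty->assign('user_levels', array(55 => 'User', 0 => 'Disabled'));
		}

		$smarty->assign('debug', $debug);
		$smarty->display('edit_user.tpl');
	}

} elseif ($request_tool === 'deluser' && $user_level > 100) {
	$edited_user = isset($_REQUEST['edited_user']) ? $_REQUEST['edited_user'] : null; // user id
	$users = $squashweb->get_users($creds['user_level']);
	// Only users visible to this admin's level can be removed.
	if (is_array($users) && array_key_exists($edited_user, $users))
		$squashweb->remove_users($edited_user);
	// A Location header already answers with 302.
	header('Location: ?tools=users');

} elseif ($tool === 'logs' && $user_level > 100) {
	$logtype = (isset($_GET['logtype']) && is_string($_GET['logtype']) && $_GET['logtype'] !== '')
		? $_GET['logtype'] : 'all';

	$smarty = get_smarty();
	$smarty->assign('user_level', $creds['user_level']);
	$smarty->assign('user_name', $creds['user_name']);
	$smarty->assign('logtype', $logtype);
	$smarty->assign('logs', $squashweb->get_logs($logtype));
	$smarty->assign('debug', $debug);
	$smarty->display('logs.tpl');

} else {
	// Show overview.
	$smarty = get_smarty();
	/***
	*	$config:: array
	*	[0]	->	versioncode
	*	[1]	->	date&time
	*	[2]	->	filename
	*	[3]	->	filesize
	*	[4]	->	chunksize
	*	[5]	->	chunkcount
	*	[6]	->	CRC32 checksum
	***/

	$configs_num = $squashweb->get_configs();
	$configs_sorted = named_records_sort($configs_num, 'lastchange', true);

	$configs = array();
	foreach ($configs_sorted as $key => $value) {
		// 'stats' holds one progress value per chunk ('1.00' = complete).
		$stats = (isset($value['stats']) && is_array($value['stats'])) ? $value['stats'] : array();
		$chunks_finished = array_sum($stats);
		$mime = isset($value['mime']) ? (string)$value['mime'] : '';
		// Presumably meant to match "video/*" mime types for an inline player.
		$embedable = (strpos($mime, 'ideo') !== false);
		// All chunks complete? Loose compare on purpose: the sum may be a
		// float while [5] may be a numeric string.
		$finished = ($chunks_finished == $value[5]);

		$entry = array(
			'squashed' => $value['squashed'],
			'version' => $value[0],
			//'date' => $value[1], // user-local creation date is irrelevant
			'name' => $value[2],
			'size' => $value[3],
			'chunk_size' => $value[4],
			'chunks' => $value[5],
			'crc' => $value[6],
			'embedable' => $embedable,
			'finished' => $finished,
			'mime' => $value['mime'],
			'status' => $value['status'],
			'hidden' => $value['hidden'],
			'chunks_finished' => $chunks_finished,
			'chunks_partial' => 0,
		);
		if ($finished) {
			$entry['chunks_partial'] = $chunks_finished;
		} else {
			// Count the leading run of complete chunks plus the first
			// incomplete one, then stop.
			foreach ($stats as $sv) {
				$entry['chunks_partial'] += $sv;
				if ($sv != '1.00')
					break;
			}
		}
		$entry['date'] = date('d.m.y - H:i:s - T', $value['added']);
		$entry['lastchange'] = date('d.m.y - H:i:s - T', $value['lastchange']);
		$configs[$key] = $entry;
	}

	// Breadcrumb: one entry per folder on the way to the current one
	// ($requestpath was already checked for ".." above).
	$basepath = array('/' => 'top');
	$bpath = '';
	foreach (explode('/', $requestpath) as $fragment) {
		if ($fragment !== '') {
			$bpath .= '/'.$fragment;
			$basepath[$bpath] = $fragment;
		}
	}

	$smarty->assign('debug', $debug);
	$smarty->assign('user_level', $creds['user_level']);
	$smarty->assign('user_name', $creds['user_name']);
	$smarty->assign('folderrights', $squashweb->folderrights());

	$smarty->assign('squashed', $configs);
	$smarty->assign('base', $basepath);
	$smarty->assign('currentfolder', $requestpath);
	$subs = $squashweb->subfolders();
	if ($subs)
		asort($subs);
	$smarty->assign('subfolders', $subs);

	$smarty->display('index.tpl'); // Display normal template
}
// No closing "?>": trailing whitespace after it would be sent before headers.
// vim: syntax=php ts=4 sw=4 sts=4 sr noet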