From d7442e00b8ee277938adaca3b83f814e0d67b432 Mon Sep 17 00:00:00 2001
From: Malf Furious
Date: Thu, 20 Apr 2017 01:45:06 -0400
Subject: Add dynamic file proxy script
Entry point df.php, meaning dynamic file or direct file, added as a means of serving user-supplied content while enforcing access-controls in PHP.
---
app/df.php | 102 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 102 insertions(+)
create mode 100644 app/df.php
(limited to 'app/df.php')
diff --git a/app/df.php b/app/df.php
new file mode 100644
index 0000000..a425d57
--- /dev/null
+++ b/app/df.php
@@ -0,0 +1,102 @@
+objtype == "user")
+ return true;
+
+ return $user->canAccess($obj);
+}
+
+/*
+ * Respond to users' requests for dynamic files
+ */
+function main(string $dir, string $guid) : void
+{
+ try
+ {
+ if (basename($guid) != $guid || $guid == "")
+ return;
+
+ if (!checkPermissions($guid, $dir == "heads"))
+ return;
+
+ switch ($dir)
+ {
+ case "heads":
+ if (file_exists("dynmic/heads/" . $guid))
+ serveResource("dynmic/heads/" . $guid);
+ else
+ serveResource("static/img/null.jpg");
+ break;
+
+ case "bgs":
+ serveResource("dynmic/bgs/" . $guid);
+ break;
+ }
+ }
+ catch (Exception $e)
+ {
+ /* fail silently */
+ }
+}
+
+main($_REQUEST['d'], $_REQUEST['f']);
+
+?>
-- cgit v1.2.3
From 138348bbd1318a3bc2ee5112eee44d385b21751e Mon Sep 17 00:00:00 2001
From: Malf Furious
Date: Sun, 4 Jun 2017 14:45:23 -0400
Subject: Update df function serveResource()
Added optional parameter for resource's filename. If given, a Content-Disposition header will be delivered to the client.
---
app/df.php | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'app/df.php')
diff --git a/app/df.php b/app/df.php
index a425d57..9581cae 100644
--- a/app/df.php
+++ b/app/df.php
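Review bot: `main($_REQUEST['d'], $_REQUEST['f']);` reads both keys without checking that they exist or are strings, so a request missing either parameter (or sending one as an array) fails the `string` parameter types with a TypeError, which is an `Error` rather than an `Exception` and so is not caught by main's `catch (Exception $e)`; the client then gets a 500 or, with `display_errors` on, a stack trace. Guard at the call site, e.g. `$d = $_GET['d'] ?? null; $f = $_GET['f'] ?? null;` followed by `if (is_string($d) && is_string($f)) main($d, $f);`, preferring `$_GET` over `$_REQUEST`, which also accepts the values from cookies and POST bodies. Every silent path in main (a failed `checkPermissions`, an unrecognised `$dir`, the swallowed exception) produces a 200 with an empty body; an `http_response_code(404);` on those paths keeps failures visible to clients and in access logs. The `basename($guid) != $guid` check rejects slashes but admits `.` and `..`; whether those reach the filesystem depends on `obj`'s constructor, which is outside the hunk, so a positive format check (a regex over the guid alphabet) would state the intent directly. The start of this hunk, including the file header, `serveResource` and the head of `checkPermissions`, is lost in this rendering; the visible lines begin in the tail of `checkPermissions`.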
@@ -31,15 +31,19 @@ require_once "class/user.class.php"; * request. When finished, this function will exit PHP and terminate * this script. */ -function serveResource(string $uri) : void +function serveResource(string $uri, ?string $filename = NULL) : void { $f = fopen($uri, "rb"); if (!$f) exit; - header("Content-type: " . mime_content_type($uri)); - header("Content-length: " . filesize($uri)); + header("Content-Type: " . mime_content_type($uri)); + header("Content-Length: " . filesize($uri)); + + if ($filename) + header("Content-Disposition: attachment; filename='" . $filename . "'"); + fpassthru($f); fclose($f); -- cgit v1.2.3 From f43bd09b8287e3876b5a7396e6bb263c35e3972a Mon Sep 17 00:00:00 2001 From: Malf Furious Date: Sun, 4 Jun 2017 14:59:25 -0400 Subject: Update df script to support message attachments Now, if a mesg guid is requested under attach/, the attachment file is served and offers the browser the content-disposition for that file. --- app/df.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'app/df.php') diff --git a/app/df.php b/app/df.php index 9581cae..92dd9dd 100644 --- a/app/df.php +++ b/app/df.php @@ -13,6 +13,7 @@ */ require_once "class/user.class.php"; +require_once "class/mesg.class.php"; /* * This file is a proxy script for fetching resources from the /dynmic @@ -93,6 +94,11 @@ function main(string $dir, string $guid) : void case "bgs": serveResource("dynmic/bgs/" . $guid); break; + + case "attach": + $mesg = new mesg($guid); + serveResource("dynmic/attach/" . $guid, $mesg->attachment); + break; } } catch (Exception $e) -- cgit v1.2.3 From d52b67bbc212f85cc6e80e107029bda4d4445b94 Mon Sep 17 00:00:00 2001 From: Malf Furious Date: Sun, 4 Jun 2017 18:03:16 -0400 Subject: Fix bug in function serveResource() It is necessary to use double-quotes in the Content-Disposition header. --- app/df.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/df.php') 
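Review bot: The `Content-Type` header on the new side is whatever `mime_content_type($uri)` detects for a user-uploaded file, and no `X-Content-Type-Options` header is sent, so an upload that libmagic classifies as `text/html` or `image/svg+xml` is rendered inline under the application's origin on the paths that pass no `$filename` (heads and bgs in the first commit). Add `header("X-Content-Type-Options: nosniff");` beside the existing headers and, for the image directories, restrict the served type to an allowlist or fall back to `application/octet-stream` when the detected type is not one the endpoint means to serve. `if ($filename)` is a truthiness test, so the filename `"0"` is treated as absent; `if ($filename !== null && $filename !== "")` expresses the intent. The function's doc comment begins above the hunk and its end, after `fclose($f)`, is below it.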
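Review bot: The new `attach` case passes `$mesg->attachment` straight into serveResource without checking it is set, so a message with no attachment record serves `dynmic/attach/<guid>` inline with no `Content-Disposition`, contrary to the intent stated in the commit message. A guard such as `if ($mesg->attachment === null || $mesg->attachment === "") return;` before the `serveResource` call (ideally with a 404 status) closes that gap; whether `new mesg($guid)` throws for a guid that is not a message, or yields an object with a null `attachment`, depends on `class/mesg.class.php`, which is outside the hunk. `$mesg->attachment` is presumably the name chosen by the uploader, so it should be treated as untrusted and escaped or encoded before it is placed in a response header. The enclosing `switch` and `main` start above the hunk.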
diff --git a/app/df.php b/app/df.php index 92dd9dd..3f648ad 100644 --- a/app/df.php +++ b/app/df.php @@ -43,7 +43,7 @@ function serveResource(string $uri, ?string $filename = NULL) : void header("Content-Length: " . filesize($uri)); if ($filename) - header("Content-Disposition: attachment; filename='" . $filename . "'"); + header("Content-Disposition: attachment; filename=\"" . $filename . "\""); fpassthru($f); fclose($f); -- cgit v1.2.3 From 0bae6d4063c82c6522e3a5887bc25a2162504b69 Mon Sep 17 00:00:00 2001 From: Malf Furious Date: Wed, 7 Feb 2018 22:37:26 -0500 Subject: Update df script to use renamed obj class --- app/df.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/df.php') diff --git a/app/df.php b/app/df.php index 3f648ad..6c23136 100644 --- a/app/df.php +++ b/app/df.php @@ -61,7 +61,7 @@ function checkPermissions(string $guid, bool $allowHeadUser = false) : bool if (!($user = user::getCurrent())) return false; - $obj = new object($guid); + $obj = new obj($guid); if ($allowHeadUser && $obj->objtype == "user") return true; -- cgit v1.2.3 From 1f36f47e968f2249502f7649594f88500209c6e3 Mon Sep 17 00:00:00 2001 
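Review bot: Switching to double quotes fixes the delimiter but `$filename` is still placed in the header unescaped; a stored attachment name that contains `"` ends the quoted string early and the remainder is parsed as further `Content-Disposition` parameters. PHP's `header()` refuses (and does not send) values containing newlines, so a second header cannot be appended this way, but the disposition itself can be altered, and non-ASCII names are not valid in the quoted form at all. Sanitise the ASCII fallback and add an RFC 6266 `filename*` parameter: `$ascii = preg_replace('/["\\\\]|[^\x20-\x7e]/', '_', basename($filename));` then `header('Content-Disposition: attachment; filename="' . $ascii . '"; filename*=UTF-8\'\'' . rawurlencode($filename));`. `serveResource` begins above and ends below the hunk.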
From: Malf Furious Date: Wed, 26 Sep 2018 16:16:32 -0400 Subject: df: Address class cyclic require loop A dependency loop exists between class/agent.class.php and class/group.class.php. Due to specific `require_once` ordering within the app, this problem was not surfaced until now. These two classes depend on eachother, but strictly speaking, the interpreter needs to read the agent class first. This is because group directly inherits from agent. It is only one of agent's functions which references group. Group has a `require_once "class/agent.class.php"` at its top, so requiring group first will read both classes, in the correct order, and provide their definition's for the remainder of the runtime. The main entry-point, index.php, did not have this problem since it was explicitly requiring group itself (it actually needs group, though). The df.php entry-point wasn't and was relying on requires in the class/ directory to resolve this issue. In a more-sane language, I could patch this more easily directly in the affected file; rather, this patch updates the df entry-point to explicitly require group, solving the issue up front. Hopefully this can be fleshed out in the future as it should not consern the entry-points that this specific evaluation order needs to take place. The third and final entry-point, cron.php, is already fine at the time of this commit. Its require tree is much simplier, and does not even include either of the affected classes. --- app/df.php | 1 + 1 file changed, 1 insertion(+) (limited to 'app/df.php') diff --git a/app/df.php b/app/df.php index 6c23136..97cd055 100644 --- a/app/df.php +++ b/app/df.php @@ -13,6 +13,7 @@ */ require_once "class/user.class.php"; +require_once "class/group.class.php"; require_once "class/mesg.class.php"; /* -- cgit v1.2.3