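<?php

/*
 * SCROTT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
 * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 * OTHER DEALINGS IN THE SOFTWARE.
 *
 * For more information, please refer to UNLICENSE
 */

require_once "class/user.class.php";
require_once "class/mesg.class.php";

/*
 * This file is a proxy script for fetching resources from the /dynmic
 * directory. This script enforces access-control on HTTP objects such
 * as images and flat files which are supplied by users.
 *
 * Example request:
 *   https://yourdomain.com/scrott/df.php?d=heads&f=a4bf903a
 *
 * In cases of error or lack of access privilege, this script will
 * produce no output and fail silently.
 */

/*
 * Make a stored attachment name safe to place inside the quoted
 * filename parameter of a Content-Disposition header. Control bytes
 * (including CR and LF) are removed; double quotes and backslashes are
 * replaced with underscores, since either one would end or escape the
 * quoted-string and let the rest of the name be read as further
 * header parameters.
 */
function sanitizeDownloadName(string $name) : string
{
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name) ?? "";
    return str_replace(['"', '\\'], '_', $name);
}

/*
 * Serve the resource at the given URI in response to the current
 * request. When finished, this function will exit PHP and terminate
 * this script.
 *
 * $uri is a path built by main() from a validated object id.
 * $filename, when given, is sent as the suggested download name and
 * switches the response to "attachment" disposition.
 *
 * The files served here are supplied by users, so the response always
 * carries "X-Content-Type-Options: nosniff": the browser must honour
 * the declared type rather than guess one from the bytes.
 *
 * NOTE(review): the declared type is whatever mime_content_type()
 * detects from the file's contents, so an upload that is detected as
 * HTML or SVG is still served inline from this origin whenever no
 * $filename is passed. Confirm the upload path restricts file types,
 * or force a download disposition for everything except known image
 * types.
 */
function serveResource(string $uri, ?string $filename = NULL) : void
{
    $f = fopen($uri, "rb");

    if (!$f)
        exit;

    /* never emit an empty Content-Type if detection fails */
    $type = mime_content_type($uri);
    header("Content-Type: " . ($type ?: "application/octet-stream"));
    header("X-Content-Type-Options: nosniff");

    /* filesize() returns false on failure; omit the header then */
    $size = filesize($uri);
    if ($size !== false)
        header("Content-Length: " . $size);

    if ($filename !== NULL && $filename !== "")
    {
        /* keep the download disposition even if nothing survives cleaning */
        $safe = sanitizeDownloadName($filename);
        $disposition = "Content-Disposition: attachment";

        if ($safe !== "")
            $disposition .= "; filename=\"" . $safe . "\"";

        header($disposition);
    }

    fpassthru($f);
    fclose($f);
    exit;
}

/*
 * Check the current user's permissions. User must have access
 * rights for the file's object, unless that object is a user
 * object and $allowHeadUser is set to true.
 *
 * Returns false when nobody is logged in. With $allowHeadUser set,
 * any logged-in user is allowed to fetch the file of any user object.
 */
function checkPermissions(string $guid, bool $allowHeadUser = false) : bool
{
    if (!($user = user::getCurrent()))
        return false;

    $obj = new obj($guid);

    /* strict comparison: only the exact string "user" takes the bypass */
    if ($allowHeadUser && $obj->objtype === "user")
        return true;

    return $user->canAccess($obj);
}

/*
 * Respond to users' requests for dynamic files
 *
 * $dir selects the storage area ("heads", "bgs" or "attach"); any
 * other value produces no output. $guid is the object id, which is
 * also the file name on disk, so it is validated as a single path
 * component before it is used to build a path.
 */
function main(string $dir, string $guid) : void
{
    try
    {
        /*
         * Reject anything that is not one plain path component:
         * empty, ".", "..", anything containing a separator, and
         * anything containing a NUL byte (which would otherwise
         * surface as an uncaught error from the filesystem calls
         * instead of a silent failure).
         */
        if ($guid === "" || $guid === "." || $guid === "..")
            return;
        if (strpos($guid, "\0") !== false || basename($guid) !== $guid)
            return;

        /* the access check runs before any file is touched */
        if (!checkPermissions($guid, $dir === "heads"))
            return;

        switch ($dir)
        {
        case "heads":
            /* is_file() so a directory is never handed to fopen() */
            if (is_file("dynmic/heads/" . $guid))
                serveResource("dynmic/heads/" . $guid);
            else
                serveResource("static/img/null.jpg");
            break;

        case "bgs":
            serveResource("dynmic/bgs/" . $guid);
            break;

        case "attach":
            /* presumably the uploader-chosen name; confirm in mesg.class.php */
            $mesg = new mesg($guid);
            serveResource("dynmic/attach/" . $guid, $mesg->attachment);
            break;
        }
    }
    catch (Exception $e)
    {
        /* fail silently */
    }
}

/*
 * Both parameters are required and must be plain strings. A missing
 * parameter, or an array such as ?f[]=x, would otherwise raise a
 * TypeError at the call below, which the catch inside main() does not
 * cover, and break the "no output" contract.
 */
$dir = $_REQUEST['d'] ?? NULL;
$guid = $_REQUEST['f'] ?? NULL;

if (is_string($dir) && is_string($guid))
    main($dir, $guid);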