<?php
// phpcs:disable PSR1.Files.SideEffects.FoundWithSymbols
use dokuwiki\plugin\filelist\Path;
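// Standalone file dispatcher: resolves the requested root + file through the
// plugin's Path helper and streams the file to the client.
if (!defined('DOKU_INC')) define('DOKU_INC', __DIR__ . '/../../../');
// We do not use a session or authentication here (better caching). The path
// checks inside the try block are therefore the only access control applied
// by this script.
if (!defined('NOSESSION')) define('NOSESSION', true);
if (!defined('DOKU_DISABLE_GZIP_OUTPUT')) define('DOKU_DISABLE_GZIP_OUTPUT', 1); // we gzip ourself here
require_once(DOKU_INC . 'inc/init.php');

global $INPUT;

$syntax = plugin_load('syntax', 'filelist');
if (!$syntax) die('plugin disabled?');

$pathUtil = new Path($syntax->getConf('paths'));
// Both parts come straight from the request and are untrusted until resolved below.
$path = $INPUT->str('root') . $INPUT->str('file');

try {
    // NOTE(review): presumably getPathInfo() throws for paths outside the configured
    // 'paths' setting; confirm in Path. Any Exception raised here ends in the 403 below.
    $pathInfo = $pathUtil->getPathInfo($path, false);
    $target = $pathInfo['path'];

    if ($pathUtil::isWikiControlled($target)) {
        throw new Exception('Access to wiki files is not allowed');
    }

    // is_readable() is also true for directories, which readfile() cannot stream,
    // so require a regular file as well.
    if (!is_file($target) || !is_readable($target)) {
        header('Content-Type: text/plain');
        http_status(404);
        // Echo the path as requested, not the resolved one, so an unauthenticated
        // client does not learn where the file would live on the server.
        echo 'Path not readable: ' . $path;
        exit;
    }

    [$ext, $mime, $download] = mimetype($target, false);
    if (!$mime) {
        // No usable type was detected: never send an empty Content-Type, and
        // force a download instead of letting the browser guess.
        $mime = 'application/octet-stream';
        $download = true;
    }

    header('Content-Type: ' . $mime);
    // Keep browsers from re-interpreting the served file as something more active.
    header('X-Content-Type-Options: nosniff');
    if ($download) {
        // Escape quote and backslash so a file name cannot break out of the
        // quoted filename parameter.
        $basename = addcslashes(basename($target), '"\\');
        header('Content-Disposition: attachment; filename="' . $basename . '"');
    }

    http_sendfile($target);
    readfile($target);
} catch (Exception $e) {
    // Every failure in the block above is reported as "forbidden" with the
    // exception message as a plain-text body.
    header('Content-Type: text/plain');
    http_status(403);
    echo $e->getMessage();
    exit;
}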