Merge pull request #530 from greezybacon/issue/file-oops

oops: Fix several issues for files and downloads

Reviewed-By: Peter Rotich <peter@osticket.com>

include/class.attachment.php

@@ -171,7 +171,6 @@ class GenericAttachments {
         $attachments = array();
         foreach ($this->attachments as $a) {
             if ($a['inline'] != $separate || $a['inline'] == $inlines) {
-                $a['key'] = md5($a['id'].session_id().$a['key']);
                 $a['file_id'] = $a['id'];
                 $attachments[] = $a;
             }

include/class.faq.php

@@ -195,7 +195,7 @@ class FAQ {
         if(($attachments=$this->attachments->getSeparates())) {
             foreach($attachments as $attachment ) {
             /* The h key must match validation in file.php */
-            $hash=$attachment['hash'].md5($attachment['id'].session_id().$attachment['hash']);
+            $hash=$attachment['key'].md5($attachment['id'].session_id().strtolower($attachment['key']));
             if($attachment['size'])
                 $size=sprintf('&nbsp;<small>(<i>%s</i>)</small>',Format::file_size($attachment['size']));
 

include/class.file.php

@@ -112,7 +112,8 @@ class AttachmentFile {
      * download this file
      */
     function getDownloadHash() {
-        return strtolower($this->getKey() . md5($this->getId().session_id().$this->getKey()));
+        return strtolower($this->getKey()
+            . md5($this->getId().session_id().strtolower($this->getKey())));
     }
 
     function open() {
@@ -200,7 +201,8 @@ class AttachmentFile {
         if ($bk->sendRedirectUrl('inline'))
             return;
         $this->makeCacheable();
-        Http::download($this->getName(), $this->getType() ?: 'application/octet-stream');
+        Http::download($this->getName(), $this->getType() ?: 'application/octet-stream',
+            null, 'inline');
         header('Content-Length: '.$this->getSize());
         $this->sendData(false);
         exit();

include/class.format.php

@@ -383,7 +383,7 @@ class Format {
 
 
     function viewableImages($html, $script='image.php') {
-        return preg_replace_callback('/"cid:([\w.-_]{32})"/',
+        return preg_replace_callback('/"cid:([\w._-]{32})"/',
         function($match) use ($script) {
             $hash = $match[1];
             if (!($file = AttachmentFile::lookup($hash)))

include/class.http.php

@@ -95,14 +95,15 @@ class Http {
             return "filename*=UTF-8''".rawurlencode($filename);
     }
 
-    function download($filename, $type, $data=null) {
+    function download($filename, $type, $data=null, $disposition='attachment') {
         header('Pragma: private');
         header('Expires: 0');
         header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
         header('Cache-Control: private');
         header('Content-Type: '.$type);
-        header('Content-Disposition: attachment; %s;',
-            self::getDispositionFilename(basename($filename)));
+        header(sprintf('Content-Disposition: %s; %s',
+            $disposition,
+            self::getDispositionFilename(basename($filename))));
         header('Content-Transfer-Encoding: binary');
         if ($data !== null) {
             header('Content-Length: '.strlen($data));

include/staff/cannedresponse.inc.php

@@ -87,7 +87,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
                 if($canned && ($files=$canned->attachments->getSeparates())) {
                     echo '<div id="canned_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
                     foreach($files as $file) {
-                        $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
+                        $hash=$file['key'].md5($file['id'].session_id().strtolower($file['key']));
                         echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
                                       <a href="file.php?h=%s">%s</a>&nbsp;&nbsp;</label>&nbsp;',
                                       $file['id'], $file['id'], $hash, $file['name']);

include/staff/faq.inc.php

@@ -101,7 +101,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
                 if($faq && ($files=$faq->attachments->getSeparates())) {
                     echo '<div class="faq_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
                     foreach($files as $file) {
-                        $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
+                        $hash=$file['key'].md5($file['id'].session_id().strtolower($file['key']));
                         echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
                                       <a href="file.php?h=%s">%s</a>&nbsp;&nbsp;</label>&nbsp;',
                                       $file['id'], $file['id'], $hash, $file['name']);

scp/file.php

@@ -23,7 +23,7 @@ $h=trim($_GET['h']);
 //basic checks
 if(!$h  || strlen($h)!=64  //32*2
         || !($file=AttachmentFile::lookup(substr($h,0,32))) //first 32 is the file hash.
-        || strcasecmp(substr($h,-32),md5($file->getId().session_id().strtolower($file->getKey())))) //next 32 is file id + session hash.
+        || $file->getDownloadHash() != $h) //next 32 is file id + session hash.
     die('Unknown or invalid file. #'.Format::htmlchars($_GET['h']));
 
 $file->download();