oops: Fix download of attachments from FAQ and Canned

84827513 · Jared Hancock · 65c06901 · 84827513 · 84827513 · 84827513
Commit 84827513 authored 11 years ago by Jared Hancock
--- a/include/class.attachment.php
+++ b/include/class.attachment.php
@@ -171,7 +171,6 @@ class GenericAttachments {
        $attachments = array();
        foreach ($this->attachments as $a) {
            if ($a['inline'] != $separate || $a['inline'] == $inlines) {
-                $a['key'] = md5($a['id'].session_id().$a['key']);
                $a['file_id'] = $a['id'];
                $attachments[] = $a;
            }

--- a/include/class.faq.php
+++ b/include/class.faq.php
@@ -195,7 +195,7 @@ class FAQ {
        if(($attachments=$this->attachments->getSeparates())) {
            foreach($attachments as $attachment ) {
            /* The h key must match validation in file.php */
-            $hash=$attachment['hash'].md5($attachment['id'].session_id().$attachment['hash']);
+            $hash=$attachment['key'].md5($attachment['id'].session_id().strtolower($attachment['key']));
            if($attachment['size'])
                $size=sprintf('&nbsp;<small>(<i>%s</i>)</small>',Format::file_size($attachment['size']));


--- a/include/class.file.php
+++ b/include/class.file.php
@@ -112,7 +112,8 @@ class AttachmentFile {
     * download this file
     */
    function getDownloadHash() {
-        return strtolower($this->getKey() . md5($this->getId().session_id().$this->getKey()));
+        return strtolower($this->getKey()
+            . md5($this->getId().session_id().strtolower($this->getKey())));
    }

    function open() {

--- a/include/staff/cannedresponse.inc.php
+++ b/include/staff/cannedresponse.inc.php
@@ -87,7 +87,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
                if($canned && ($files=$canned->attachments->getSeparates())) {
                    echo '<div id="canned_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
                    foreach($files as $file) {
-                        $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
+                        $hash=$file['key'].md5($file['id'].session_id().strtolower($file['key']));
                        echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
                                      <a href="file.php?h=%s">%s</a>&nbsp;&nbsp;</label>&nbsp;',
                                      $file['id'], $file['id'], $hash, $file['name']);

--- a/include/staff/faq.inc.php
+++ b/include/staff/faq.inc.php
@@ -101,7 +101,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
                if($faq && ($files=$faq->attachments->getSeparates())) {
                    echo '<div class="faq_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
                    foreach($files as $file) {
-                        $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
+                        $hash=$file['key'].md5($file['id'].session_id().strtolower($file['key']));
                        echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
                                      <a href="file.php?h=%s">%s</a>&nbsp;&nbsp;</label>&nbsp;',
                                      $file['id'], $file['id'], $hash, $file['name']);

--- a/scp/file.php
+++ b/scp/file.php
@@ -23,7 +23,7 @@ $h=trim($_GET['h']);
 //basic checks
 if(!$h  || strlen($h)!=64  //32*2
        || !($file=AttachmentFile::lookup(substr($h,0,32))) //first 32 is the file hash.
-        || strcasecmp(substr($h,-32),md5($file->getId().session_id().strtolower($file->getKey())))) //next 32 is file id + session hash.
+        || $file->getDownloadHash() != $h) //next 32 is file id + session hash.
    die('Unknown or invalid file. #'.Format::htmlchars($_GET['h']));

 $file->download();