made a copy
[atutor.git] / get_noid.php
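<?php
/************************************************************************/
/* ATutor                                                               */
/************************************************************************/
/* Copyright (c) 2002-2008 by Greg Gay, Joel Kronenberg & Heidi Hazelton*/
/* Adaptive Technology Resource Centre / University of Toronto          */
/* http://atutor.ca                                                     */
/*                                                                      */
/* This program is free software. You can redistribute it and/or        */
/* modify it under the terms of the GNU General Public License          */
/* as published by the Free Software Foundation.                        */
/************************************************************************/
// $Id: get.php 6974 2007-06-15 18:44:37Z joel $

/*
 * Sends a file from the ATutor content directory (AT_CONTENT_DIR) to the
 * client.
 *
 * The requested path is taken from the URL path when AT_FORCE_GET_FILE is
 * set, otherwise from the "f" query parameter. It is interpreted as follows:
 *   - a leading "/@" asks for the file to be sent as a download;
 *   - a last path component starting with "b64:" carries a base64-encoded
 *     path that replaces the whole request path;
 *   - a path whose first character after the leading "/" is a digit is
 *     resolved directly under AT_CONTENT_DIR, so the request itself names the
 *     course directory; any other path is resolved inside the directory of
 *     $_SESSION['course_id'].
 *
 * All of these inputs are client-controlled. The only thing in this file that
 * keeps a request inside the content directory is the realpath() containment
 * check made just before the file is sent.
 */

define('AT_INCLUDE_PATH', 'include/');

// Drop any pending output buffer so nothing precedes the file body. The call
// is silenced because there may be no active buffer, and a notice printed
// here would prevent the headers below from being sent.
@ob_end_clean();
header("Content-Encoding: none");

// Probe request: answers before any include is loaded.
if (isset($_GET['test'])) {
    header('HTTP/1.1 200 OK', true);
    header('ATutor-Get: OK');
    exit;
}

// Read by the includes below -- presumably to tell them they run inside the
// file getter; confirm against vitals.inc.php.
$in_get = true;

require(AT_INCLUDE_PATH . 'vitals.inc.php');
require(AT_INCLUDE_PATH . 'lib/mime.inc.php');

$force_download = false;
$current_file   = '';

// Work out the requested path.
if (defined('AT_FORCE_GET_FILE') && AT_FORCE_GET_FILE) {
    if (!empty($_SERVER['PATH_INFO'])) {
        $current_file = $_SERVER['PATH_INFO'];
    } elseif (!empty($_SERVER['REQUEST_URI'])) {
        $current_file = $_SERVER['REQUEST_URI'];
    } elseif (!empty($_SERVER['PHP_SELF'])) {
        $current_file = $_SERVER['PHP_SELF'];
        if (!empty($_SERVER['QUERY_STRING'])) {
            $current_file .= '?' . $_SERVER['QUERY_STRING'];
        }
    } elseif (!empty($_SERVER['SCRIPT_NAME'])) {
        $current_file = $_SERVER['SCRIPT_NAME'];
        if (!empty($_SERVER['QUERY_STRING'])) {
            $current_file .= '?' . $_SERVER['QUERY_STRING'];
        }
    } elseif (!empty($_SERVER['URL'])) {
        // Fixed: the query-string form used to be overwritten unconditionally
        // by the bare URL on the following line.
        $current_file = $_SERVER['URL'];
        if (!empty($_SERVER['QUERY_STRING'])) {
            $current_file .= '?' . $_SERVER['QUERY_STRING'];
        }
    }

    // Fixed: "$pos = strpos(...) !== FALSE" stored the boolean result of the
    // comparison in $pos, so the cut was always made at a fixed offset instead
    // of at the marker. The slash after "get.php" is kept so the result has
    // the same leading "/" as PATH_INFO, which the checks below rely on.
    // NOTE(review): the page shows this file as get_noid.php while the marker
    // is still '/get.php/' -- confirm which script name should be matched.
    $pos = strpos($current_file, '/get.php/');
    if ($pos !== false) {
        $current_file = substr($current_file, $pos + strlen('/get.php'));
    }
} else {
    // A missing or array-valued "f" is treated as an empty path, which ends
    // in the 404 branch below.
    $current_file = (isset($_GET['f']) && is_string($_GET['f'])) ? $_GET['f'] : '';
}

// A leading "/@" marks a forced download.
if (substr($current_file, 0, 2) == '/@') {
    $force_download = true;
    $current_file = substr($current_file, 2);
}

$path_parts = pathinfo((string) $current_file);
$file_name  = $path_parts['basename'];

if (substr($file_name, 0, 4) == 'b64:') {
    // The decoded value is as untrusted as the raw path: it can contain
    // directory separators or "..", which only the containment check below
    // stops from leaving the content directory.
    $file_name = base64_decode(substr($file_name, 4));
    $current_file = '/' . $file_name;
}

// A NUL byte never belongs in a file path and has truncated paths in
// filesystem calls on old PHP versions; refuse it outright.
if (strpos((string) $current_file, "\0") !== false) {
    header('HTTP/1.1 404 Not Found', true);
    exit;
}

if (is_numeric(substr($current_file, 1, 1)) == true) {
    // The path starts with a digit: drop the leading "/" and resolve it
    // directly under the content directory.
    // NOTE(review): this lets the request pick the course directory, and
    // nothing visible in this file checks that the current session may read
    // that course -- confirm that vitals.inc.php or the caller enforces it.
    $course_num = substr($current_file, 1, 1);
    $current_file = substr($current_file, 2);
    $file = AT_CONTENT_DIR . $course_num . $current_file;
} else {
    // Without a course in the session the path would resolve against the
    // content root instead of a course directory, so refuse the request.
    if (!isset($_SESSION['course_id']) || $_SESSION['course_id'] === '') {
        header('HTTP/1.1 404 Not Found', true);
        exit;
    }
    $file = AT_CONTENT_DIR . $_SESSION['course_id'] . $current_file;
}

// Pick the MIME type. $mime is not defined in this file (presumably it comes
// from lib/mime.inc.php). Unknown or missing extensions fall back to a generic
// binary type instead of producing an empty Content-Type header.
$pathinfo = pathinfo($file);
$ext = isset($pathinfo['extension']) ? $pathinfo['extension'] : '';
if ($ext != '' && isset($mime[$ext][0])) {
    $content_type = $mime[$ext][0];
} else {
    $content_type = 'application/octet-stream';
}

// The name placed in Content-Disposition comes from the request, so remove
// the characters that could close the quoted value or start a new header.
$download_name = str_replace(array('"', '\\', "\r", "\n", "\0"), '', $pathinfo['basename']);

// Check that the file exists and lies within the content directory.
//
// Both sides are canonicalised so that symlinks, "." and ".." segments cannot
// make the two strings disagree, and the root is compared with a trailing
// separator so that a sibling directory sharing the same name prefix is not
// accepted. The original author noted that realpath() did not always return
// FALSE for a missing file, hence the separate is_file() test.
$real         = realpath($file);
$content_root = realpath(AT_CONTENT_DIR);

$inside_content_dir = false;
if ($real !== false && $content_root !== false) {
    $root_prefix = rtrim($content_root, '/\\') . DIRECTORY_SEPARATOR;
    $inside_content_dir = (strncmp($real, $root_prefix, strlen($root_prefix)) === 0);
}

if ($inside_content_dir && is_file($real)) {
    if ($force_download) {
        header('Content-Type: application/force-download');
        header('Content-transfer-encoding: binary');
        header('Content-Disposition: attachment; filename="' . $download_name . '"');
    } else {
        // NOTE(review): files are rendered inline with the type chosen above;
        // if course content can be uploaded by users, confirm that serving it
        // from this origin is intended.
        header('Content-Disposition: filename="' . $download_name . '"');
    }

    /**
     * although we can check if mod_xsendfile is installed in apache2
     * we can't actually check if it's enabled. also, we can't check if
     * it's enabled and installed in lighty, so instead we send the
     * header anyway, if it works then the line after it will not
     * execute. if it doesn't work, then the line after it will replace
     * it so that the full server path is not exposed.
     *
     * x-sendfile is supported in apache2 and lighttpd 1.5+ (previously
     * named x-send-file in lighttpd 1.4)
     *
     * NOTE(review): both header() calls below are unconditional, so the
     * second appears to replace the first on every request -- confirm
     * that X-Sendfile is ever honoured with this sequence.
     */
    header('x-Sendfile: ' . $real);
    header('x-Sendfile: ', true); // if we get here then it didn't work

    header('Content-Type: ' . $content_type);

    // Silenced on purpose: a warning written into the body would corrupt the
    // file being sent.
    @readfile($real);
    exit;
} else {
    header('HTTP/1.1 404 Not Found', true);
    exit;
}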