CRM/Core/Page/File.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | Copyright CiviCRM LLC. All rights reserved.                        |
   5  |                                                                    |
   6  | This work is published under the GNU AGPLv3 license with some      |
   7  | permitted exceptions and without any warranty. For full license    |
   8  | and copyright information, see https://civicrm.org/licensing       |
   9  +--------------------------------------------------------------------+
  10  */
  11
  12 /**
  13  *
  14  * @package CRM
  15  * @copyright CiviCRM LLC https://civicrm.org/licensing
  16  */
  17 class CRM_Core_Page_File extends CRM_Core_Page {
  18
  19   /**
  20    * Run page.
  21    */
  22   public function run() {
  23     $action = CRM_Utils_Request::retrieve('action', 'String', $this);
  24     $download = CRM_Utils_Request::retrieve('download', 'Integer', $this, FALSE, 1);
  25     $disposition = $download == 0 ? 'inline' : 'download';
  26
  27     // Entity ID (e.g. Contact ID)
  28     $entityId = CRM_Utils_Request::retrieve('eid', 'Positive', $this, FALSE);
  29     // Field ID
  30     $fieldId = CRM_Utils_Request::retrieve('fid', 'Positive', $this, FALSE);
  31     // File ID
  32     $fileId = CRM_Utils_Request::retrieve('id', 'Positive', $this, FALSE);
  33     $fileName = CRM_Utils_Request::retrieve('filename', 'String', $this, FALSE);
  34     if (empty($fileName) && (empty($entityId) || empty($fileId))) {
  35       CRM_Core_Error::statusBounce("Cannot access file: Must pass either \"Filename\" or the combination of \"Entity ID\" + \"File ID\"");
  36     }
  37
  38     if (empty($fileName)) {
  39       $hash = CRM_Utils_Request::retrieve('fcs', 'Alphanumeric', $this);
  40       if (!CRM_Core_BAO_File::validateFileHash($hash, $entityId, $fileId)) {
  41         CRM_Core_Error::statusBounce('URL for file is not valid');
  42       }
  43
  44       list($path, $mimeType) = CRM_Core_BAO_File::path($fileId, $entityId);
  45     }
  46     else {
  47       if (!CRM_Utils_File::isValidFileName($fileName)) {
  48         throw new CRM_Core_Exception("Malformed filename");
  49       }
  50       $mimeType = '';
  51       $path = CRM_Core_Config::singleton()->customFileUploadDir . $fileName;
  52     }
  53
  54     if (!$path) {
  55       CRM_Core_Error::statusBounce('Could not retrieve the file');
  56     }
  57
  58     if (empty($mimeType)) {
  59       $passedInMimeType = self::convertBadMimeAliasTypes(CRM_Utils_Request::retrieveValue('mime-type', 'String', $mimeType, FALSE));
  60       if (!in_array($passedInMimeType, explode(',', Civi::settings()->get('requestableMimeTypes')))) {
  61         throw new CRM_Core_Exception("Supplied mime-type is not accepted");
  62       }
  63       $extension = CRM_Utils_File::getExtensionFromPath($path);
  64       $candidateExtensions = CRM_Utils_File::getAcceptableExtensionsForMimeType($passedInMimeType);
  65       if (!in_array(strtolower($extension), array_map('strtolower', $candidateExtensions))) {
  66         throw new CRM_Core_Exception("Supplied mime-type does not match file extension");
  67       }
  68       // Now that we have validated mime-type supplied as much as possible lets now set the MimeType variable/
  69       $mimeType = $passedInMimeType;
  70     }
  71
  72     $buffer = file_get_contents($path);
  73     if (!$buffer) {
  74       CRM_Core_Error::statusBounce('The file is either empty or you do not have permission to retrieve the file');
  75     }
  76
  77     if ($action & CRM_Core_Action::DELETE) {
  78       if (CRM_Utils_Request::retrieve('confirmed', 'Boolean')) {
  79         CRM_Core_BAO_File::deleteFileReferences($fileId, $entityId, $fieldId);
  80         CRM_Core_Session::setStatus(ts('The attached file has been deleted.'), ts('Complete'), 'success');
  81
  82         $session = CRM_Core_Session::singleton();
  83         $toUrl = $session->popUserContext();
  84         CRM_Utils_System::redirect($toUrl);
  85       }
  86     }
  87     else {
  88       CRM_Utils_System::download(
  89         CRM_Utils_File::cleanFileName(basename($path)),
  90         $mimeType,
  91         $buffer,
  92         NULL,
  93         TRUE,
  94         $disposition
  95       );
  96     }
  97   }
  98
  99   /**
 100    * Translate one mime type to another.
 101    *
 102    * Certain non-standard/weird MIME types have been common. Unfortunately, because
 103    * of the way this controller is used, the weird types may baked-into URLs.
 104    * We clean these up for compatibility.
 105    *
 106    * @param string $type
 107    *   Ex: 'image/jpg'
 108    * @return string
 109    *   Ex: 'image/jpeg'.
 110    */
 111   protected static function convertBadMimeAliasTypes($type) {
 112     $badTypes = [
 113       // Before PNG format was ubiquitous, it was image/x-png?
 114       'image/x-png' => 'image/png',
 115
 116       // People see "image/gif" and "image/png" and wrongly guess "image/jpg"?
 117       'image/jpg' => 'image/jpeg',
 118       'image/tif' => 'image/tiff',
 119       'image/svg' => 'image/svg+xml',
 120
 121       // StackExchange attributes "pjpeg" to some quirk in an old version of IE?
 122       'image/pjpeg' => 'image/jpeg',
 123
 124     ];
 125     return $badTypes[$type] ?? $type;
 126   }
 127
 128 }