CRM/Core/Page/File.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | Copyright CiviCRM LLC. All rights reserved.                        |
   5  |                                                                    |
   6  | This work is published under the GNU AGPLv3 license with some      |
   7  | permitted exceptions and without any warranty. For full license    |
   8  | and copyright information, see https://civicrm.org/licensing       |
   9  +--------------------------------------------------------------------+
  10  */
  11
  12 /**
  13  *
  14  * @package CRM
  15  * @copyright CiviCRM LLC https://civicrm.org/licensing
  16  * $Id$
  17  *
  18  */
  19 class CRM_Core_Page_File extends CRM_Core_Page {
  20
  21   /**
  22    * Run page.
  23    */
  24   public function run() {
  25     $action = CRM_Utils_Request::retrieve('action', 'String', $this);
  26     $download = CRM_Utils_Request::retrieve('download', 'Integer', $this, FALSE, 1);
  27     $disposition = $download == 0 ? 'inline' : 'download';
  28
  29     // Entity ID (e.g. Contact ID)
  30     $entityId = CRM_Utils_Request::retrieve('eid', 'Positive', $this, FALSE);
  31     // Field ID
  32     $fieldId = CRM_Utils_Request::retrieve('fid', 'Positive', $this, FALSE);
  33     // File ID
  34     $fileId = CRM_Utils_Request::retrieve('id', 'Positive', $this, FALSE);
  35     $fileName = CRM_Utils_Request::retrieve('filename', 'String', $this, FALSE);
  36     if (empty($fileName) && (empty($entityId) || empty($fileId))) {
  37       CRM_Core_Error::statusBounce("Cannot access file: Must pass either \"Filename\" or the combination of \"Entity ID\" + \"File ID\"");
  38     }
  39
  40     if (empty($fileName)) {
  41       $hash = CRM_Utils_Request::retrieve('fcs', 'Alphanumeric', $this);
  42       if (!CRM_Core_BAO_File::validateFileHash($hash, $entityId, $fileId)) {
  43         CRM_Core_Error::statusBounce('URL for file is not valid');
  44       }
  45
  46       list($path, $mimeType) = CRM_Core_BAO_File::path($fileId, $entityId);
  47     }
  48     else {
  49       if (!CRM_Utils_File::isValidFileName($fileName)) {
  50         throw new CRM_Core_Exception("Malformed filename");
  51       }
  52       $mimeType = '';
  53       $path = CRM_Core_Config::singleton()->customFileUploadDir . $fileName;
  54     }
  55
  56     if (!$path) {
  57       CRM_Core_Error::statusBounce('Could not retrieve the file');
  58     }
  59
  60     if (empty($mimeType)) {
  61       $passedInMimeType = self::convertBadMimeAliasTypes(CRM_Utils_Request::retrieveValue('mime-type', 'String', $mimeType, FALSE));
  62       if (!in_array($passedInMimeType, explode(',', Civi::settings()->get('requestableMimeTypes')))) {
  63         throw new CRM_Core_Exception("Supplied mime-type is not accepted");
  64       }
  65       $extension = CRM_Utils_File::getExtensionFromPath($path);
  66       $candidateExtensions = CRM_Utils_File::getAcceptableExtensionsForMimeType($passedInMimeType);
  67       if (!in_array(strtolower($extension), array_map('strtolower', $candidateExtensions))) {
  68         throw new CRM_Core_Exception("Supplied mime-type does not match file extension");
  69       }
  70       // Now that we have validated mime-type supplied as much as possible lets now set the MimeType variable/
  71       $mimeType = $passedInMimeType;
  72     }
  73
  74     $buffer = file_get_contents($path);
  75     if (!$buffer) {
  76       CRM_Core_Error::statusBounce('The file is either empty or you do not have permission to retrieve the file');
  77     }
  78
  79     if ($action & CRM_Core_Action::DELETE) {
  80       if (CRM_Utils_Request::retrieve('confirmed', 'Boolean')) {
  81         CRM_Core_BAO_File::deleteFileReferences($fileId, $entityId, $fieldId);
  82         CRM_Core_Session::setStatus(ts('The attached file has been deleted.'), ts('Complete'), 'success');
  83
  84         $session = CRM_Core_Session::singleton();
  85         $toUrl = $session->popUserContext();
  86         CRM_Utils_System::redirect($toUrl);
  87       }
  88     }
  89     else {
  90       CRM_Utils_System::download(
  91         CRM_Utils_File::cleanFileName(basename($path)),
  92         $mimeType,
  93         $buffer,
  94         NULL,
  95         TRUE,
  96         $disposition
  97       );
  98     }
  99   }
 100
 101   /**
 102    * Translate one mime type to another.
 103    *
 104    * Certain non-standard/weird MIME types have been common. Unfortunately, because
 105    * of the way this controller is used, the weird types may baked-into URLs.
 106    * We clean these up for compatibility.
 107    *
 108    * @param string $type
 109    *   Ex: 'image/jpg'
 110    * @return string
 111    *   Ex: 'image/jpeg'.
 112    */
 113   protected static function convertBadMimeAliasTypes($type) {
 114     $badTypes = [
 115       // Before PNG format was ubiquitous, it was image/x-png?
 116       'image/x-png' => 'image/png',
 117
 118       // People see "image/gif" and "image/png" and wrongly guess "image/jpg"?
 119       'image/jpg' => 'image/jpeg',
 120       'image/tif' => 'image/tiff',
 121       'image/svg' => 'image/svg+xml',
 122
 123       // StackExchange attributes "pjpeg" to some quirk in an old version of IE?
 124       'image/pjpeg' => 'image/jpeg',
 125
 126     ];
 127     return $badTypes[$type] ?? $type;
 128   }
 129
 130 }