1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
<?php
/**
* Functions related to the output of file content.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
*/
/**
* Functions related to the output of file content
*/
class StreamFile {
// Do not send any HTTP headers unless requested by caller (e.g. body only)
const STREAM_HEADLESS = HTTPFileStreamer::STREAM_HEADLESS;
// Do not try to tear down any PHP output buffers
const STREAM_ALLOW_OB = HTTPFileStreamer::STREAM_ALLOW_OB;
/**
* Stream a file to the browser, adding all the headings and fun stuff.
* Headers sent include: Content-type, Content-Length, Last-Modified,
* and Content-Disposition.
*
* @param string $fname Full name and path of the file to stream
* @param array $headers Any additional headers to send if the file exists
* @param bool $sendErrors Send error messages if errors occur (like 404)
* @param array $optHeaders HTTP request header map (e.g. "range") (use lowercase keys)
* @param int $flags Bitfield of STREAM_* constants
* @throws MWException
* @return bool Success
*/
public static function stream(
$fname, $headers = [], $sendErrors = true, $optHeaders = [], $flags = 0
) {
if ( FileBackend::isStoragePath( $fname ) ) { // sanity
throw new InvalidArgumentException( __FUNCTION__ . " given storage path '$fname'." );
}
$streamer = new HTTPFileStreamer(
$fname,
[
'obResetFunc' => 'wfResetOutputBuffers',
'streamMimeFunc' => [ __CLASS__, 'contentTypeFromPath' ]
]
);
return $streamer->stream( $headers, $sendErrors, $optHeaders, $flags );
}
/**
* Send out a standard 404 message for a file
*
* @param string $fname Full name and path of the file to stream
* @param int $flags Bitfield of STREAM_* constants
* @since 1.24
*/
public static function send404Message( $fname, $flags = 0 ) {
HTTPFileStreamer::send404Message( $fname, $flags );
}
/**
* Convert a Range header value to an absolute (start, end) range tuple
*
* @param string $range Range header value
* @param int $size File size
* @return array|string Returns error string on failure (start, end, length)
* @since 1.24
*/
public static function parseRange( $range, $size ) {
return HTTPFileStreamer::parseRange( $range, $size );
}
/**
* Determine the file type of a file based on the path
*
* @param string $filename Storage path or file system path
* @param bool $safe Whether to do retroactive upload blacklist checks
* @return null|string
*/
public static function contentTypeFromPath( $filename, $safe = true ) {
global $wgTrivialMimeDetection;
$ext = strrchr( $filename, '.' );
$ext = $ext === false ? '' : strtolower( substr( $ext, 1 ) );
# trivial detection by file extension,
# used for thumbnails (thumb.php)
if ( $wgTrivialMimeDetection ) {
switch ( $ext ) {
case 'gif':
return 'image/gif';
case 'png':
return 'image/png';
case 'jpg':
return 'image/jpeg';
case 'jpeg':
return 'image/jpeg';
}
return 'unknown/unknown';
}
$magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer();
// Use the extension only, rather than magic numbers, to avoid opening
// up vulnerabilities due to uploads of files with allowed extensions
// but disallowed types.
$type = $magic->guessTypesForExtension( $ext );
/**
* Double-check some security settings that were done on upload but might
* have changed since.
*/
if ( $safe ) {
global $wgFileBlacklist, $wgCheckFileExtensions, $wgStrictFileExtensions,
$wgFileExtensions, $wgVerifyMimeType, $wgMimeTypeBlacklist;
list( , $extList ) = UploadBase::splitExtensions( $filename );
if ( UploadBase::checkFileExtensionList( $extList, $wgFileBlacklist ) ) {
return 'unknown/unknown';
}
if ( $wgCheckFileExtensions && $wgStrictFileExtensions
&& !UploadBase::checkFileExtensionList( $extList, $wgFileExtensions )
) {
return 'unknown/unknown';
}
if ( $wgVerifyMimeType && in_array( strtolower( $type ), $wgMimeTypeBlacklist ) ) {
return 'unknown/unknown';
}
}
return $type;
}
}
|
