nextcloud/apps/files_sharing/ajax/publicpreview.php

<?php
/**
 * @copyright Copyright (c) 2016, ownCloud, Inc.
 *
 * @author Björn Schießle <bjoern@schiessle.org>
 * @author Georg Ehrke <georg@owncloud.com>
 * @author Lukas Reschke <lukas@statuscode.ch>
 * @author Morris Jobke <hey@morrisjobke.de>
 * @author Roeland Jago Douma <roeland@famdouma.nl>
 * @author Thomas Müller <thomas.mueller@tmit.eu>
 *
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 *
 */

OCP\JSON::checkAppEnabled('files_sharing');

\OC_User::setIncognitoMode(true);

$file = array_key_exists('file', $_GET) ? (string) $_GET['file'] : '';
$maxX = array_key_exists('x', $_GET) ? (int) $_GET['x'] : '32';
$maxY = array_key_exists('y', $_GET) ? (int) $_GET['y'] : '32';
$scalingUp = array_key_exists('scalingup', $_GET) ? (bool) $_GET['scalingup'] : true;
$token = array_key_exists('t', $_GET) ? (string) $_GET['t'] : '';
$keepAspect = array_key_exists('a', $_GET) ? true : false;

if($token === ''){
	\OC_Response::setStatus(\OC_Response::STATUS_BAD_REQUEST);
	\OCP\Util::writeLog('core-preview', 'No token parameter was passed', \OCP\Util::DEBUG);
	exit;
}

$linkedItem = \OCP\Share::getShareByToken($token);
$shareManager = \OC::$server->getShareManager();
$share = $shareManager->getShareByToken($token);
if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
	OCP\JSON::error(array('data' => 'Share is not readable.'));
	exit();
}

if($linkedItem === false || ($linkedItem['item_type'] !== 'file' && $linkedItem['item_type'] !== 'folder')) {
	\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);
	\OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
	exit;
}

if(!isset($linkedItem['uid_owner']) || !isset($linkedItem['file_source'])) {
	\OC_Response::setStatus(\OC_Response::STATUS_INTERNAL_SERVER_ERROR);
	\OCP\Util::writeLog('core-preview', 'Passed token seems to be valid, but it does not contain all necessary information . ("' . $token . '")', \OCP\Util::WARN);
	exit;
}

$rootLinkItem = OCP\Share::resolveReShare($linkedItem);
$userId = $rootLinkItem['uid_owner'];

OCP\JSON::checkUserExists($rootLinkItem['uid_owner']);
\OC_Util::setupFS($userId);
\OC\Files\Filesystem::initMountPoints($userId);
$view = new \OC\Files\View('/' . $userId . '/files');

$pathId = $linkedItem['file_source'];
$path = $view->getPath($pathId);

if($path === null) {
	\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);
	\OCP\Util::writeLog('core-preview', 'Could not resolve file for shared item', \OCP\Util::WARN);
	exit;
}

$pathInfo = $view->getFileInfo($path);
$sharedFile = null;

if($linkedItem['item_type'] === 'folder') {
	$isValid = \OC\Files\Filesystem::isValidPath($file);
	if(!$isValid) {
		\OC_Response::setStatus(\OC_Response::STATUS_BAD_REQUEST);
		\OCP\Util::writeLog('core-preview', 'Passed filename is not valid, might be malicious (file:"' . $file . '";ip:"' . \OC::$server->getRequest()->getRemoteAddress() . '")', \OCP\Util::WARN);
		exit;
	}
	$sharedFile = \OC\Files\Filesystem::normalizePath($file);
}

if($linkedItem['item_type'] === 'file') {
	$parent = $pathInfo['parent'];
	$path = $view->getPath($parent);
	$sharedFile = $pathInfo['name'];
}

$path = \OC\Files\Filesystem::normalizePath($path, false);
if(substr($path, 0, 1) === '/') {
	$path = substr($path, 1);
}

if($maxX === 0 || $maxY === 0) {
	\OC_Response::setStatus(\OC_Response::STATUS_BAD_REQUEST);
	\OCP\Util::writeLog('core-preview', 'x and/or y set to 0', \OCP\Util::DEBUG);
	exit;
}

$root = 'files/' . $path;

try{
	$preview = new \OC\Preview($userId, $root);
	$preview->setFile($sharedFile);
	$preview->setMaxX($maxX);
	$preview->setMaxY($maxY);
	$preview->setScalingUp($scalingUp);
	$preview->setKeepAspect($keepAspect);

	$preview->showPreview();
} catch (\Exception $e) {
	\OC_Response::setStatus(\OC_Response::STATUS_INTERNAL_SERVER_ERROR);
	\OCP\Util::writeLog('core', $e->getmessage(), \OCP\Util::DEBUG);
}
style fixes 2013-07-30 14:29:12 +04:00			`<?php`
			`/**`
Fix apps/ 2016-07-21 17:49:16 +03:00			`* @copyright Copyright (c) 2016, ownCloud, Inc.`
			`*`
Update license headers 2016-05-26 20:56:05 +03:00			`* @author Björn Schießle <bjoern@schiessle.org>`
Update license headers 2015-03-26 13:44:34 +03:00			`* @author Georg Ehrke <georg@owncloud.com>`
Update license headers 2016-05-26 20:56:05 +03:00			`* @author Lukas Reschke <lukas@statuscode.ch>`
Update license headers 2015-03-26 13:44:34 +03:00			`* @author Morris Jobke <hey@morrisjobke.de>`
Fix apps/ 2016-07-21 17:49:16 +03:00			`* @author Roeland Jago Douma <roeland@famdouma.nl>`
Update license headers 2015-03-26 13:44:34 +03:00			`* @author Thomas Müller <thomas.mueller@tmit.eu>`
			`*`
			`* @license AGPL-3.0`
			`*`
			`* This code is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License, version 3,`
			`* as published by the Free Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License, version 3,`
			`* along with this program. If not, see <http://www.gnu.org/licenses/>`
			`*`
style fixes 2013-07-30 14:29:12 +04:00			`*/`
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36. 2015-02-26 13:37:37 +03:00
Cleanup code a little bit - Use OCP\Response constants instead of the HTTP error code - Use checkAppEnabled() instead of OC_App::isEnabled with an if statement - Remove uneeded variable $baseURL - Rename $isvalid to $isValid 2014-05-04 17:51:08 +04:00			`OCP\JSON::checkAppEnabled('files_sharing');`
style fixes 2013-07-30 14:29:12 +04:00
fix public preview creation if a user ios logged in 2013-11-27 21:35:52 +04:00			`\OC_User::setIncognitoMode(true);`

don't urldecode get var, php does this automatically 2014-01-11 14:51:28 +04:00			`$file = array_key_exists('file', $_GET) ? (string) $_GET['file'] : '';`
Change small thumbnails to 32 px * fixes #16913 * fixes issues in IE8 where the thumbnail is too big 2015-09-30 11:49:48 +03:00			`$maxX = array_key_exists('x', $_GET) ? (int) $_GET['x'] : '32';`
			`$maxY = array_key_exists('y', $_GET) ? (int) $_GET['y'] : '32';`
style fixes 2013-07-30 14:29:12 +04:00			`$scalingUp = array_key_exists('scalingup', $_GET) ? (bool) $_GET['scalingup'] : true;`
			`$token = array_key_exists('t', $_GET) ? (string) $_GET['t'] : '';`
Images on public sharing get downscaled to increase use experience - this will speed up loading time - adding keep aspect to core/ajax/preview.php - remove duplicate method Preview::show() - no more hard coded mimetype of preview - remove .png from the preview urls - keep old route preview.png for backwards compatibility - aspect preserving previews are now cached 2014-04-29 19:07:10 +04:00			`$keepAspect = array_key_exists('a', $_GET) ? true : false;`
style fixes 2013-07-30 14:29:12 +04:00
			`if($token === ''){`
Cleanup code a little bit - Use OCP\Response constants instead of the HTTP error code - Use checkAppEnabled() instead of OC_App::isEnabled with an if statement - Remove uneeded variable $baseURL - Rename $isvalid to $isValid 2014-05-04 17:51:08 +04:00			`\OC_Response::setStatus(\OC_Response::STATUS_BAD_REQUEST);`
Move core apps from OC_Log::write to OCP\Util 2015-04-09 13:36:10 +03:00			`\OCP\Util::writeLog('core-preview', 'No token parameter was passed', \OCP\Util::DEBUG);`
style fixes 2013-07-30 14:29:12 +04:00			`exit;`
			`}`

			`$linkedItem = \OCP\Share::getShareByToken($token);`
Prevent access to shareinfo if share if read-only 2016-06-08 16:38:11 +03:00			`$shareManager = \OC::$server->getShareManager();`
			`$share = $shareManager->getShareByToken($token);`
			`if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {`
			`OCP\JSON::error(array('data' => 'Share is not readable.'));`
			`exit();`
			`}`

style fixes 2013-07-30 14:29:12 +04:00			`if($linkedItem === false \|\| ($linkedItem['item_type'] !== 'file' && $linkedItem['item_type'] !== 'folder')) {`
Cleanup code a little bit - Use OCP\Response constants instead of the HTTP error code - Use checkAppEnabled() instead of OC_App::isEnabled with an if statement - Remove uneeded variable $baseURL - Rename $isvalid to $isValid 2014-05-04 17:51:08 +04:00			`\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);`
Move core apps from OC_Log::write to OCP\Util 2015-04-09 13:36:10 +03:00			`\OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);`
style fixes 2013-07-30 14:29:12 +04:00			`exit;`
			`}`

			`if(!isset($linkedItem['uid_owner']) \|\| !isset($linkedItem['file_source'])) {`
Cleanup code a little bit - Use OCP\Response constants instead of the HTTP error code - Use checkAppEnabled() instead of OC_App::isEnabled with an if statement - Remove uneeded variable $baseURL - Rename $isvalid to $isValid 2014-05-04 17:51:08 +04:00			`\OC_Response::setStatus(\OC_Response::STATUS_INTERNAL_SERVER_ERROR);`
Move core apps from OC_Log::write to OCP\Util 2015-04-09 13:36:10 +03:00			`\OCP\Util::writeLog('core-preview', 'Passed token seems to be valid, but it does not contain all necessary information . ("' . $token . '")', \OCP\Util::WARN);`
style fixes 2013-07-30 14:29:12 +04:00			`exit;`
			`}`

fix preview for reshared file 2013-12-22 23:27:38 +04:00			`$rootLinkItem = OCP\Share::resolveReShare($linkedItem);`
			`$userId = $rootLinkItem['uid_owner'];`

OC_Util::setupFS($user) will create a data dir for the given string - no matter if the user really exists - OCP\JSON::checkUserExists($owner); introduces a ready to use check which will bail out with an JSON error 2014-01-21 14:32:30 +04:00			`OCP\JSON::checkUserExists($rootLinkItem['uid_owner']);`
style fixes 2013-07-30 14:29:12 +04:00			`\OC_Util::setupFS($userId);`
fix public preview creation if a user ios logged in 2013-11-27 21:35:52 +04:00			`\OC\Files\Filesystem::initMountPoints($userId);`
			`$view = new \OC\Files\View('/' . $userId . '/files');`
style fixes 2013-07-30 14:29:12 +04:00
			`$pathId = $linkedItem['file_source'];`
fix public preview creation if a user ios logged in 2013-11-27 21:35:52 +04:00			`$path = $view->getPath($pathId);`
Verify if path exists We need to verify if the specified path exists to gracefully prevent errors. 2015-06-17 16:06:50 +03:00
			`if($path === null) {`
Throw nicer error message instead 500 2015-06-17 16:36:54 +03:00			`\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);`
Remove OC_Log 2015-07-03 15:06:40 +03:00			`\OCP\Util::writeLog('core-preview', 'Could not resolve file for shared item', \OCP\Util::WARN);`
Throw nicer error message instead 500 2015-06-17 16:36:54 +03:00			`exit;`
Verify if path exists We need to verify if the specified path exists to gracefully prevent errors. 2015-06-17 16:06:50 +03:00			`}`

fix public preview creation if a user ios logged in 2013-11-27 21:35:52 +04:00			`$pathInfo = $view->getFileInfo($path);`
style fixes 2013-07-30 14:29:12 +04:00			`$sharedFile = null;`

			`if($linkedItem['item_type'] === 'folder') {`
Cleanup code a little bit - Use OCP\Response constants instead of the HTTP error code - Use checkAppEnabled() instead of OC_App::isEnabled with an if statement - Remove uneeded variable $baseURL - Rename $isvalid to $isValid 2014-05-04 17:51:08 +04:00			`$isValid = \OC\Files\Filesystem::isValidPath($file);`
			`if(!$isValid) {`
			`\OC_Response::setStatus(\OC_Response::STATUS_BAD_REQUEST);`
Move core apps from OC_Log::write to OCP\Util 2015-04-09 13:36:10 +03:00			`\OCP\Util::writeLog('core-preview', 'Passed filename is not valid, might be malicious (file:"' . $file . '";ip:"' . \OC::$server->getRequest()->getRemoteAddress() . '")', \OCP\Util::WARN);`
style fixes 2013-07-30 14:29:12 +04:00			`exit;`
			`}`
			`$sharedFile = \OC\Files\Filesystem::normalizePath($file);`
			`}`

			`if($linkedItem['item_type'] === 'file') {`
			`$parent = $pathInfo['parent'];`
fix public preview creation if a user ios logged in 2013-11-27 21:35:52 +04:00			`$path = $view->getPath($parent);`
style fixes 2013-07-30 14:29:12 +04:00			`$sharedFile = $pathInfo['name'];`
			`}`

			`$path = \OC\Files\Filesystem::normalizePath($path, false);`
			`if(substr($path, 0, 1) === '/') {`
			`$path = substr($path, 1);`
			`}`

			`if($maxX === 0 \|\| $maxY === 0) {`
Cleanup code a little bit - Use OCP\Response constants instead of the HTTP error code - Use checkAppEnabled() instead of OC_App::isEnabled with an if statement - Remove uneeded variable $baseURL - Rename $isvalid to $isValid 2014-05-04 17:51:08 +04:00			`\OC_Response::setStatus(\OC_Response::STATUS_BAD_REQUEST);`
Move core apps from OC_Log::write to OCP\Util 2015-04-09 13:36:10 +03:00			`\OCP\Util::writeLog('core-preview', 'x and/or y set to 0', \OCP\Util::DEBUG);`
style fixes 2013-07-30 14:29:12 +04:00			`exit;`
			`}`

			`$root = 'files/' . $path;`

			`try{`
			`$preview = new \OC\Preview($userId, $root);`
			`$preview->setFile($sharedFile);`
			`$preview->setMaxX($maxX);`
			`$preview->setMaxY($maxY);`
			`$preview->setScalingUp($scalingUp);`
Images on public sharing get downscaled to increase use experience - this will speed up loading time - adding keep aspect to core/ajax/preview.php - remove duplicate method Preview::show() - no more hard coded mimetype of preview - remove .png from the preview urls - keep old route preview.png for backwards compatibility - aspect preserving previews are now cached 2014-04-29 19:07:10 +04:00			`$preview->setKeepAspect($keepAspect);`
style fixes 2013-07-30 14:29:12 +04:00
Images on public sharing get downscaled to increase use experience - this will speed up loading time - adding keep aspect to core/ajax/preview.php - remove duplicate method Preview::show() - no more hard coded mimetype of preview - remove .png from the preview urls - keep old route preview.png for backwards compatibility - aspect preserving previews are now cached 2014-04-29 19:07:10 +04:00			`$preview->showPreview();`
fix code style of try catch blocks 2013-07-30 15:43:15 +04:00			`} catch (\Exception $e) {`
Cleanup code a little bit - Use OCP\Response constants instead of the HTTP error code - Use checkAppEnabled() instead of OC_App::isEnabled with an if statement - Remove uneeded variable $baseURL - Rename $isvalid to $isValid 2014-05-04 17:51:08 +04:00			`\OC_Response::setStatus(\OC_Response::STATUS_INTERNAL_SERVER_ERROR);`
Move core apps from OC_Log::write to OCP\Util 2015-04-09 13:36:10 +03:00			`\OCP\Util::writeLog('core', $e->getmessage(), \OCP\Util::DEBUG);`
OC_Util::setupFS($user) will create a data dir for the given string - no matter if the user really exists - OCP\JSON::checkUserExists($owner); introduces a ready to use check which will bail out with an JSON error 2014-01-21 14:32:30 +04:00			`}`