We have to end the processing when a file is not found or otherwise the method is proceeding and even sending invalid file paths to the sendfile methods.
Due to nginx preventing directory traversals this is luckily not immediately exploitable. We should for hardening purposes however quit the script execution just as we do for 403 cases and others as well.
Do not send Content-Length headers with a value larger than PHP_INT_MAX
(2147483647) on Apache PHP SAPI 32-bit. PHP will eat them and send 2147483647
instead.
When X-Sendfile is enabled, Apache will send a correct Content-Length header,
even for files larger than 2147483647 bytes. When X-Sendfile is not enabled,
ownCloud will not send a Content-Length header. This prevents progress bars
from working, but allows the actual transfer to work properly.
Due to our CSP policy this link won’t work as it it considered as
inline Javascript.
This commit replaces the link with a static link to the files app.
Reimplementation of #8067 - fixes#7742
When detecting whether the file to be downloaded is on external storage,
the correct path needs to be used.
It turns out that \OC\Files\View is needed to resolve the path correctly
relative to the user's home.
- When all files are selected, do not send the whole file list
- Download will trigger download for the parent folder, also works
with root
- Delete will send "allfiles" to the server that will find the file
list or the passed directory by itself
Added isLocal() method to Storage to find out whether the storage is
local or not.
This method is used for the x-sendfile logic to find out whether to add
the headers.
cleaned up get() logic
fixed get() to only send headers if requested (xsendfile could get in the way)
do no longer readfile() when already using mod_xsendfile or similar
Added new OC\Response API called setContentDispositionHeader() that
contains the needed workarounds for UTF8 and IE.
Refactored download code to use the new API.
Removed unused trashbin download file.
Until now, addSendfileHeader() was called even when no x-send-file
headers were set. Even though the method itself doesn't do anything,
a call to getLocalFile() was done and would trigger a full download
when using external storage.
Additionally, the storage resolution code is wrong and always
returns the local storage of the root filesystem, which caused the code to
be run anyway.
This commit fixes both issues.
Thomas Müller
Lukas Reschke
Morris Jobke
Vincent Petry
Bjoern Schiessle
Robin McCorkell
Andreas Fischer
Jenkins for ownCloud
dratini0
Joas Schilling
Morris Jobke
Lukas Reschke
josh4trunks
Fabian Henze
Scrutinizer Auto-Fixer
Jörn Friedrich Dreyer
Nicolai Ehemann
Bart Visscher