From e009b1e84dcbcc83f39652695eb86c6e64cc6a11 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 26 Mar 2014 03:07:06 +0100
Subject: Now conform to HTTP/1.1. Also integrated func_download.

---
 blob/nginx_rewrite_rules        |  5 ++++-
 www/constants.php               |  4 ++++
 www/functions/func_delete.php   |  2 +-
 www/functions/func_download.php | 26 +++++++++++++++++++-------
 www/functions/func_invite.php   |  4 ++--
 www/functions/func_rewrite.php  |  2 +-
 www/include.php                 |  8 ++++++++
 www/index.php                   | 40 ++++++++++++++++++++++++++++++++--------
 www/setup.php                   |  2 +-
 9 files changed, 72 insertions(+), 21 deletions(-)

diff --git a/blob/nginx_rewrite_rules b/blob/nginx_rewrite_rules
index 1d6973d..34a4f20 100755
--- a/blob/nginx_rewrite_rules
+++ b/blob/nginx_rewrite_rules
@@ -24,11 +24,14 @@ location ~* ^/?invite/?(\?[0-9a-zA-Z]+(=[0-9a-zA-Z]*)?)?$ {
 	rewrite ^/?invite(\?[0-9a-zA-Z]*(=[0-9a-zA-Z]*)?)?	/index.php?task=invite&arguments=$1	last;
 }
 
-
 location ~* ^/?user/?(\?[0-9a-zA-Z]+(=[0-9a-zA-Z]*)?)?$ {
         rewrite ^/?user(\?[0-9a-zA-Z]*(=[0-9a-zA-Z]*)?)?	/index.php?task=user&arguments=$1     	last;
 }
 
+location ~* ^/?download/?(\?[0-9a-zA-Z]+(=[0-9a-zA-Z]*)?)?$ {
+        rewrite ^/?download(\?[0-9a-zA-Z]*(=[0-9a-zA-Z]*)?)?	/index.php?task=download&arguments=$1    last;
+}
+
 #location ~* \.php(\?[0-9a-zA-Z]+(=[0-9a-zA-Z]*)?)?$ {}		#empty block to catch all
 
 location / {
diff --git a/www/constants.php b/www/constants.php
index 9e0514b..15db956 100644
--- a/www/constants.php
+++ b/www/constants.php
@@ -71,3 +71,7 @@ define("DELETE_FOLDER_NOT_EMPTY", 55);
 define("FOLDER_NOT_PUBLIC", 56);
 define("FILE_NOT_FOUND", 57);
 define("EMPTY_FOLDER", 58);
+
+define("DOWNLOAD_FALSE_ID", 59);
+define("DOWNLOAD_NOT_FILE", 60);
+define("DOWNLOAD_PRIVATE_FILE", 61);
diff --git a/www/functions/func_delete.php b/www/functions/func_delete.php
index a79cd36..17da1c4 100644
--- a/www/functions/func_delete.php
+++ b/www/functions/func_delete.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
-	expected state: tested; but broken
+	expected state: tested?; but broken
 */
 
 function delete_file($user, $path){
diff --git a/www/functions/func_download.php b/www/functions/func_download.php
index 5770da4..e3e36aa 100644
--- a/www/functions/func_download.php
+++ b/www/functions/func_download.php
@@ -1,8 +1,7 @@
 <?php
 
 /*
-	Expected state: tested, but broken.
-	Works if you are loged in, fatal error if not.
+	Expected state: tested, should work.
 */
 
 function check_if_file($db, $name, $folder_path){
@@ -63,11 +62,21 @@ function start_file_download($user, $path){
 }
 
 function check_file_hash($db, $file_id, $download_hash){
-	$check_hash_db = $db->query("SELECT share FROM files WHERE id=" . SQLite3::escapeString($file_id).";");
+	if(preg_match("/[^0-9]/", $file_id)){
+		return DOWNLOAD_FALSE_ID;
+	}
+
+	$check_hash_db = $db->query("SELECT folder, share FROM files WHERE id=" . SQLite3::escapeString($file_id).";");
 	$check_hash_ar = $check_hash_db->fetchArray(SQLITE3_NUM);
 
-	if(($check_hash_ar[0] != "PUBLIC") || ($check_hash_ar[0] != $download_hash)){
-		return false;
+	if($check_hash_ar[0] != "FILE"){
+		return DOWNLOAD_NOT_FILE;
+	}
+
+	if($check_hash_ar[1] != "PUBLIC"){
+		if($check_hash_ar[0] != $download_hash){
+			return DOWNLOAD_PRIVATE_FILE;
+		}
 	}
 
 	if(!download_file($db, $file_id)){
@@ -80,12 +89,13 @@ function check_file_hash($db, $file_id, $download_hash){
 
 function download_file($db, $file_id){
 
-	$file_db = $db->query("SELECT name, mime, hash FROM files WHERE id=". SQLite3::escapeString($file_id).";");
+	$file_db = $db->query("SELECT name, mime, size, hash FROM files WHERE id=". SQLite3::escapeString($file_id).";");
 	$file_ar = $file_db->fetchArray(SQLITE3_NUM);
 
 	$file_name = $file_ar[0];
 	$file_mime = $file_ar[1];
-	$file_hash = $file_ar[2];
+	$file_size = $file_ar[2];
+	$file_hash = $file_ar[3];
 
 	$uploaddir = "../files/";
 	$gzip_file = $uploaddir . $file_hash . ".gz";
@@ -94,6 +104,8 @@ function download_file($db, $file_id){
 
 	header("Content-Type: ".$file_mime);
 	header("Content-Disposition: attachment; filename=\"".$file_name."\"");
+	header("Content-Length: ".$file_size);
+	set_time_limit(0);
 	$uncompressed_file = readgzfile($gzip_file);
 
 	if($uncompressed_file){
diff --git a/www/functions/func_invite.php b/www/functions/func_invite.php
index b37ea09..00a678d 100755
--- a/www/functions/func_invite.php
+++ b/www/functions/func_invite.php
@@ -34,13 +34,13 @@ function invite($db){
                 $key = "$key".$key_array[$index];
          }   
 
-         $id_db = $db->query("SELECT id FROM USER WHERE name=' " . $safe_name . "';");
+         $id_db = $db->query("SELECT id FROM USER WHERE name='" . $safe_name . "';");
          $id_ar = $id_db->fetchArray(SQLITE3_NUM);
          $id = $id_ar[0];
 
         /*Generates the new user and decrease the invites*/
 
-         $invite = $invite - 1;
+         $invite = $invite-1;
 
          if($db->exec("
          	BEGIN TRANSACTION;
diff --git a/www/functions/func_rewrite.php b/www/functions/func_rewrite.php
index a58c7f9..d9f694d 100755
--- a/www/functions/func_rewrite.php
+++ b/www/functions/func_rewrite.php
@@ -16,7 +16,7 @@ function rewrite($db){
 		}
 
                 if($_SESSION["login"]){
-                        header("Refresh: 0; /" . $_SESSION['username'] . "/" . $_GET["name"] . "/" . $folder . "");
+                        header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/" . $_SESSION['username'] . "/" . $_GET["name"] . "/" . $folder . "");
                 }
 
 		return false;
diff --git a/www/include.php b/www/include.php
index 94eaba9..aa90993 100755
--- a/www/include.php
+++ b/www/include.php
@@ -1,5 +1,13 @@
 <?php
 
+$scheme="http://";
+
+if(isset($_SERVER["HTTPS"])){
+	if($_SERVER["HTTPS"] == "on"){
+		$scheme="https://";
+	}
+}
+
 require_once("constants.php");
 
 $func_dir = "functions/";
diff --git a/www/index.php b/www/index.php
index ad7eb7d..4b09452 100755
--- a/www/index.php
+++ b/www/index.php
@@ -13,7 +13,7 @@ if(empty($_GET)){
 	if(!$_SESSION["login"]){
 		print_login(constant("EMPTY"));
 	} else {
-		header("Refresh: 0; /" . $_SESSION["username"]);
+		header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/" . $_SESSION["username"]);
 		exit;
 	}
 } else {
@@ -26,13 +26,18 @@ if(empty($_GET)){
 				if($_SERVER['REQUEST_METHOD'] == 'POST'){
 					$var = login($db);
 					if($var == LOGIN_SUCCESSFULL){
-						header("Refresh: 0; /".$_SESSION["username"]);
+						header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/".$_SESSION["username"]);
 						//account($db);
 					} else {
 						print_login($var);
 					}
 				} else {
-					print_login(constant("EMPTY"));
+					if(!$_SESSION["login"]){
+						print_login(constant("EMPTY"));
+					} else {
+						header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/" . $_SESSION["username"]);
+						exit;
+					}
 				}
 				break;
 
@@ -41,7 +46,7 @@ if(empty($_GET)){
 				if($var == LOGOUT_SUCCESSFULL){
 					print_login($var);
 				} else {
-					header("Refresh: 0; /httperror.php?e=500");
+					header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/httperror.php?e=500");
 				}
 				break;
 
@@ -53,7 +58,7 @@ if(empty($_GET)){
 				if($_SERVER['REQUEST_METHOD'] == 'POST'){
 					$var = invite($db);
 					if($var == INVITE_SUCCESSFULL){
-						header("Refresh: 0; /"); //TODO Direct link to the file browser.
+						header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/"); //TODO Direct link to the file browser.
 					} else {
 						print_invite($var);
 					}
@@ -63,6 +68,11 @@ if(empty($_GET)){
 				break;
 
 			case("register"):
+				if($_SESSION["login"]){
+					header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/" . $_SESSION["username"]);
+					exit;
+				}
+
 				if($_SERVER['REQUEST_METHOD'] == 'POST'){
 					$var = register($db);
 					if($var == REGISTER_SUCCESSFULL){
@@ -75,10 +85,24 @@ if(empty($_GET)){
 				}
 				break;
 
-/*			case("download"):	//not implemented yet
-				download();
+			case("download"):	//not implemented yet
+				if(!isset($_GET["hash"])){
+					$download_hash = "";
+				} else {
+					$download_hash = $_GET["hash"];
+				}
+				$var = check_file_hash($db, $_GET["id"], $download_hash);
+				if($var == DOWNLOAD_NOT_FILE){
+					get_404("/", "File id: ".$_GET['id']);
+				} elseif ($var == DOWNLOAD_PRIVATE_FILE){
+					$_GET["e"]="401";
+					include("httperror.php");
+				} elseif($var == DOWNLOAD_FALSE_ID){
+					$_GET["e"]="403";
+					include("httperror.php");
+				}
 				break;
-*/
+
 			case("user"):
 				account($db);
 				break;
diff --git a/www/setup.php b/www/setup.php
index 423e0f1..a841ad4 100755
--- a/www/setup.php
+++ b/www/setup.php
@@ -65,7 +65,7 @@ if($bool){
 		$_SESSION["userid"] = 1;
 
 		echo "Success! You will redirected any moment.";
-		header("Refresh: 2; /admin");
+		header("Refresh: 2; ".$scheme.$_SERVER["HTTP_HOST"]."/admin");
 	} else {
 		echo "Failure! :( <br>";
 		echo "Your password: ".$hash_password;
-- 
cgit v1.2.3