[Doc Repo] Ensure file exists in DB before serving (Redmine #12220) (aces#2742)

* [Doc Repo] Ensure file exists in DB before serving

* Output file in downloadable format

Author: johnsaigle

modules/document_repository/ajax/GetFile.php

@@ -11,7 +11,6 @@
  *  @author   Dave MacFarlane <driusan@bic.mni.mcgill.ca>
  *  @license  Loris license
  *  @link     https://github.com/aces/Loris-Trunk
- *
  */
 
 $user =& User::singleton();
@@ -35,27 +34,33 @@
 // Checks that config settings are set
 $config =& NDB_Config::singleton();
 
-$File = $_GET['File'];
+$file = $_GET['File'];
+
+// Ensure file exists in the document_repository table before serving
+$db     =& Database::singleton();
+$record = $db->pselectOne(
+    "SELECT record_id FROM document_repository WHERE "
+    . "Data_dir=:dd",
+    array('dd' => $file)
+);
 
-// Make sure that the user isn't trying to break out of the $path by
-// using a relative filename.
-// No need to check for '/' since all downloads are relative to $basePath
-if (strpos("..", $File) !== false) {
+if (empty($record)) {
     error_log("ERROR: Invalid filename");
     header("HTTP/1.1 400 Bad Request");
     exit(4);
-}
-
+} 
 
-$FullPath = __DIR__ . "/../user_uploads/$File";
+$path = __DIR__ . "/../user_uploads/$file";
 
-if (!file_exists($FullPath)) {
-    error_log("ERROR: File $FullPath does not exist");
+if (!file_exists($path)) {
+    error_log("ERROR: File $path does not exist");
     header("HTTP/1.1 404 Not Found");
     exit(5);
 }
 
-$fp = fopen($FullPath, 'r');
-fpassthru($fp);
-fclose($fp);
-?>
+// Output file in downloadable format
+header('Content-Description: File Transfer');
+header('Content-Type: application/force-download');
+header("Content-Transfer-Encoding: Binary");
+header("Content-disposition: attachment; filename=\"" . basename($path) . "\"");
+readfile($path);