EventSource.php 2.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2020-2024 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  6. * SPDX-License-Identifier: AGPL-3.0-only
  7. */
  8. namespace OC;
  9. use OCP\IEventSource;
  10. use OCP\IRequest;
  11. class EventSource implements IEventSource {
  12. private bool $fallback = false;
  13. private int $fallBackId = 0;
  14. private bool $started = false;
  15. public function __construct(
  16. private IRequest $request,
  17. ) {
  18. }
  19. protected function init(): void {
  20. if ($this->started) {
  21. return;
  22. }
  23. $this->started = true;
  24. // prevent php output buffering, caching and nginx buffering
  25. \OC_Util::obEnd();
  26. header('Cache-Control: no-cache');
  27. header('X-Accel-Buffering: no');
  28. $this->fallback = isset($_GET['fallback']) and $_GET['fallback'] == 'true';
  29. if ($this->fallback) {
  30. $this->fallBackId = (int)$_GET['fallback_id'];
  31. /**
  32. * FIXME: The default content-security-policy of ownCloud forbids inline
  33. * JavaScript for security reasons. IE starting on Windows 10 will
  34. * however also obey the CSP which will break the event source fallback.
  35. *
  36. * As a workaround thus we set a custom policy which allows the execution
  37. * of inline JavaScript.
  38. *
  39. * @link https://github.com/owncloud/core/issues/14286
  40. */
  41. header("Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'");
  42. header('Content-Type: text/html');
  43. echo str_repeat('<span></span>' . PHP_EOL, 10); //dummy data to keep IE happy
  44. } else {
  45. header('Content-Type: text/event-stream');
  46. }
  47. if (!$this->request->passesStrictCookieCheck()) {
  48. header('Location: ' . \OC::$WEBROOT);
  49. exit();
  50. }
  51. if (!$this->request->passesCSRFCheck()) {
  52. $this->send('error', 'Possible CSRF attack. Connection will be closed.');
  53. $this->close();
  54. exit();
  55. }
  56. flush();
  57. }
  58. /**
  59. * send a message to the client
  60. *
  61. * @param string $type
  62. * @param mixed $data
  63. *
  64. * @throws \BadMethodCallException
  65. * if only one parameter is given, a typeless message will be send with that parameter as data
  66. * @suppress PhanDeprecatedFunction
  67. */
  68. public function send($type, $data = null) {
  69. if ($data and !preg_match('/^[A-Za-z0-9_]+$/', $type)) {
  70. throw new \BadMethodCallException('Type needs to be alphanumeric (' . $type . ')');
  71. }
  72. $this->init();
  73. if (is_null($data)) {
  74. $data = $type;
  75. $type = null;
  76. }
  77. if ($this->fallback) {
  78. $response = '<script type="text/javascript">window.parent.OC.EventSource.fallBackCallBack('
  79. . $this->fallBackId . ',"' . ($type ?? '') . '",' . json_encode($data, JSON_HEX_TAG) . ')</script>' . PHP_EOL;
  80. echo $response;
  81. } else {
  82. if ($type) {
  83. echo 'event: ' . $type . PHP_EOL;
  84. }
  85. echo 'data: ' . json_encode($data, JSON_HEX_TAG) . PHP_EOL;
  86. }
  87. echo PHP_EOL;
  88. flush();
  89. }
  90. /**
  91. * close the connection of the event source
  92. */
  93. public function close() {
  94. $this->send('__internal__', 'close'); //server side closing can be an issue, let the client do it
  95. }
  96. }