download.php 1.4 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-only
  6. */
  7. // Check if we are a user
  8. OC_Util::checkLoggedIn();
  9. \OC::$server->getSession()->close();
  10. $files = isset($_GET['files']) ? (string)$_GET['files'] : '';
  11. $dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
  12. $files_list = json_decode($files);
  13. // in case we get only a single file
  14. if (!is_array($files_list)) {
  15. $files_list = [$files];
  16. }
  17. /**
  18. * @psalm-taint-escape cookie
  19. */
  20. function cleanCookieInput(string $value): string {
  21. if (strlen($value) > 32) {
  22. return '';
  23. }
  24. if (preg_match('!^[a-zA-Z0-9]+$!', $_GET['downloadStartSecret']) !== 1) {
  25. return '';
  26. }
  27. return $value;
  28. }
  29. /**
  30. * this sets a cookie to be able to recognize the start of the download
  31. * the content must not be longer than 32 characters and must only contain
  32. * alphanumeric characters
  33. */
  34. if (isset($_GET['downloadStartSecret'])) {
  35. $value = cleanCookieInput($_GET['downloadStartSecret']);
  36. if ($value !== '') {
  37. setcookie('ocDownloadStarted', $value, time() + 20, '/');
  38. }
  39. }
  40. $server_params = [ 'head' => \OC::$server->getRequest()->getMethod() === 'HEAD' ];
  41. /**
  42. * Http range requests support
  43. */
  44. if (isset($_SERVER['HTTP_RANGE'])) {
  45. $server_params['range'] = \OC::$server->getRequest()->getHeader('Range');
  46. }
  47. OC_Files::get($dir, $files_list, $server_params);