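<?php

// phpcs:disable PSR1.Files.SideEffects.FoundWithSymbols

/**
 * Streams one file from a filelist-configured location to the client.
 *
 * Request parameters (read through $INPUT): 'root' and 'file', concatenated
 * into the requested path.
 *
 * Security model: no session is started and no wiki authentication is used
 * (see NOSESSION below). The only gates visible here are Path::getPathInfo()
 * and the Path::isWikiControlled() check, so the plugin's 'paths' setting is
 * effectively the access-control list for this endpoint.
 * NOTE(review): getPathInfo() is defined in the Path class, not in this file;
 * presumably it rejects paths outside the configured roots by throwing.
 * Confirm it also canonicalises '..' segments and symlinks.
 *
 * Responses: 403 with the exception message when the path is rejected,
 * 404 when the target is not a readable regular file, otherwise the content.
 */

use dokuwiki\plugin\filelist\Path;

if (!defined('DOKU_INC')) define('DOKU_INC', __DIR__ . '/../../../');
if (!defined('NOSESSION')) define('NOSESSION', true); // we do not use a session or authentication here (better caching)
if (!defined('DOKU_DISABLE_GZIP_OUTPUT')) define('DOKU_DISABLE_GZIP_OUTPUT', 1); // we gzip ourselves here
require_once(DOKU_INC . 'inc/init.php');

global $INPUT;

$syntax = plugin_load('syntax', 'filelist');
if (!$syntax) die('plugin disabled?');

$pathUtil = new Path($syntax->getConf('paths'));
// Both parts are client-controlled; nothing below may touch the filesystem
// with $path directly, only with the value getPathInfo() hands back.
$path = $INPUT->str('root') . $INPUT->str('file');

try {
    $pathInfo = $pathUtil->getPathInfo($path, false);
    $localPath = $pathInfo['path'];

    // Wiki data must never be served from here: this endpoint does no ACL checks.
    if ($pathUtil::isWikiControlled($localPath)) {
        throw new Exception('Access to wiki files is not allowed');
    }

    // is_readable() is also true for directories, which readfile() cannot
    // deliver; treat anything that is not a readable regular file as missing.
    if (!is_file($localPath) || !is_readable($localPath)) {
        header('Content-Type: text/plain');
        http_status(404);
        // NOTE(review): this echoes the resolved server-side path to an
        // unauthenticated client; consider returning the requested name only.
        echo 'Path not readable: ' . $localPath;
        exit;
    }

    [$ext, $mime, $download] = mimetype($localPath, false);
    if (!$mime) {
        // Without a MIME type the original sent an empty Content-Type header
        // and served the file inline, leaving the browser to sniff the content.
        // Fall back to an opaque type and force a download instead.
        $mime = 'application/octet-stream';
        $download = true;
    }

    header('Content-Type: ' . $mime);
    // Keep browsers from second-guessing the declared type.
    header('X-Content-Type-Options: nosniff');

    if ($download) {
        // The name comes from the filesystem and may contain '"' or '\', which
        // would terminate or corrupt the quoted-string; drop control
        // characters and backslash-escape the rest.
        $basename = basename($localPath);
        $safeName = addcslashes(preg_replace('/[\x00-\x1F\x7F]/', '', $basename) ?? '', "\"\\");
        header('Content-Disposition: attachment; filename="' . $safeName . '"');
    }

    // NOTE(review): http_sendfile() is a DokuWiki helper defined elsewhere;
    // presumably it hands delivery to the web server when so configured.
    // readfile() covers the case where it returns.
    http_sendfile($localPath);
    readfile($localPath);
} catch (Exception $e) {
    // Rejected paths (and the wiki-file check above) end up here.
    header('Content-Type: text/plain');
    http_status(403);
    echo $e->getMessage();
    exit;
}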