Issues (2160)

main/social/download.php (1 issue)

<?php
/* For licensing terms, see /license.txt */

/**
 * This file is responsible for passing requested file attachments from messages
 * Html files are parsed to fix a few problems with URLs,
 * but this code will hopefully be replaced soon by an Apache URL
 * rewrite mechanism.
 *
 * @package chamilo.messages
 */

use Symfony\Component\HttpFoundation\Request as HttpRequest;
This use statement conflicts with another class in this namespace, HttpRequest. Consider defining an alias.

Let's assume that you have a directory layout like this:

.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php

and let's assume the following content of Bar.php:

// Bar.php
namespace OtherDir;

use SomeDir\Foo; // This now conflicts with the class OtherDir\Foo

If both files OtherDir/Foo.php and SomeDir/Foo.php are loaded in the same runtime, you will see a PHP error such as the following:

PHP Fatal error:  Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php

However, as OtherDir/Foo.php does not necessarily have to be loaded and the error is only triggered if it is loaded before OtherDir/Bar.php, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias:

// Bar.php
namespace OtherDir;

use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore.

session_cache_limiter('public');

require_once __DIR__.'/../inc/global.inc.php';

api_block_anonymous_users();

// IMPORTANT to avoid caching of documents
header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
header('Cache-Control: public');
header('Pragma: no-cache');

$httpRequest = HttpRequest::createFromGlobals();

$messageId = $httpRequest->query->getInt('message_id');
$attachmentId = $httpRequest->query->getInt('attachment_id');

$messageInfo = MessageManager::get_message_by_id($messageId);
$attachmentInfo = MessageManager::getAttachment($attachmentId);

if (empty($messageInfo) || empty($attachmentInfo)) {
    api_not_allowed();
}

// Attachment belongs to the message?
if ($messageInfo['id'] != $attachmentInfo['message_id']) {
    api_not_allowed();
}

// Do not process group items
if (!empty($messageInfo['group_id'])) {
    api_not_allowed();
}

// Only process wall messages
if (!in_array($messageInfo['msg_status'], [MESSAGE_STATUS_WALL, MESSAGE_STATUS_WALL_POST, MESSAGE_STATUS_PROMOTED])) {
    api_not_allowed();
}

$dir = UserManager::getUserPathById($messageInfo['user_sender_id'], 'system');
if (empty($dir)) {
    api_not_allowed();
}

$file = $dir.'message_attachments/'.$attachmentInfo['path'];
$title = api_replace_dangerous_char($attachmentInfo['filename']);

if (Security::check_abs_path($file, $dir.'message_attachments/')) {
    // launch event
    Event::event_download($file);
    $result = DocumentManager::file_send_for_download(
        $file,
        false,
        $title
    );
    if ($result === false) {
        api_not_allowed(true);
    }
}
exit;