[Summary view] [Print] [Text view]

   1  <?php
   2  /**
   3   * Multisite upload handler.
   4   *
   5   * @since 3.0.0
   6   *
   7   * @package WordPress
   8   * @subpackage Multisite
   9   */
  10  
  11  define( 'MS_FILES_REQUEST', true );
  12  define( 'SHORTINIT', true );
  13  
  14  /** Load WordPress Bootstrap */
  15  require_once dirname( __DIR__ ) . '/wp-load.php';
  16  
  17  if ( ! is_multisite() ) {
  18      die( 'Multisite support not enabled' );
  19  }
  20  
  21  ms_file_constants();
  22  
  23  if ( '1' === $current_blog->archived || '1' === $current_blog->spam || '1' === $current_blog->deleted ) {
  24      status_header( 404 );
  25      die( '404 &#8212; File not found.' );
  26  }
  27  
  28  if ( ! defined( 'BLOGUPLOADDIR' ) ) {
  29      status_header( 500 );
  30      die( '500 &#8212; Directory not configured.' );
  31  }
  32  
  33  $file = rtrim( BLOGUPLOADDIR, '/' ) . '/' . str_replace( '..', '', $_GET['file'] );
  34  if ( ! is_file( $file ) ) {
  35      status_header( 404 );
  36      die( '404 &#8212; File not found.' );
  37  }
  38  
  39  $mime = wp_check_filetype( $file );
  40  if ( false === $mime['type'] && function_exists( 'mime_content_type' ) ) {
  41      $mime['type'] = mime_content_type( $file );
  42  }
  43  
  44  if ( $mime['type'] ) {
  45      $mimetype = $mime['type'];
  46  } else {
  47      $mimetype = 'image/' . substr( $file, strrpos( $file, '.' ) + 1 );
  48  }
  49  
  50  header( 'Content-Type: ' . $mimetype ); // Always send this.
  51  if ( ! str_contains( $_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS' ) ) {
  52      header( 'Content-Length: ' . filesize( $file ) );
  53  }
  54  
  55  // Optional support for X-Sendfile and X-Accel-Redirect.
  56  if ( WPMU_ACCEL_REDIRECT ) {
  57      header( 'X-Accel-Redirect: ' . str_replace( WP_CONTENT_DIR, '', $file ) );
  58      exit;
  59  } elseif ( WPMU_SENDFILE ) {
  60      header( 'X-Sendfile: ' . $file );
  61      exit;
  62  }
  63  
  64  $wp_last_modified = gmdate( 'D, d M Y H:i:s', filemtime( $file ) );
  65  $wp_etag          = '"' . md5( $wp_last_modified ) . '"';
  66  
  67  header( "Last-Modified: $wp_last_modified GMT" );
  68  header( 'ETag: ' . $wp_etag );
  69  header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 100000000 ) . ' GMT' );
  70  
  71  // Support for conditional GET - use stripslashes() to avoid formatting.php dependency.
  72  if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ) {
  73      $client_etag = stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] );
  74  } else {
  75      $client_etag = '';
  76  }
  77  
  78  if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {
  79      $client_last_modified = trim( $_SERVER['HTTP_IF_MODIFIED_SINCE'] );
  80  } else {
  81      $client_last_modified = '';
  82  }
  83  
  84  // If string is empty, return 0. If not, attempt to parse into a timestamp.
  85  $client_modified_timestamp = $client_last_modified ? strtotime( $client_last_modified ) : 0;
  86  
  87  // Make a timestamp for our most recent modification.
  88  $wp_modified_timestamp = strtotime( $wp_last_modified );
  89  
  90  if ( ( $client_last_modified && $client_etag )
  91      ? ( ( $client_modified_timestamp >= $wp_modified_timestamp ) && ( $client_etag === $wp_etag ) )
  92      : ( ( $client_modified_timestamp >= $wp_modified_timestamp ) || ( $client_etag === $wp_etag ) )
  93  ) {
  94      status_header( 304 );
  95      exit;
  96  }
  97  
  98  // If we made it this far, just serve the file.
  99  readfile( $file );
 100  flush();