From 17279c264b9fc956f56f09ebad7e8ade96b4985b Mon Sep 17 00:00:00 2001
From: Kijin Sung <kijin@kijinsung.com>
Date: Mon, 26 Dec 2022 16:23:19 +0900
Subject: [PATCH] Add support for short download URLs #1875 #1922
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Originally committed on April 3, 2022
- Thanks to @misol @conory
- getDownloadUrl()에서 기존 메소드 형태 최대한 그대로 유지하는 방향으로 작업
  (단, source_filename 파라미터를 전달하지 않으면 긴주소로 강제됨)
- getDirectFileUrl()의 불필요하게 복잡한 코드 정리
- getFileList()에서 이미지가 아닌 파일도 절대경로를 반환하도록 수정
- procFileDownload, procFileOutput에서 URL에 포함된 파일명을 검증하도록 하여
  동일한 첨부파일에서 파일명 부분만 변형한 링크를 무한 생성할 수 없도록 함
- 짧은주소 미사용시 불필요한 module_srl 파라미터 제거
---
 common/framework/Router.php                   |  6 ++++
 .../js/plugins/jquery.fileupload/js/main.js   |  8 ++---
 modules/file/file.admin.model.php             |  2 +-
 modules/file/file.controller.php              | 24 ++++++++++----
 modules/file/file.model.php                   | 32 +++++++++++--------
 modules/file/tpl/iframe.html                  |  2 +-
 6 files changed, 49 insertions(+), 25 deletions(-)

diff --git a/common/framework/Router.php b/common/framework/Router.php
index 8bc39d8ae..b4b0ec1ec 100644
--- a/common/framework/Router.php
+++ b/common/framework/Router.php
@@ -46,6 +46,12 @@ class Router
 			'vars' => ['mid' => 'any', 'act' => 'word'],
 			'priority' => 20,
 		),
+		'files/download/link/$file_srl/$sid/$filename' => array(
+			'regexp' => '#^files/download/link/(?<file_srl>[0-9]+)/(?<sid>[0-9a-f]+)/(?<filename>[^/]+)$#',
+			'vars' => ['file_srl' => 'int', 'sid' => 'hex', 'filename' => 'any'],
+			'extra_vars' => ['act' => 'procFileDownload'],
+			'priority' => 0,
+		),
 		'files/download/$file_srl/$file_key/$filename' => array(
 			'regexp' => '#^files/download/(?<file_srl>[0-9]+)/(?<file_key>[a-zA-Z0-9_-]+)/(?<filename>[^/]+)$#',
 			'vars' => ['file_srl' => 'int', 'file_key' => 'any', 'filename' => 'any'],
diff --git a/common/js/plugins/jquery.fileupload/js/main.js b/common/js/plugins/jquery.fileupload/js/main.js
index 00f3af360..46ab96650 100644
--- a/common/js/plugins/jquery.fileupload/js/main.js
+++ b/common/js/plugins/jquery.fileupload/js/main.js
@@ -183,8 +183,8 @@
 						else if(/\.(mp4|webm|ogv)$/i.test(result.source_filename) && opt.autoinsertTypes.video) {
 							if(result.original_type === 'image/gif') {
 								temp_code += '<video src="' + result.download_url + '" autoplay loop muted playsinline data-file-srl="' + result.file_srl + '" />';
-							} else if (result.download_url.match(/\bprocFileDownload\b/)) {
-								if (result.download_url.match(/^\?/)) {
+							} else if (result.download_url.match(/\b(?:procFileDownload\b|files\/download\/)/)) {
+								if (!result.download_url.match(/^\//)) {
 									result.download_url = XE.URI(default_url).pathname() + result.download_url;
 								}
 								temp_code += '<video src="' + result.download_url + '" controls preload="none" data-file-srl="' + result.file_srl + '" />';
@@ -364,8 +364,8 @@
 				else if(/\.(mp4|webm|ogv)$/i.test(result.source_filename)) {
 					if(result.original_type === 'image/gif') {
 						temp_code += '<video src="' + result.download_url + '" autoplay loop muted playsinline data-file-srl="' + result.file_srl + '" />';
-					} else if (result.download_url.match(/\bprocFileDownload\b/)) {
-						if (result.download_url.match(/^\?/)) {
+					} else if (result.download_url.match(/\b(?:procFileDownload\b|files\/download\/)/)) {
+						if (!result.download_url.match(/^\//)) {
 							result.download_url = XE.URI(default_url).pathname() + result.download_url;
 						}
 						temp_code += '<video src="' + result.download_url + '" controls preload="none" data-file-srl="' + result.file_srl + '" />';
diff --git a/modules/file/file.admin.model.php b/modules/file/file.admin.model.php
index a52d4a798..3706d9c28 100644
--- a/modules/file/file.admin.model.php
+++ b/modules/file/file.admin.model.php
@@ -114,7 +114,7 @@ class fileAdminModel extends file
 			{
 				$file->isCarted = false;
 			}
-			$file->download_url = FileModel::getDownloadUrl($file->file_srl, $file->sid, $file->module_srl);
+			$file->download_url = FileModel::getDownloadUrl($file->file_srl, $file->sid, $file->module_srl, $file->source_filename);
 			$output->data[$key] = $file;
 		}
 
diff --git a/modules/file/file.controller.php b/modules/file/file.controller.php
index c35172ff8..1c7af1be2 100644
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
@@ -158,7 +158,7 @@ class fileController extends file
 		}
 		else
 		{
-			$this->add('download_url', FileModel::getDownloadUrl($output->get('file_srl'), $output->get('sid'), $module_srl));
+			$this->add('download_url', FileModel::getDownloadUrl($output->get('file_srl'), $output->get('sid'), $module_srl, $output->get('source_filename')));
 		}
 	}
 
@@ -288,18 +288,24 @@ class fileController extends file
 
 		$file_srl = Context::get('file_srl');
 		$sid = Context::get('sid');
-		$logged_info = Context::get('logged_info');
+		$filename_arg = Context::get('filename');
+
 		// Get file information from the DB
 		$file_obj = FileModel::getFile($file_srl);
+		$filename = preg_replace('/\.\.+/', '.', $file_obj->source_filename);
+
 		// If the requested file information is incorrect, an error that file cannot be found appears
 		if($file_obj->file_srl != $file_srl || $file_obj->sid !== $sid)
 		{
 			throw new Rhymix\Framework\Exceptions\TargetNotFound('msg_file_not_found');
 		}
-		// File name
-		$filename = $file_obj->source_filename;
-		$file_module_config = FileModel::getFileModuleConfig($file_obj->module_srl);
+		if ($filename_arg !== null && $filename_arg !== $filename)
+		{
+			throw new Rhymix\Framework\Exceptions\TargetNotFound('msg_file_not_found');
+		}
+		
 		// Not allow the file outlink
+		$file_module_config = FileModel::getFileModuleConfig($file_obj->module_srl);
 		if($file_module_config->allow_outlink == 'N' && $_SERVER["HTTP_REFERER"])
 		{
 			// Handles extension to allow outlink
@@ -430,6 +436,12 @@ class fileController extends file
 			throw new Rhymix\Framework\Exceptions\InvalidRequest;
 		}
 		
+		// Check filename if given
+		if ($filename_arg !== null && $filename_arg !== $filename)
+		{
+			throw new Rhymix\Framework\Exceptions\TargetNotFound('msg_file_not_found');
+		}
+		
 		// Check if file exists
 		$uploaded_filename = $file_obj->uploaded_filename;
 		if(!file_exists($uploaded_filename))
@@ -452,7 +464,7 @@ class fileController extends file
 		}
 
 		// Encode the filename.
-		if ($filename_arg && $filename_arg === $filename)
+		if ($filename_arg !== null && $filename_arg === $filename)
 		{
 			$filename_param = '';
 		}
diff --git a/modules/file/file.model.php b/modules/file/file.model.php
index 5b4fac78b..e6be2882b 100644
--- a/modules/file/file.model.php
+++ b/modules/file/file.model.php
@@ -86,11 +86,14 @@ class fileModel extends file
 				$obj->original_type = $file_info->original_type;
 				$obj->direct_download = $file_info->direct_download;
 				$obj->cover_image = ($file_info->cover_image === 'Y') ? true : false;
-				$obj->download_url = $file_info->download_url;
 				if($obj->direct_download === 'Y' && self::isDownloadable($file_info))
 				{
 					$obj->download_url = self::getDirectFileUrl($file_info->uploaded_filename);
 				}
+				else
+				{
+					$obj->download_url = self::getDirectFileUrl($file_info->download_url);
+				}
 				
 				$file_list[] = $obj;
 				$attached_size += $file_info->file_size;
@@ -248,12 +251,20 @@ class fileModel extends file
 	 *
 	 * @param int $file_srl The sequence of file to get url
 	 * @param string $sid
-	 * @param int $module_srl
+	 * @param int $module_srl (unused)
+	 * @param string $source_filename
 	 * @return string Returns a url
 	 */
-	public static function getDownloadUrl($file_srl, $sid, $module_srl = 0)
+	public static function getDownloadUrl($file_srl, $sid, $module_srl = 0, $source_filename = null)
 	{
-		return sprintf('?module=%s&amp;act=%s&amp;file_srl=%s&amp;sid=%s&amp;module_srl=%d', 'file', 'procFileDownload', $file_srl, $sid, $module_srl);
+		if ($source_filename && config('use_rewrite') && self::getFileConfig()->download_short_url === 'Y')
+		{
+			return sprintf('files/download/link/%d/%s/%s', $file_srl, $sid, rawurlencode(preg_replace('/\.\.+/', '.', $source_filename)));
+		}
+		else
+		{
+			return sprintf('index.php?module=%s&amp;act=%s&amp;file_srl=%s&amp;sid=%s', 'file', 'procFileDownload', $file_srl, $sid);
+		}
 	}
 	
 	/**
@@ -264,12 +275,7 @@ class fileModel extends file
 	 */
 	public static function getDirectFileUrl($path)
 	{
-		if(dirname($_SERVER['SCRIPT_NAME']) == '/' || dirname($_SERVER['SCRIPT_NAME']) == '\\')
-		{
-			return '/' . substr($path, 2);
-		}
-
-		return dirname($_SERVER['SCRIPT_NAME']) . '/' . substr($path, 2);
+		return \RX_BASEURL . ltrim($path, './');
 	}
 	
 	/**
@@ -342,7 +348,7 @@ class fileModel extends file
 		if(count($output->data) == 1)
 		{
 			$file = $output->data[0];
-			$file->download_url = self::getDownloadUrl($file->file_srl, $file->sid, $file->module_srl);
+			$file->download_url = self::getDownloadUrl($file->file_srl, $file->sid, $file->module_srl, $file->source_filename);
 
 			return $file;
 		}
@@ -355,7 +361,7 @@ class fileModel extends file
 				foreach($output->data as $key=>$value)
 				{
 					$file = $value;
-					$file->download_url = self::getDownloadUrl($file->file_srl, $file->sid, $file->module_srl);
+					$file->download_url = self::getDownloadUrl($file->file_srl, $file->sid, $file->module_srl, $file->source_filename);
 					$fileList[] = $file;
 				}
 			}
@@ -387,7 +393,7 @@ class fileModel extends file
 		foreach ($output->data as $file)
 		{
 			$file->source_filename = escape($file->source_filename, false);
-			$file->download_url = self::getDownloadUrl($file->file_srl, $file->sid, $file->module_srl);
+			$file->download_url = self::getDownloadUrl($file->file_srl, $file->sid, $file->module_srl, $file->source_filename);
 			$fileList[] = $file;
 		}
 		return $fileList;
diff --git a/modules/file/tpl/iframe.html b/modules/file/tpl/iframe.html
index 7f82a9080..4a31000a8 100644
--- a/modules/file/tpl/iframe.html
+++ b/modules/file/tpl/iframe.html
@@ -13,7 +13,7 @@
 	<!--@if($uploaded_fileinfo->get('direct_download') === 'Y')-->
 	uploaded_fileinfo.download_url = '{FileModel::getDirectFileUrl($uploaded_fileinfo->get("uploaded_filename"))}';
 	<!--@else-->
-	uploaded_fileinfo.download_url = '{FileModel::getDownloadUrl($uploaded_fileinfo->get("file_srl"), $uploaded_fileinfo->get("sid"), $module_srl)}';
+	uploaded_fileinfo.download_url = '{FileModel::getDownloadUrl($uploaded_fileinfo->get("file_srl"), $uploaded_fileinfo->get("sid"), $module_srl, $uploaded_fileinfo->get("source_filename"))}';
 	<!--@end-->
 	uploaded_fileinfo.thumbnail_filename = '{$uploaded_fileinfo->get("thumbnail_filename")}';
 	uploaded_fileinfo.original_type = '{$uploaded_fileinfo->get("original_type")}';