X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/c3f7b39a0f3daa64a2d838190ae8efaedea4633c..refs/pull/3416/head:/app/Http/Controllers/Controller.php diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php index 2c4c2df1e..c00ac938b 100644 --- a/app/Http/Controllers/Controller.php +++ b/app/Http/Controllers/Controller.php @@ -2,16 +2,17 @@ namespace BookStack\Http\Controllers; +use BookStack\Exceptions\NotifyException; use BookStack\Facades\Activity; use BookStack\Interfaces\Loggable; use BookStack\Model; use BookStack\Util\WebSafeMimeSniffer; use Illuminate\Foundation\Bus\DispatchesJobs; use Illuminate\Foundation\Validation\ValidatesRequests; -use Illuminate\Http\Exceptions\HttpResponseException; use Illuminate\Http\JsonResponse; use Illuminate\Http\Response; use Illuminate\Routing\Controller as BaseController; +use Symfony\Component\HttpFoundation\StreamedResponse; abstract class Controller extends BaseController { @@ -53,14 +54,9 @@ abstract class Controller extends BaseController */ protected function showPermissionError() { - if (request()->wantsJson()) { - $response = response()->json(['error' => trans('errors.permissionJson')], 403); - } else { - $response = redirect('/'); - $this->showErrorNotification(trans('errors.permission')); - } + $message = request()->wantsJson() ? trans('errors.permissionJson') : trans('errors.permission'); - throw new HttpResponseException($response); + throw new NotifyException($message, '/', 403); } /** @@ -120,7 +116,28 @@ abstract class Controller extends BaseController { return response()->make($content, 200, [ 'Content-Type' => 'application/octet-stream', - 'Content-Disposition' => 'attachment; filename="' . $fileName . '"', + 'Content-Disposition' => 'attachment; filename="' . str_replace('"', '', $fileName) . '"', + 'X-Content-Type-Options' => 'nosniff', + ]); + } + + /** + * Create a response that forces a download, from a given stream of content. + */ + protected function streamedDownloadResponse($stream, string $fileName): StreamedResponse + { + return response()->stream(function () use ($stream) { + // End & flush the output buffer otherwise we still seem to use memory. + // Ignore in testing since output buffers are used to gather a response. + if (!app()->runningUnitTests()) { + ob_end_clean(); + } + + fpassthru($stream); + fclose($stream); + }, 200, [ + 'Content-Type' => 'application/octet-stream', + 'Content-Disposition' => 'attachment; filename="' . str_replace('"', '', $fileName) . '"', 'X-Content-Type-Options' => 'nosniff', ]); } @@ -135,7 +152,28 @@ abstract class Controller extends BaseController return response()->make($content, 200, [ 'Content-Type' => $mime, - 'Content-Disposition' => 'inline; filename="' . $fileName . '"', + 'Content-Disposition' => 'inline; filename="' . str_replace('"', '', $fileName) . '"', + 'X-Content-Type-Options' => 'nosniff', + ]); + } + + /** + * Create a file download response that provides the file with a content-type + * correct for the file, in a way so the browser can show the content in browser, + * for a given content stream. + */ + protected function streamedInlineDownloadResponse($stream, string $fileName): StreamedResponse + { + $sniffContent = fread($stream, 1000); + $mime = (new WebSafeMimeSniffer())->sniff($sniffContent); + + return response()->stream(function () use ($sniffContent, $stream) { + echo $sniffContent; + fpassthru($stream); + fclose($stream); + }, 200, [ + 'Content-Type' => $mime, + 'Content-Disposition' => 'inline; filename="' . str_replace('"', '', $fileName) . '"', 'X-Content-Type-Options' => 'nosniff', ]); }