Update xml_cdr.php
Use the permission_exists and is_uuid conditions at the top of the download class method. If false use return to prevent running code without the right permission and a valid uuid.
This commit is contained in:
FusionPBX
GitHub
parent
5f7ef8848e
commit
7fe291dfcf
|
|
@ -1988,59 +1988,66 @@
|
||||||
* download the recordings
|
* download the recordings
|
||||||
*/
|
*/
|
||||||
public function download() {
|
public function download() {
|
||||||
if (permission_exists('xml_cdr_view')) {
|
|
||||||
|
|
||||||
//get call recording from database
|
//check the permission
|
||||||
if (is_uuid($this->recording_uuid)) {
|
if (!permission_exists('xml_cdr_view')) {
|
||||||
$sql = "select record_name, record_path from v_xml_cdr ";
|
//echo "permission denied";
|
||||||
$sql .= "where xml_cdr_uuid = :xml_cdr_uuid ";
|
return;
|
||||||
$parameters['xml_cdr_uuid'] = $this->recording_uuid;
|
}
|
||||||
$row = $this->database->select($sql, $parameters, 'row');
|
|
||||||
if (!empty($row) && is_array($row)) {
|
//check for a valid uuid
|
||||||
$record_name = $row['record_name'];
|
if (!is_uuid($this->recording_uuid)) {
|
||||||
$record_path = $row['record_path'];
|
//echo "invalid uuid";
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
//get call recording from database
|
||||||
|
$sql = "select record_name, record_path from v_xml_cdr ";
|
||||||
|
$sql .= "where xml_cdr_uuid = :xml_cdr_uuid ";
|
||||||
|
$parameters['xml_cdr_uuid'] = $this->recording_uuid;
|
||||||
|
$row = $this->database->select($sql, $parameters, 'row');
|
||||||
|
if (!empty($row) && is_array($row)) {
|
||||||
|
$record_name = $row['record_name'];
|
||||||
|
$record_path = $row['record_path'];
|
||||||
|
}
|
||||||
|
unset ($sql, $parameters, $row);
|
||||||
|
|
||||||
|
//build full path
|
||||||
|
$record_file = $record_path.'/'.$record_name;
|
||||||
|
|
||||||
|
//download the file
|
||||||
|
if ($record_file != '/' && file_exists($record_file)) {
|
||||||
|
ob_clean();
|
||||||
|
$fd = fopen($record_file, "rb");
|
||||||
|
if ($this->binary) {
|
||||||
|
header("Content-Type: application/force-download");
|
||||||
|
header("Content-Type: application/octet-stream");
|
||||||
|
header("Content-Type: application/download");
|
||||||
|
header("Content-Description: File Transfer");
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$file_ext = pathinfo($record_name, PATHINFO_EXTENSION);
|
||||||
|
switch ($file_ext) {
|
||||||
|
case "wav" : header("Content-Type: audio/x-wav"); break;
|
||||||
|
case "mp3" : header("Content-Type: audio/mpeg"); break;
|
||||||
|
case "ogg" : header("Content-Type: audio/ogg"); break;
|
||||||
}
|
}
|
||||||
unset ($sql, $parameters, $row);
|
}
|
||||||
}
|
$record_name = preg_replace('#[^a-zA-Z0-9_\-\.]#', '', $record_name);
|
||||||
|
header('Content-Disposition: attachment; filename="'.$record_name.'"');
|
||||||
//build full path
|
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
|
||||||
$record_file = $record_path.'/'.$record_name;
|
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
|
||||||
|
if ($this->binary) {
|
||||||
//download the file
|
header("Content-Length: ".filesize($record_file));
|
||||||
if ($record_file != '/' && file_exists($record_file)) {
|
}
|
||||||
ob_clean();
|
ob_clean();
|
||||||
$fd = fopen($record_file, "rb");
|
|
||||||
if ($this->binary) {
|
//content-range
|
||||||
header("Content-Type: application/force-download");
|
if (isset($_SERVER['HTTP_RANGE']) && !$this->binary) {
|
||||||
header("Content-Type: application/octet-stream");
|
$this->range_download($record_file);
|
||||||
header("Content-Type: application/download");
|
|
||||||
header("Content-Description: File Transfer");
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$file_ext = pathinfo($record_name, PATHINFO_EXTENSION);
|
|
||||||
switch ($file_ext) {
|
|
||||||
case "wav" : header("Content-Type: audio/x-wav"); break;
|
|
||||||
case "mp3" : header("Content-Type: audio/mpeg"); break;
|
|
||||||
case "ogg" : header("Content-Type: audio/ogg"); break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
$record_name = preg_replace('#[^a-zA-Z0-9_\-\.]#', '', $record_name);
|
|
||||||
header('Content-Disposition: attachment; filename="'.$record_name.'"');
|
|
||||||
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
|
|
||||||
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
|
|
||||||
if ($this->binary) {
|
|
||||||
header("Content-Length: ".filesize($record_file));
|
|
||||||
}
|
|
||||||
ob_clean();
|
|
||||||
|
|
||||||
//content-range
|
|
||||||
if (isset($_SERVER['HTTP_RANGE']) && !$this->binary) {
|
|
||||||
$this->range_download($record_file);
|
|
||||||
}
|
|
||||||
|
|
||||||
fpassthru($fd);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fpassthru($fd);
|
||||||
}
|
}
|
||||||
|
|
||||||
} //end download method
|
} //end download method
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue