handling file download differently to enable permissions
Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/6e844a10 Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/6e844a10 Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/6e844a10 Branch: refs/heads/master Commit: 6e844a1071124b4e16c05ee63f7b874077619e46 Parents: f3cb5f5 Author: scnakandala <[email protected]> Authored: Tue Jun 28 12:43:43 2016 -0400 Committer: scnakandala <[email protected]> Committed: Tue Jun 28 12:43:43 2016 -0400 ---------------------------------------------------------------------- app/libraries/ExperimentUtilities.php | 33 +++++++++++------------------- app/routes.php | 25 +++++++++++++++++++++- 2 files changed, 36 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/6e844a10/app/libraries/ExperimentUtilities.php ---------------------------------------------------------------------- diff --git a/app/libraries/ExperimentUtilities.php b/app/libraries/ExperimentUtilities.php index 612d0ea..d9b64b5 100644 --- a/app/libraries/ExperimentUtilities.php +++ b/app/libraries/ExperimentUtilities.php @@ -76,11 +76,8 @@ class ExperimentUtilities if( count( $experimentInputs) > 0 ) { foreach ($experimentInputs as $input) { $matchingAppInput = null; - if ($input->type == DataType::URI) { - $dataRoot = Config::get("pga_config.airavata")["experiment-data-absolute-path"]; - if(!ExperimentUtilities::endsWith($dataRoot, "/")) - $dataRoot = $dataRoot . "/"; + if(strpos($input->value, "airavata-dp") === 0){ $dataProductModel = Airavata::getDataProduct(Session::get('authz-token'), $input->value); $currentInputPath = ""; 
@@ -90,13 +87,14 @@ class ExperimentUtilities break; } } - $filePath = str_replace($dataRoot, "", parse_url($currentInputPath, PHP_URL_PATH)); + $fileName = basename($currentInputPath); }else{ - $filePath = str_replace($dataRoot, "", parse_url($input->value, PHP_URL_PATH)); + $fileName = basename($input->value); } - echo '<p>' . $input->name . ': <a target="_blank" href="' . URL::to("/") . '/download/?path=' - . $filePath . '">' . basename($filePath) . ' <span class="glyphicon glyphicon-new-window"></span></a></p>'; + echo '<p>' . $input->name . ': <a target="_blank" href="' . URL::to("/") . '/download/?id=' + . $input->value . '">' . $fileName . ' <span class="glyphicon glyphicon-new-window"></span></a></p>'; + } elseif ($input->type == DataType::STRING || $input->type == DataType::INTEGER || $input->type == DataType::FLOAT) { echo '<p>' . $input->name . ': ' . $input->value . '</p>'; @@ -122,7 +120,7 @@ class ExperimentUtilities if ($input->type == DataType::URI) { $dataRoot = Config::get("pga_config.airavata")["experiment-data-absolute-path"]; - if(!ExperimentUtilities::endsWith($dataRoot, "/")) + if(!$dataRoot.endswith("/")) $dataRoot = $dataRoot . "/"; $filePath = str_replace($dataRoot, "", parse_url($input->value, PHP_URL_PATH)); echo '<p>' . $input->name . ': <a target="_blank" href="' . URL::to("/") @@ -145,7 +143,7 @@ class ExperimentUtilities foreach ((array)$outputs as $output) { if ($output->type == DataType::URI || $output->type == DataType::STDOUT || $output->type == DataType::STDERR) { $dataRoot = Config::get("pga_config.airavata")["experiment-data-absolute-path"]; - if(!ExperimentUtilities::endsWith($dataRoot, "/")) + if(!$dataRoot.endswith("/")) $dataRoot = $dataRoot . "/"; $filePath = str_replace($dataRoot, "", parse_url($output->value, PHP_URL_PATH)); echo '<p>' . $output->name . ': <a target="_blank" href="' . URL::to("/") 
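Review bot: The rebuilt input link concatenates `$input->value` into the `href` with no encoding, and puts `$fileName` and `$input->name` into the markup with no HTML escaping, so a value containing quotes, `&` or markup breaks the link or is rendered as HTML. The matching output link in the hunk at -746 already applies `urlencode` to the id but leaves the file name unescaped as well. I would change the second added line to start `. urlencode($input->value) . '">' . htmlspecialchars($fileName, ENT_QUOTES, 'UTF-8') .` and escape `$input->name` the same way. The `else` arm also emits a `?id=` link for values that do not start with `airavata-dp`, which the new `id` route does not appear to be meant to serve. The enclosing `foreach` starts and ends outside the hunk.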
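Review bot: `$dataRoot.endswith("/")` is not a method call in PHP, because `.` is string concatenation, so the added line calls a global function `endswith()`. This commit does not define one and removes the private `ExperimentUtilities::endsWith` helper in the hunk at -159, so unless such a function exists elsewhere the line fails with an undefined-function error as soon as a URI input is rendered. The same expression is added in the hunk at -145 and in the new `id` branch of `app/routes.php`. A dependency-free replacement for both the `if` and the line under it is `$dataRoot = rtrim($dataRoot, "/") . "/";`. The enclosing loop starts and ends outside the hunk.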
@@ -159,11 +157,6 @@ class ExperimentUtilities } } - private static function endsWith($haystack, $needle) { - // search forward starting from end minus needle length characters - return $needle === "" || (($temp = strlen($haystack) - strlen($needle)) >= 0 && strpos($haystack, $needle, $temp) !== false); - } - /** * Get the experiment with the given ID * @param $expId @@ -734,9 +727,7 @@ class ExperimentUtilities foreach ((array)$outputs as $output) { if ($output->type == DataType::URI || $output->type == DataType::STDOUT || $output->type == DataType::STDERR) { if(!empty($output->value) && filter_var($output->value, FILTER_VALIDATE_URL)){ - $dataRoot = Config::get("pga_config.airavata")["experiment-data-absolute-path"]; - if(!ExperimentUtilities::endsWith($dataRoot, "/")) - $dataRoot = $dataRoot . "/"; + if(strpos($output->value, "airavata-dp") === 0){ $dataProductModel = Airavata::getDataProduct(Session::get('authz-token'), $output->value); $currentOutputPath = ""; @@ -746,12 +737,12 @@ class ExperimentUtilities break; } } - $filePath = str_replace($dataRoot, "", parse_url($currentOutputPath, PHP_URL_PATH)); + $fileName = basename($currentOutputPath); }else{ - $filePath = str_replace($dataRoot, "", parse_url($output->value, PHP_URL_PATH)); + $fileName = basename($output->value); } echo '<p>' . $output->name . ': <a target="_blank" href="' . URL::to("/") - . '/download/?path=' . urlencode($filePath) . '">' . basename($filePath) + . '/download/?id=' . urlencode($output->value) . '">' . $fileName . ' <span class="glyphicon glyphicon-new-window"></span></a></p>'; } http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/6e844a10/app/routes.php ---------------------------------------------------------------------- diff --git a/app/routes.php b/app/routes.php index 41fd139..ba37f40 100644 --- a/app/routes.php +++ b/app/routes.php 
@@ -99,15 +99,38 @@ Route::post("experiment/browse", "ExperimentController@browseView"); Route::get("download", function(){ - //FIXME check for no ../ parts in the path if(Input::has("path") && (0 == strpos(Input::get("path"), Session::get('username')) || 0 == strpos(Input::get("path"), "/" . Session::get('username')))){ $path = Input::get("path"); + + if (strpos($path, '/../') !== false || strpos($path, '/..') !== false || strpos($path, '../') !== false) + return null; + if(0 === strpos($path, '/')){ $path = substr($path, 1); } $downloadLink = Config::get('pga_config.airavata')['experiment-data-absolute-path'] . '/' . $path; return Response::download( $downloadLink); + }else if(Input::has("id") && (0 == strpos(Input::get("id"), "airavata-dp"))){ + $id = Input::get("id"); + + $dataRoot = Config::get("pga_config.airavata")["experiment-data-absolute-path"]; + if(!$dataRoot.endswith("/")) + $dataRoot = $dataRoot . "/"; + + $dataProductModel = Airavata::getDataProduct(Session::get('authz-token'), $id); + $currentOutputPath = ""; + foreach ($dataProductModel->replicaLocations as $rp) { + if($rp->replicaLocationCategory == ReplicaLocationCategory::GATEWAY_DATA_STORE){ + $currentOutputPath = $rp->filePath; + break; + } + } + + //TODO check permission + $path = str_replace($dataRoot, "", parse_url($currentOutputPath, PHP_URL_PATH)); + $downloadLink = Config::get('pga_config.airavata')['experiment-data-absolute-path'] . '/' . $path; + return Response::download( $downloadLink); } });
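Review bot: The new `id` branch serves whatever file the data product resolves to while the ownership check is still `//TODO check permission`, so access control rests entirely on what `Airavata::getDataProduct` enforces for the session's authz token, which is not visible here. The prefix guard `0 == strpos(Input::get("id"), "airavata-dp")` is also ineffective: `strpos` returns `false` when the prefix is absent and `0 == false` is true, so it should be `strpos(...) === 0`. The username check on the `path` branch in the context lines has the same loose comparison. When no `GATEWAY_DATA_STORE` replica is found, `$currentOutputPath` stays empty and the data root itself is handed to `Response::download`, and the resolved path is never confirmed to lie under the data root. The sketch below tightens the guard, returns 404 for a missing replica and adds a containment check; the permission check still needs a real implementation.

```php
    }else if(Input::has("id") && strpos(Input::get("id"), "airavata-dp") === 0){
        // … unchanged: $id, $dataRoot setup, getDataProduct call and replicaLocations loop …

        // No gateway replica: nothing to serve.
        if ($currentOutputPath === "")
            App::abort(404);

        //TODO check permission
        $path = str_replace($dataRoot, "", parse_url($currentOutputPath, PHP_URL_PATH));
        // Canonicalise both sides so ".." segments and symlinks cannot leave the data root.
        $root = realpath($dataRoot);
        $downloadLink = realpath($dataRoot . "/" . $path);
        if ($root === false || $downloadLink === false
            || strpos($downloadLink, $root . DIRECTORY_SEPARATOR) !== 0)
            App::abort(404);
        return Response::download($downloadLink);
```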
