Matthieu
79 lines
3.1 KiB
PHP
79 lines
3.1 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Controller\Share;
|
|
|
|
use App\Service\Share\Exception\InvalidPathException;
|
|
use App\Service\Share\Exception\ShareConnectionException;
|
|
use App\Service\Share\Exception\ShareNotConfiguredException;
|
|
use App\Service\Share\FileSource;
|
|
use App\Service\Share\SharePathResolver;
|
|
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
|
use Symfony\Component\HttpFoundation\HeaderUtils;
|
|
use Symfony\Component\HttpFoundation\Request;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
use Symfony\Component\HttpFoundation\StreamedResponse;
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
use Symfony\Component\Mime\MimeTypes;
|
|
use Symfony\Component\Routing\Attribute\Route;
|
|
use Symfony\Component\Security\Http\Attribute\IsGranted;
|
|
|
|
use function is_resource;
|
|
|
|
class ShareDownloadController extends AbstractController
|
|
{
|
|
public function __construct(
|
|
private readonly FileSource $fileSource,
|
|
private readonly SharePathResolver $pathResolver,
|
|
) {}
|
|
|
|
#[Route('/api/share/download', name: 'share_download', methods: ['GET'], priority: 1)]
|
|
#[IsGranted('IS_AUTHENTICATED_FULLY')]
|
|
public function __invoke(Request $request): Response
|
|
{
|
|
$rawPath = (string) $request->query->get('path', '');
|
|
|
|
try {
|
|
$path = $this->pathResolver->normalizeRelative($rawPath);
|
|
} catch (InvalidPathException) {
|
|
return new Response('Invalid path.', 400);
|
|
}
|
|
|
|
if ('' === $path) {
|
|
throw new NotFoundHttpException('No file requested.');
|
|
}
|
|
|
|
try {
|
|
$stream = $this->fileSource->read($path);
|
|
} catch (ShareNotConfiguredException) {
|
|
return new Response('Share not configured.', 409);
|
|
} catch (ShareConnectionException) {
|
|
throw new NotFoundHttpException('File not found.');
|
|
}
|
|
|
|
$name = basename($path);
|
|
$extension = pathinfo($name, PATHINFO_EXTENSION);
|
|
$mime = MimeTypes::getDefault()->getMimeTypes($extension)[0] ?? 'application/octet-stream';
|
|
|
|
// Anti-XSS : seuls des types non exécutables sont servis inline (images hors SVG, PDF).
|
|
// Tout le reste (HTML, SVG, octet-stream, etc.) est forcé en attachment, même si inline est demandé.
|
|
$inlineSafe = ('image/svg+xml' !== $mime && str_starts_with($mime, 'image/')) || 'application/pdf' === $mime;
|
|
$wantInline = 'attachment' !== $request->query->get('disposition');
|
|
$disposition = ($inlineSafe && $wantInline) ? HeaderUtils::DISPOSITION_INLINE : HeaderUtils::DISPOSITION_ATTACHMENT;
|
|
|
|
$response = new StreamedResponse(function () use ($stream): void {
|
|
if (is_resource($stream)) {
|
|
fpassthru($stream);
|
|
fclose($stream);
|
|
}
|
|
});
|
|
$response->headers->set('Content-Type', $mime);
|
|
$response->headers->set('Content-Disposition', HeaderUtils::makeDisposition($disposition, $name));
|
|
// Empêche le navigateur de "deviner" un type exécutable à partir du contenu.
|
|
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
|
|
|
return $response;
|
|
}
|
|
}
|