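0 && $j > 0 && isset($tmp[$i]) && isset($tmp2[$j]) && $tmp[$i] == $tmp2[$j]) { $i--; $j--; }
// ^ tail of the main.inc.php locator loop; its head lies before this chunk and is left as found.

// Locate and load the application's main.inc.php: first via the path prefix the
// loop above found, then its parent, then fixed relative fallbacks. The `@`
// suppression on include is the upstream convention for this bootstrap and is kept.
if (!$res && $i > 0 && file_exists(substr($tmp, 0, ($i + 1)) . "/main.inc.php")) {
    $res = @include substr($tmp, 0, ($i + 1)) . "/main.inc.php";
}
if (!$res && $i > 0 && file_exists(dirname(substr($tmp, 0, ($i + 1))) . "/main.inc.php")) {
    $res = @include dirname(substr($tmp, 0, ($i + 1))) . "/main.inc.php";
}
if (!$res && file_exists("../../main.inc.php")) {
    $res = @include "../../main.inc.php";
}
if (!$res && file_exists("../../../main.inc.php")) {
    $res = @include "../../../main.inc.php";
}
if (!$res) {
    die("Include of main fails");
}

require_once __DIR__ . '/../class/upload_token.class.php';

// Validate the upload token. What "valid" means (expiry, binding to a folder, ...)
// is decided by BerichtUploadToken::fetchValid; an unknown token is a hard 403.
$token = (string) ($_REQUEST['token'] ?? '');
$tok = BerichtUploadToken::fetchValid($db, $token);
if (!$tok) {
    http_response_code(403);
    die('Token ungültig');
}

// Reduce the requested name to a bare file name: basename() strips every directory
// component, so "../" sequences cannot leave the upload folder. Compared with ''
// rather than empty() so that a file literally named "0" is not rejected.
$filename = basename((string) ($_REQUEST['file'] ?? ''));
if ($filename === '') {
    http_response_code(400);
    die('Dateiname fehlt');
}

// Resolve the folder this token grants access to.
$upload_dir = $tok->getUploadDir();
if (!$upload_dir) {
    http_response_code(404);
    die('Ordner nicht gefunden');
}
$filepath = $upload_dir . '/' . $filename;

// Canonicalise both paths (this also resolves symlinks) and require a regular file
// located under the upload folder. The directory separator is appended to the
// prefix so that a sibling folder that merely shares the name prefix
// (e.g. ".../dir2" vs ".../dir") is rejected, and is_file() excludes directories.
$realpath = realpath($filepath);
$realdir = realpath($upload_dir);
$dirPrefix = $realdir === false ? '' : rtrim($realdir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
if (
    $realpath === false
    || $realdir === false
    || !is_file($realpath)
    || strncmp($realpath, $dirPrefix, strlen($dirPrefix)) !== 0
) {
    http_response_code(404);
    die('Datei nicht gefunden');
}

// Deliver the file. Only image/* types are passed through with their detected
// type; everything else is sent as an opaque download. SVG is deliberately
// treated as non-image because browsers execute script embedded in inline SVG.
$mime = mime_content_type($realpath);
if (!$mime || strpos($mime, 'image/') !== 0 || strpos($mime, 'image/svg') === 0) {
    $mime = 'application/octet-stream';
}
$size = filesize($realpath);

header('Content-Type: ' . $mime);
if ($size !== false) {
    header('Content-Length: ' . $size);
}
// nosniff stops the browser from second-guessing the declared type.
header('X-Content-Type-Options: nosniff');
if ($mime === 'application/octet-stream') {
    // RFC 5987 encoding keeps arbitrary file names out of the header syntax.
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($filename));
}
header('Cache-Control: private, max-age=3600');
readfile($realpath);
exit;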