PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
0c2276d5ad148eb910b097269d2b930d5e0ff408
xamxam/public/media.php
Pontoporeia 94e9060dc7 WCAG 4.1.2: add WebVTT caption support for <video> elements on tfe.php 
Problem: <video> elements on tfe.php had no <track kind="captions"> element,
violating WCAG 4.1.2 (name, role, value) for video content.

Changes:
- public/tfe.php: collect all text/vtt files from the thesis file list before
  rendering; skip standalone rendering of .vtt entries; for each MP4 emit a
  <track kind="captions" srclang="fr" label="Sous-titres" default> pointing
  to the N-th VTT file (N-th video paired with N-th caption in document order)
- public/media.php: add text/vtt to allowed MIME list; normalise finfo
  text/plain -> text/vtt for .vtt files; add vtt branch to cache/header
  block (Content-Type: text/vtt; charset=utf-8, 1-day cache)
- public/admin/actions/formulaire.php: allow .vtt uploads (text/vtt MIME,
  vtt extension); normalise text/plain finfo result; set file_type='caption'
  for VTT files so they are distinguishable from other thesis files
- public/admin/add.php: extend files field accept attr to include .vtt;
  update hint text to document the VTT sidecar convention

VTT files uploaded under theses/ inherit the same access_type visibility
gate in media.php as all other thesis content (403 for access_type_id=3).
2026-04-06 15:33:08 +02:00

122 lines
4.0 KiB
PHP
Raw Blame History

<?php
/**
* Media file serving controller
*
* Serves uploaded files that are stored outside the webroot (STORAGE_ROOT).
* This is the sole access point for thesis files, covers, and annexes — they
* are never exposed as direct filesystem paths from the web server.
*
* Security:
* - Strict character whitelist on the path parameter (no path traversal)
* - realpath() jail: resolved path must stay inside STORAGE_ROOT
* - MIME type verified against an allow-list before serving
*/
require_once __DIR__ . '/../config/bootstrap.php';
// --- 1. Extract and validate the requested path -------------------------------
$requestedPath = $_GET['path'] ?? '';
// Only allow safe characters: letters, digits, forward slashes, dots, hyphens, underscores.
// This explicitly rejects null bytes, backslashes, and sequences like "../".
if (!preg_match('#^[a-zA-Z0-9/_\-.]+$#', $requestedPath) || $requestedPath === '') {
http_response_code(400);
exit;
}
// --- 2. Resolve full filesystem path and enforce storage jail -----------------
$storageRoot = defined('STORAGE_ROOT') ? STORAGE_ROOT : '/var/www/posterg/storage';
$fullPath = $storageRoot . '/' . $requestedPath;
$realStorage = realpath($storageRoot);
$realFull = realpath($fullPath);
if (
$realFull === false
|| $realStorage === false
|| strpos($realFull, $realStorage . '/') !== 0
) {
http_response_code(404);
exit;
}
if (!is_file($realFull)) {
http_response_code(404);
exit;
}
// --- 2b. Visibility gate: check access_type_id for thesis files ---------------
// Only applies to paths under theses/ (uploaded thesis content).
// Banners and covers are always public (no sensitivity).
if (preg_match('#^theses/#', $requestedPath)) {
require_once __DIR__ . '/../src/Database.php';
try {
$mediaDb = Database::getInstance();
$accessTypeId = $mediaDb->getFileVisibility($requestedPath);
if ($accessTypeId !== null && $accessTypeId === 3) {
// 3 = Interdit — block entirely
http_response_code(403);
exit;
}
// 2 = Interne — allow (no session auth requirement for now; could add later)
} catch (\Throwable $e) {
// On DB error, fail open (don't block legitimate requests)
error_log("media.php visibility check error: " . $e->getMessage());
}
}
// --- 3. Verify MIME type from file content (not extension) --------------------
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mimeType = $finfo->file($realFull);
$allowedMimes = [
'image/jpeg',
'image/png',
'image/gif',
'application/pdf',
'video/mp4',
'application/zip',
'text/vtt', // WebVTT caption sidecar files
];
// finfo may return 'text/plain' for WebVTT files on some systems;
// re-classify by extension so we don't block them.
if ($mimeType === 'text/plain' && strtolower(pathinfo($realFull, PATHINFO_EXTENSION)) === 'vtt') {
$mimeType = 'text/vtt';
}
if (!in_array($mimeType, $allowedMimes, true)) {
http_response_code(403);
exit;
}
// --- 4. Send response headers -------------------------------------------------
header('Content-Type: ' . $mimeType);
header('Content-Length: ' . filesize($realFull));
header('X-Content-Type-Options: nosniff');
$ext = strtolower(pathinfo($realFull, PATHINFO_EXTENSION));
if (in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
// Images: cache publicly for 7 days
header('Cache-Control: public, max-age=604800');
} elseif ($ext === 'pdf') {
// PDFs: cache for 1 day, display inline
header('Cache-Control: public, max-age=86400');
header('Content-Disposition: inline');
} elseif ($ext === 'vtt') {
// WebVTT captions: serve as text/vtt, cache 1 day
header('Content-Type: text/vtt; charset=utf-8');
header('Cache-Control: public, max-age=86400');
} else {
// Everything else: no public caching
header('Cache-Control: private, no-store');
}
// --- 5. Stream file -----------------------------------------------------------
readfile($realFull);
Reference in New Issue View Git Blame Copy Permalink