1: <?php
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
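// phpThumb.php is a standalone endpoint: surface every problem loudly and rely
// on die()/ErrorImage() rather than failing silently.
// NOTE(review): display_errors=1 on a public endpoint echoes warnings (which
// include filesystem paths) straight into the HTTP response; production
// deployments should log instead.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// magic_quotes_runtime would corrupt binary image data read from disk/streams.
// On PHP >= 5.4 the directive no longer exists: ini_set() and ini_get() both
// return false, so the check below is a no-op there.
ini_set('magic_quotes_runtime', '0');
if (ini_get('magic_quotes_runtime')) {
    die('"magic_quotes_runtime" is set in php.ini, cannot run phpThumb with this enabled');
}

// date()/gmdate() warn without a configured timezone; default to UTC so the
// Last-Modified / Expires headers built later are well-formed.
if (!ini_get('date.timezone') && function_exists('date_default_timezone_set')) {
    date_default_timezone_set('UTC');
}
// Wall-clock start, used for the timing entries in the debug output.
$starttime = array_sum(explode(' ', microtime()));

// Superglobal shim for PHP < 4.1.0. Fix: the original compared PHP_VERSION with
// '<' as a plain string, which misorders multi-digit components (e.g. "10.0.0"
// sorts before "4.1.0") and would have clobbered $_SERVER/$_GET with undefined
// variables on such a version; version_compare() orders versions correctly.
if (version_compare(PHP_VERSION, '4.1.0', '<')) {
    $_SERVER = $HTTP_SERVER_VARS;
    $_GET = $HTTP_GET_VARS;
}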
30:
/**
 * Emit a Content-Disposition header when the request asks for one.
 *
 * The filename is taken, in order of precedence, from $_GET['sia'] ("save image
 * as"), $_GET['down'] (which also forces an "attachment" disposition), or a
 * generated default whose extension is $_GET['f'] (falling back to "jpg").
 * The chosen name is passed through phpthumb_functions::SanitizeFilename()
 * before it is placed in the header.
 *
 * NOTE(review): that helper (phpthumb.class.php) is the only defence against a
 * double quote or CR/LF in the client-supplied name, and array values
 * (?sia[]=x) reach it unchecked — confirm it handles both.
 *
 * @return bool false when headers were already sent (nothing emitted), true otherwise.
 */
function SendSaveAsFileHeaderIfNeeded() {
    if (headers_sent()) {
        return false;
    }
    global $phpThumb;

    if (!empty($_GET['sia'])) {
        $requestedName = $_GET['sia'];
    } elseif (!empty($_GET['down'])) {
        $requestedName = $_GET['down'];
    } else {
        $requestedName = 'phpThumb_generated_thumbnail.'.(!empty($_GET['f']) ? $_GET['f'] : 'jpg');
    }
    // "down" requests a forced download; everything else is displayed inline.
    $disposition = (!empty($_GET['down']) ? 'attachment' : 'inline');

    $downloadfilename = phpthumb_functions::SanitizeFilename($requestedName);
    if (!empty($downloadfilename)) {
        $headerValue = 'Content-Disposition: '.$disposition.'; filename="'.$downloadfilename.'"';
        $phpThumb->DebugMessage('SendSaveAsFileHeaderIfNeeded() sending header: '.$headerValue, __FILE__, __LINE__);
        header($headerValue);
    }
    return true;
}
43:
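/**
 * Serve (or account for) the cached thumbnail at $phpThumb->cache_filename.
 *
 * Three outcomes:
 *  - nooffsitelink is enabled, a Referer is present and its host is not in
 *    config_nooffsitelink_valid_domains: the cache is skipped (logged only) and
 *    the function returns so the normal render path can apply off-site handling.
 *  - phpThumbDebug is active: the headers that would have been sent are logged
 *    and the function returns.
 *  - otherwise the cached file is served and the script exit()s: a 304 when the
 *    client's If-Modified-Since equals the file mtime exactly; a Location
 *    redirect to the cache file when it lies under config_document_root and
 *    config_cache_force_passthru is off; readfile() of the bytes otherwise.
 *
 * Reads $_SERVER['HTTP_REFERER'], HTTP_IF_MODIFIED_SINCE and SERVER_PROTOCOL.
 *
 * @return bool true when the cached copy was deliberately skipped.
 */
function RedirectToCachedFile() {
    global $phpThumb;

    // Normalise to forward slashes so the prefix match below also works with Windows paths.
    $nice_cachefile = str_replace(DIRECTORY_SEPARATOR, '/', $phpThumb->cache_filename);
    $nice_docroot   = str_replace(DIRECTORY_SEPARATOR, '/', rtrim($phpThumb->config_document_root, '/\\'));
    // Fix: the docroot is interpolated into a '#'-delimited pattern, so the
    // delimiter must be passed to preg_quote(); a '#' in the path previously
    // broke the regex (preg_match() returned false and the redirect was silently skipped).
    $docroot_pattern = '#^'.preg_quote($nice_docroot, '#').'(.*)$#';

    $parsed_url = phpthumb_functions::ParseURLbetter(@$_SERVER['HTTP_REFERER']);

    $nModified = filemtime($phpThumb->cache_filename);

    if ($phpThumb->config_nooffsitelink_enabled && !empty($_SERVER['HTTP_REFERER']) && !in_array(@$parsed_url['host'], $phpThumb->config_nooffsitelink_valid_domains)) {

        // Referer is client-supplied: this is a hotlinking deterrent, not access control.
        $phpThumb->DebugMessage('Would have used cached (image/'.$phpThumb->thumbnailFormat.') file "'.$phpThumb->cache_filename.'" (Last-Modified: '.gmdate('D, d M Y H:i:s', $nModified).' GMT), but skipping because $_SERVER[HTTP_REFERER] ('.@$_SERVER['HTTP_REFERER'].') is not in $phpThumb->config_nooffsitelink_valid_domains ('.implode(';', $phpThumb->config_nooffsitelink_valid_domains).')', __FILE__, __LINE__);

    } elseif ($phpThumb->phpThumbDebug) {

        $phpThumb->DebugTimingMessage('skipped using cached image', __FILE__, __LINE__);
        $phpThumb->DebugMessage('Would have used cached file, but skipping due to phpThumbDebug', __FILE__, __LINE__);
        $phpThumb->DebugMessage('* Would have sent headers (1): Last-Modified: '.gmdate('D, d M Y H:i:s', $nModified).' GMT', __FILE__, __LINE__);
        if ($getimagesize = @getimagesize($phpThumb->cache_filename)) {
            $phpThumb->DebugMessage('* Would have sent headers (2): Content-Type: '.phpthumb_functions::ImageTypeToMIMEtype($getimagesize[2]), __FILE__, __LINE__);
        }
        if (preg_match($docroot_pattern, $nice_cachefile, $matches)) {
            $phpThumb->DebugMessage('* Would have sent headers (3): Location: '.dirname($matches[1]).'/'.urlencode(basename($matches[1])), __FILE__, __LINE__);
        } else {
            $phpThumb->DebugMessage('* Would have sent data: readfile('.$phpThumb->cache_filename.')', __FILE__, __LINE__);
        }

    } else {

        if (headers_sent()) {
            $phpThumb->ErrorImage('Headers already sent ('.basename(__FILE__).' line '.__LINE__.')');
            exit;
        }
        SendSaveAsFileHeaderIfNeeded();

        header('Pragma: private');
        header('Cache-Control: max-age='.$phpThumb->getParameter('config_cache_maxage'));
        header('Expires: '.date(DATE_RFC1123, time() + $phpThumb->getParameter('config_cache_maxage')));
        // Conditional request: only an exact mtime match yields a 304.
        if (!empty($_SERVER['HTTP_IF_MODIFIED_SINCE']) && ($nModified == strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE'])) && !empty($_SERVER['SERVER_PROTOCOL'])) {
            header('Last-Modified: '.gmdate('D, d M Y H:i:s', $nModified).' GMT');
            header($_SERVER['SERVER_PROTOCOL'].' 304 Not Modified');
            exit;
        }
        header('Last-Modified: '.gmdate('D, d M Y H:i:s', $nModified).' GMT');
        header('ETag: "'.md5_file($phpThumb->cache_filename).'"');
        // Content-Type is derived from the file's actual image signature, with a
        // fallback for .ico; any other unrecognised content is sent with no
        // Content-Type at all, so the server default applies.
        if ($getimagesize = @getimagesize($phpThumb->cache_filename)) {
            header('Content-Type: '.phpthumb_functions::ImageTypeToMIMEtype($getimagesize[2]));
        } elseif (preg_match('#\\.ico$#i', $phpThumb->cache_filename)) {
            header('Content-Type: image/x-icon');
        }
        header('Content-Length: '.filesize($phpThumb->cache_filename));
        if (empty($phpThumb->config_cache_force_passthru) && preg_match($docroot_pattern, $nice_cachefile, $matches)) {
            // Redirect the client to the cache file's docroot-relative web path.
            // NOTE(review): the Content-Length sent above describes the file, but
            // a Location response carries no body — confirm clients tolerate this.
            header('Location: '.dirname($matches[1]).'/'.urlencode(basename($matches[1])));
        } else {
            @readfile($phpThumb->cache_filename);
        }
        exit;

    }
    return true;
}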
106:
107:
108:
109:
// Load the library. Output is buffered so stray bytes emitted by the include
// (BOM, whitespace, notices) cannot corrupt the image headers sent later.
$classFile = dirname(__FILE__).'/phpthumb.class.php';
ob_start();
if (!include_once($classFile)) {
    ob_end_flush();
    die('failed to include_once("'.realpath($classFile).'")');
}
ob_end_clean();

$phpThumb = new phpThumb();
$phpThumb->DebugTimingMessage('phpThumb.php start', __FILE__, __LINE__, $starttime);
// As a standalone endpoint every error is terminal: ErrorImage() dies instead of returning.
$phpThumb->setParameter('config_error_die_on_error', true);

// Cap runtime unless the host has disabled set_time_limit().
if (!phpthumb_functions::FunctionIsDisabled('set_time_limit')) {
    set_time_limit(60);
}

// Site configuration. A missing or broken config is fatal; debugging is
// re-enabled first so ErrorImage() can show the real reason.
$configFile = dirname(__FILE__).'/phpThumb.config.php';
if (file_exists($configFile)) {
    ob_start();
    if (!include_once($configFile)) {
        ob_end_flush();
        $phpThumb->config_disable_debug = false;
        $phpThumb->ErrorImage('failed to include_once('.$configFile.') - realpath="'.realpath($configFile).'"');
    }
    ob_end_clean();
} elseif (file_exists($configFile.'.default')) {
    $phpThumb->config_disable_debug = false;
    $phpThumb->ErrorImage('Please rename "phpThumb.config.php.default" to "phpThumb.config.php"');
} else {
    $phpThumb->config_disable_debug = false;
    $phpThumb->ErrorImage('failed to include_once('.$configFile.') - realpath="'.realpath($configFile).'"');
}

// Copy $PHPTHUMB_CONFIG (populated by the config file) onto the object as config_* parameters.
if (empty($PHPTHUMB_CONFIG)) {
    $phpThumb->DebugMessage('$PHPTHUMB_CONFIG is empty', __FILE__, __LINE__);
} else {
    foreach ($PHPTHUMB_CONFIG as $key => $value) {
        $keyname = 'config_'.$key;
        $phpThumb->setParameter($keyname, $value);
        // Keep credentials out of the debug log (keys matching "password" or "mysql").
        if (!preg_match('#(password|mysql)#i', $key)) {
            $phpThumb->DebugMessage('setParameter('.$keyname.', '.$phpThumb->phpThumbDebugVarDump($value).')', __FILE__, __LINE__);
        }
    }
    // Unless the config explicitly disables debugging, every request runs at the
    // full debug level (9) or whatever level the client asks for. Debug output
    // discloses paths, configuration and timing, so production configs must set
    // disable_debug = true.
    if (!$phpThumb->config_disable_debug) {
        $requestedLevel = (!empty($_GET['phpThumbDebug']) ? max(1, intval($_GET['phpThumbDebug'])) : 9);
        $_GET['phpThumbDebug'] = $requestedLevel;
        $phpThumb->setParameter('phpThumbDebug', $requestedLevel);
    }
}
161:
// Alternative parameter syntax carried in PATH_INFO, e.g.
//   phpThumb.php/w=100;fltr[]=gray;200x150;path/to/src.jpg
// (last segment = src, the one before it may be "WxH", the rest are key=value).
// Only used when the query string is empty (or carries nothing but
// phpThumbDebug) and the config has not disabled it. Values are written into
// $_GET and go through the same parameter allowlist as ordinary query
// parameters further down this file.
if (empty($phpThumb->config_disable_pathinfo_parsing) && (empty($_GET) || isset($_GET['phpThumbDebug'])) && !empty($_SERVER['PATH_INFO'])) {
    // Strip the PATH_INFO tail so PHP_SELF points at the script itself.
    $_SERVER['PHP_SELF'] = str_replace($_SERVER['PATH_INFO'], '', @$_SERVER['PHP_SELF']);

    $pathArgs     = explode(';', substr($_SERVER['PATH_INFO'], 1));
    $pathArgCount = count($pathArgs);
    $phpThumb->DebugMessage('PATH_INFO.$args set to ('.implode(')(', $pathArgs).')', __FILE__, __LINE__);

    // Last segment: the source, or "new=<hexcolor>" for a blank canvas.
    if (!empty($pathArgs)) {
        $_GET['src'] = @$pathArgs[$pathArgCount - 1];
        $phpThumb->DebugMessage('PATH_INFO."src" = "'.$_GET['src'].'"', __FILE__, __LINE__);
        if (preg_match('#^new\=([a-z0-9]+)#i', $_GET['src'], $matches)) {
            unset($_GET['src']);
            $_GET['new'] = $matches[1];
        }
    }
    // Second-to-last segment: optional "WxH", "W" or "xH".
    if (preg_match('#^([0-9]*)x?([0-9]*)$#i', @$pathArgs[$pathArgCount - 2], $matches)) {
        $_GET['w'] = $matches[1];
        $_GET['h'] = $matches[2];
        $phpThumb->DebugMessage('PATH_INFO."w"x"h" set to "'.$_GET['w'].'"x"'.$_GET['h'].'"', __FILE__, __LINE__);
    }
    // Remaining segments: key=value pairs; a "key[]" suffix appends to an array.
    for ($i = 0; $i < $pathArgCount - 2; $i++) {
        @list($key, $value) = explode('=', @$pathArgs[$i]);
        if (substr($key, -2) == '[]') {
            $array_key_name = substr($key, 0, -2);
            $_GET[$array_key_name][] = $value;
            $phpThumb->DebugMessage('PATH_INFO."'.$array_key_name.'[]" = "'.$value.'"', __FILE__, __LINE__);
        } else {
            $_GET[$key] = $value;
            $phpThumb->DebugMessage('PATH_INFO."'.$key.'" = "'.$value.'"', __FILE__, __LINE__);
        }
    }
}
192:
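// "High security" mode: every request must carry
//   hash = md5(<query string without its hash component> . <shared secret>).
// The signed material is $_SERVER['QUERY_STRING'] only; parameters injected
// from PATH_INFO (parsed above) are not covered — NOTE(review): confirm that
// deployments using this mode also set config_disable_pathinfo_parsing.
// The scheme is a suffixed MD5 rather than an HMAC; changing it would
// invalidate every existing signed URL, so it is kept and only the comparison
// is tightened below.
if (!empty($phpThumb->config_high_security_enabled)) {
    if (empty($_GET['hash'])) {
        $phpThumb->config_disable_debug = false;
        $phpThumb->ErrorImage('ERROR: missing hash');
    } elseif (phpthumb_functions::PasswordStrength($phpThumb->config_high_security_password) < 20) {
        $phpThumb->config_disable_debug = false;
        $phpThumb->ErrorImage('ERROR: $PHPTHUMB_CONFIG[high_security_password] is not complex enough');
    } else {
        // A non-string hash (?hash[]=...) can never be valid.
        $suppliedHash  = (is_string($_GET['hash']) ? $_GET['hash'] : '');
        $unsignedQuery = str_replace($phpThumb->config_high_security_url_separator.'hash='.$suppliedHash, '', $_SERVER['QUERY_STRING']);
        $expectedHash  = md5($unsignedQuery.$phpThumb->config_high_security_password);
        // Fix: the original compared with "!=", under which two digit-only
        // "0e..." hashes compare equal as numeric strings, and which leaks
        // timing. Compare as strings, in constant time where hash_equals() exists.
        if (function_exists('hash_equals')) {
            $hashIsValid = hash_equals($expectedHash, $suppliedHash);
        } else {
            $hashIsValid = ($expectedHash === $suppliedHash);
        }
        if (!$hashIsValid) {
            header('HTTP/1.0 403 Forbidden');
            // NOTE(review): a 10 s sleep per rejected request pins a worker and is
            // itself a cheap denial-of-service lever; rate limiting would be safer.
            sleep(10);
            $phpThumb->ErrorImage('ERROR: invalid hash');
        }
    }
}

$phpThumb->DebugTimingMessage('phpThumbDebug[0]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '0')) {
    $phpThumb->phpThumbDebug();
}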
213:
214:
215:
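// magic_quotes_gpc (removed in PHP 5.4; the function itself removed in 8.0)
// would have backslash-escaped request values; undo that for the parameters
// that carry paths/filenames. Fix: guard with function_exists() so this is not
// a fatal "undefined function" on PHP 8, where there is nothing to undo.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $RequestVarsToStripSlashes = array('src', 'wmf', 'down');
    foreach ($RequestVarsToStripSlashes as $key) {
        if (isset($_GET[$key])) {
            if (is_string($_GET[$key])) {
                $_GET[$key] = stripslashes($_GET[$key]);
            } else {
                // Arrays are meaningless for these keys; drop rather than recurse.
                unset($_GET[$key]);
            }
        }
    }
}

// Nothing to do without parameters from either the query string or PATH_INFO.
if (empty($_SERVER['PATH_INFO']) && empty($_SERVER['QUERY_STRING'])) {
    $phpThumb->config_disable_debug = false;
    $phpThumb->ErrorImage('ERROR: no parameters specified');
}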
234:
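// "md5s" helper: with an empty md5s= parameter, answer only with the MD5 of
// the source and stop.
if (!empty($_GET['src']) && isset($_GET['md5s']) && empty($_GET['md5s'])) {
    $md5s = '';
    if (preg_match('#^([a-z0-9]+)://#i', $_GET['src'], $protocol_matches)) {
        if (preg_match('#^(f|ht)tps?://#i', $_GET['src'])) {
            // Fetches and hashes any FTP/HTTP(S) URL. This runs before the
            // nohotlink / nooffsitelink checks further down this file, so those
            // host restrictions do not apply here: the server will reach out to
            // whatever host it is given and reveal whether the fetch succeeded.
            if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
                $md5s = md5($rawImageData);
            }
        } else {
            $phpThumb->ErrorImage('only FTP and HTTP/HTTPS protocols are allowed, "'.$protocol_matches[1].'" is not');
        }
    } else {
        // NOTE(review): returns the MD5 of any readable file that
        // ResolveFilenameToAbsolute() (phpthumb.class.php) resolves — confirm
        // that helper confines paths to the document root.
        $SourceFilename = $phpThumb->ResolveFilenameToAbsolute($_GET['src']);
        if (is_readable($SourceFilename)) {
            $md5s = phpthumb_functions::md5_file_safe($SourceFilename);
        } else {
            $phpThumb->ErrorImage('ERROR: "'.$SourceFilename.'" cannot be read');
        }
    }
    // With a Referer the value is rendered via ErrorImage(); otherwise plain text.
    if (!empty($_SERVER['HTTP_REFERER'])) {
        $phpThumb->ErrorImage('&md5s='.$md5s);
    } else {
        die('&md5s='.$md5s);
    }
}

// Refuse a source URL that points back at this very host: a local path is
// cheaper and avoids the self-request. Fix: HTTP_HOST is client-controlled and
// was interpolated into the pattern unescaped, so a Host header containing
// regex metacharacters (or the '#' delimiter) could widen the match or make
// preg_match() fail and skip the check; preg_quote() makes it a literal match.
if (!empty($_GET['src']) && empty($phpThumb->config_allow_local_http_src) && preg_match('#^http://'.preg_quote((string) @$_SERVER['HTTP_HOST'], '#').'(.+)#i', $_GET['src'], $matches)) {
    $phpThumb->ErrorImage('It is MUCH better to specify the "src" parameter as "'.$matches[1].'" instead of "'.$matches[0].'".'."\n\n".'If you really must do it this way, enable "allow_local_http_src" in phpThumb.config.php');
}

$phpThumb->DebugTimingMessage('phpThumbDebug[1]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '1')) {
    $phpThumb->phpThumbDebug();
}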
270:
271:
// Referer-based gate (a deterrent only: the Referer header is client-supplied
// and can be omitted or forged).
$parsed_url_referer = phpthumb_functions::ParseURLbetter(@$_SERVER['HTTP_REFERER']);
$refererHost = @$parsed_url_referer['host'];
if ($phpThumb->config_nooffsitelink_require_refer && !in_array($refererHost, $phpThumb->config_nohotlink_valid_domains)) {
    // NOTE(review): this compares the referer against config_nohotlink_valid_domains,
    // whereas RedirectToCachedFile() in this file checks the same referer against
    // config_nooffsitelink_valid_domains — confirm which list "require_refer" is meant to use.
    $phpThumb->ErrorImage('config_nooffsitelink_require_refer enabled and '.($refererHost ? '"'.$refererHost.'" is not an allowed referer' : 'no HTTP_REFERER exists'));
}

// Remote-source hotlink protection: when enabled together with erase_image,
// refuse FTP/HTTP(S) sources whose host is not allow-listed. This is the only
// host-level restriction this file applies to remote "src" URLs, so with it off
// the script will fetch (or redirect to) any URL it is given.
$parsed_url_src = phpthumb_functions::ParseURLbetter(@$_GET['src']);
if ($phpThumb->config_nohotlink_enabled && $phpThumb->config_nohotlink_erase_image && preg_match('#^(f|ht)tps?://#i', @$_GET['src']) && !in_array(@$parsed_url_src['host'], $phpThumb->config_nohotlink_valid_domains)) {
    $phpThumb->ErrorImage($phpThumb->config_nohotlink_text_message);
}
280:
// Optional database-backed source: run the configured query and use the first
// column of the first row as raw image data. The SQL text comes verbatim from
// the config (config_mysql_query) and is executed as-is; no parameter binding
// happens here. $_GET['id'] is unset afterwards, which suggests the config file
// is expected to have consumed it when building the query — NOTE(review): any
// escaping of request values into that SQL must therefore happen in
// phpThumb.config.php; confirm it does, because this file cannot.
// Driver error text is rendered to the client via ErrorImage() (see below),
// which exposes host/schema details; consider logging instead.
if ($phpThumb->config_mysql_query) {
    if ($phpThumb->config_mysql_extension == 'mysqli') {

        // Probe for the extension instead of letting the constructor fatal.
        $found_missing_function = false;
        foreach (array('mysqli_connect') as $required_mysqli_function) {
            if (!function_exists($required_mysqli_function)) {
                $found_missing_function = $required_mysqli_function;
                break;
            }
        }
        if ($found_missing_function) {
            $phpThumb->ErrorImage('SQL function unavailable: '.$found_missing_function);
        } else {
            // Credentials come from the config (config_mysql_*).
            $mysqli = new mysqli($phpThumb->config_mysql_hostname, $phpThumb->config_mysql_username, $phpThumb->config_mysql_password, $phpThumb->config_mysql_database);
            if ($mysqli->connect_error) {
                $phpThumb->ErrorImage('MySQLi connect error ('.$mysqli->connect_errno.') '.$mysqli->connect_error);
            } else {
                if ($result = $mysqli->query($phpThumb->config_mysql_query)) {
                    if ($row = $result->fetch_array()) {

                        // First column of the first row is the image bytes.
                        $result->free();
                        $mysqli->close();
                        $phpThumb->setSourceData($row[0]);
                        unset($row);

                    } else {
                        $result->free();
                        $mysqli->close();
                        $phpThumb->ErrorImage('no matching data in database.');
                    }
                } else {
                    $mysqli->close();
                    $phpThumb->ErrorImage('Error in MySQL query: "'.$mysqli->error.'"');
                }
            }
            // "id" has served its purpose; remove it so the parameter allowlist below does not see it.
            unset($_GET['id']);
        }

    } elseif ($phpThumb->config_mysql_extension == 'mysql') {

        // Legacy mysql_* extension (removed in PHP 7). Reachable only via config
        // and guarded by function_exists(), so it degrades to an error image
        // rather than a fatal on modern PHP.
        $found_missing_function = false;

        foreach (array('mysql_connect') as $required_mysql_function) {
            if (!function_exists($required_mysql_function)) {
                $found_missing_function = $required_mysql_function;
                break;
            }
        }
        if ($found_missing_function) {
            $phpThumb->ErrorImage('SQL function unavailable: '.$found_missing_function);
        } else {
            if ($cid = @mysql_connect($phpThumb->config_mysql_hostname, $phpThumb->config_mysql_username, $phpThumb->config_mysql_password)) {
                if (@mysql_select_db($phpThumb->config_mysql_database, $cid)) {
                    if ($result = @mysql_query($phpThumb->config_mysql_query, $cid)) {
                        if ($row = @mysql_fetch_array($result)) {

                            // First column of the first row is the image bytes.
                            mysql_free_result($result);
                            mysql_close($cid);
                            $phpThumb->setSourceData($row[0]);
                            unset($row);

                        } else {
                            mysql_free_result($result);
                            mysql_close($cid);
                            $phpThumb->ErrorImage('no matching data in database.');
                        }
                    } else {
                        mysql_close($cid);
                        $phpThumb->ErrorImage('Error in MySQL query: "'.mysql_error($cid).'"');
                    }
                } else {
                    mysql_close($cid);
                    $phpThumb->ErrorImage('cannot select MySQL database: "'.mysql_error($cid).'"');
                }
            } else {
                $phpThumb->ErrorImage('cannot connect to MySQL server');
            }
            // "id" has served its purpose; remove it so the parameter allowlist below does not see it.
            unset($_GET['id']);
        }

    } else {
        $phpThumb->ErrorImage('config_mysql_extension not supported');
    }
}



$phpThumb->DebugTimingMessage('phpThumbDebug[2]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '2')) {
    $phpThumb->phpThumbDebug();
}
372:
373:
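// A '*' in config_cache_default_only_suffix means "serve defaults only": every
// request parameter except src is ignored.
$PHPTHUMB_DEFAULTS_DISABLEGETPARAMS = (bool) ($phpThumb->config_cache_default_only_suffix && (strpos($phpThumb->config_cache_default_only_suffix, '*') !== false));

// Request-parameter allowlist: anything not listed is a hard error.
$allowedGETparameters = array('src', 'new', 'w', 'h', 'wp', 'hp', 'wl', 'hl', 'ws', 'hs', 'f', 'q', 'sx', 'sy', 'sw', 'sh', 'zc', 'bc', 'bg', 'bgt', 'fltr', 'xto', 'ra', 'ar', 'aoe', 'far', 'iar', 'maxb', 'down', 'phpThumbDebug', 'hash', 'md5s', 'sfn', 'dpi', 'sia', 'nocache');
foreach ($_GET as $key => $value) {
    // PHP turns numeric query keys (?0=...) into integers. Fix: compare as strings
    // and strictly — the original loose in_array()/"!=" let the integer key 0
    // satisfy 'src' (0 == 'src' is true before PHP 8) and pass the allowlist.
    $keyName = (string) $key;
    if (!empty($PHPTHUMB_DEFAULTS_DISABLEGETPARAMS) && ($keyName !== 'src')) {
        $phpThumb->DebugMessage('ignoring $_GET['.$keyName.'] because of $PHPTHUMB_DEFAULTS_DISABLEGETPARAMS', __FILE__, __LINE__);
    } elseif (in_array($keyName, $allowedGETparameters, true)) {
        $phpThumb->DebugMessage('setParameter('.$keyName.', '.$phpThumb->phpThumbDebugVarDump($value).')', __FILE__, __LINE__);
        $phpThumb->setParameter($keyName, $value);
    } else {
        $phpThumb->ErrorImage('Forbidden parameter: '.$keyName);
    }
}

// Site-wide defaults from the config. They are applied over the request values
// unless $PHPTHUMB_DEFAULTS_GETSTRINGOVERRIDE is set, in which case an
// explicitly supplied request parameter wins.
if (!empty($PHPTHUMB_DEFAULTS) && is_array($PHPTHUMB_DEFAULTS)) {
    $phpThumb->DebugMessage('setting $PHPTHUMB_DEFAULTS['.implode(';', array_keys($PHPTHUMB_DEFAULTS)).']', __FILE__, __LINE__);
    foreach ($PHPTHUMB_DEFAULTS as $key => $value) {
        // empty() rather than a bare read: the override flag may be undefined in the config.
        if (empty($PHPTHUMB_DEFAULTS_GETSTRINGOVERRIDE) || !isset($_GET[$key])) {
            $phpThumb->setParameter($key, $value);
            $phpThumb->DebugMessage('setParameter('.$key.', '.$phpThumb->phpThumbDebugVarDump($value).') from $PHPTHUMB_DEFAULTS', __FILE__, __LINE__);
        }
    }
}



$phpThumb->DebugTimingMessage('phpThumbDebug[3]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '3')) {
    $phpThumb->phpThumbDebug();
}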
408:
409:
410:
411:
412:
413:
414:
415:
416:
417:
418:
419:
420:
421:
422:
// Decide whether the source may be handed to the client untouched (no GD work):
// in-memory data, a plain http:// URL to a jpg/gif/png (answered with a
// redirect), or a readable local regular file. Any request parameter other than
// src/phpThumbDebug disables it, as do w/h when the source is a remote URL
// (w/h on a local file are checked against the real dimensions later).
$CanPassThroughDirectly = true;
$UnAllowedGET = array();
$srcIsPlainRemoteImage = preg_match('#^http\://[^\\?&]+\\.(jpe?g|gif|png)$#i', $phpThumb->src);

if ($phpThumb->rawImageData || $srcIsPlainRemoteImage) {
    // eligible as-is
} elseif (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {
    $phpThumb->DebugMessage('$CanPassThroughDirectly=false because preg_match("#^(f|ht)tp\://#i", '.$phpThumb->src.')', __FILE__, __LINE__);
    $CanPassThroughDirectly = false;
} elseif (!@is_readable($phpThumb->sourceFilename)) {
    $phpThumb->DebugMessage('$CanPassThroughDirectly=false because !@is_readable('.$phpThumb->sourceFilename.')', __FILE__, __LINE__);
    $CanPassThroughDirectly = false;
} elseif (!@is_file($phpThumb->sourceFilename)) {
    $phpThumb->DebugMessage('$CanPassThroughDirectly=false because !@is_file('.$phpThumb->sourceFilename.')', __FILE__, __LINE__);
    $CanPassThroughDirectly = false;
}

foreach ($_GET as $key => $value) {
    if (($key == 'src') || ($key == 'phpThumbDebug')) {
        continue;
    }
    if (($key == 'w') || ($key == 'h')) {
        // A remote image cannot be resized by redirecting to it.
        if ($srcIsPlainRemoteImage) {
            $CanPassThroughDirectly = false;
        }
        continue;
    }
    // Anything else requires processing.
    $CanPassThroughDirectly = false;
    $UnAllowedGET[] = $key;
}
if (!empty($UnAllowedGET)) {
    $phpThumb->DebugMessage('$CanPassThroughDirectly=false because $_GET['.implode(';', array_unique($UnAllowedGET)).'] are set', __FILE__, __LINE__);
}



$phpThumb->DebugTimingMessage('phpThumbDebug[4]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '4')) {
    $phpThumb->phpThumbDebug();
}
475:
476:
// Direct passthrough: serve the source bytes without touching GD when nothing
// about the request requires processing. The while(...) is used as a breakable
// block — every path either exit()s after sending the response or breaks out to
// continue with normal thumbnail generation below.
$phpThumb->DebugMessage('$CanPassThroughDirectly="'.intval($CanPassThroughDirectly).'" && $phpThumb->src="'.$phpThumb->src.'"', __FILE__, __LINE__);
while ($CanPassThroughDirectly && $phpThumb->src) {

    // A plain http:// URL ending in .jpg/.jpeg/.gif/.png is answered with a 302
    // to that URL. The host is not validated here; the only upstream filter is
    // the nohotlink check earlier in this file, which applies only when both
    // config_nohotlink_enabled and config_nohotlink_erase_image are set. With
    // those off this is an open redirect to any such URL.
    if (preg_match('#^http\://[^\\?&]+\.(jpe?g|gif|png)$#i', $phpThumb->src)) {
        $phpThumb->DebugMessage('Passing HTTP source through directly as Location: redirect ('.$phpThumb->src.')', __FILE__, __LINE__);
        header('Location: '.$phpThumb->src);
        exit;
    }

    // Local file. NOTE(review): the only path confinement is whatever
    // ResolveFilenameToAbsolute() (phpthumb.class.php) enforces — confirm it
    // keeps the result inside the configured document root.
    $SourceFilename = $phpThumb->ResolveFilenameToAbsolute($phpThumb->src);

    // getimagesize() must recognise the file, and the requested size (if any)
    // must not require resizing.
    if ($phpThumb->getimagesizeinfo = @getimagesize($SourceFilename)) {
        $phpThumb->DebugMessage('Direct passthru getimagesize() returned [w='.$phpThumb->getimagesizeinfo[0].';h='.$phpThumb->getimagesizeinfo[1].';t='.$phpThumb->getimagesizeinfo[2].']', __FILE__, __LINE__);

        // No size parameter at all (a value of 0 counts as absent here).
        if (!@$_GET['w'] && !@$_GET['wp'] && !@$_GET['wl'] && !@$_GET['ws'] && !@$_GET['h'] && !@$_GET['hp'] && !@$_GET['hl'] && !@$_GET['hs']) {

            $phpThumb->DebugMessage('Passing "'.$SourceFilename.'" through directly, no resizing required ("'.$phpThumb->getimagesizeinfo[0].'"x"'.$phpThumb->getimagesizeinfo[1].'")', __FILE__, __LINE__);
        // Source already fits the requested box and matches it on at least one side.
        } elseif (($phpThumb->getimagesizeinfo[0] <= @$_GET['w']) && ($phpThumb->getimagesizeinfo[1] <= @$_GET['h']) && ((@$_GET['w'] == $phpThumb->getimagesizeinfo[0]) || (@$_GET['h'] == $phpThumb->getimagesizeinfo[1]))) {

            $phpThumb->DebugMessage('Passing "'.$SourceFilename.'" through directly, no resizing required ("'.$phpThumb->getimagesizeinfo[0].'"x"'.$phpThumb->getimagesizeinfo[1].'" fits inside "'.@$_GET['w'].'"x"'.@$_GET['h'].'")', __FILE__, __LINE__);
        } else {
            $phpThumb->DebugMessage('Not passing "'.$SourceFilename.'" through directly because resizing required (from "'.$phpThumb->getimagesizeinfo[0].'"x"'.$phpThumb->getimagesizeinfo[1].'" to "'.@$_GET['w'].'"x"'.@$_GET['h'].'")', __FILE__, __LINE__);
            break;
        }
        // 1, 2, 3 are the getimagesize() type codes for GIF, JPEG and PNG (see
        // $ImageCreateFunctions below); everything else goes through GD.
        switch ($phpThumb->getimagesizeinfo[2]) {
            case 1:
            case 2:
            case 3:

                break;
            default:

                $phpThumb->DebugMessage('Not passing "'.$SourceFilename.'" through directly because $phpThumb->getimagesizeinfo[2] = "'.$phpThumb->getimagesizeinfo[2].'"', __FILE__, __LINE__);
                break 2;
        }

        // Unless config_disable_onlycreateable_passthru is set, the file must also
        // decode with GD; the decode result is used only as a validity check.
        // NOTE(review): with that option set, a file that merely has a
        // recognisable image header is served raw with an image Content-Type —
        // confirm that is acceptable for the source tree being served.
        $ImageCreateFunctions = array(1=>'imagecreatefromgif', 2=>'imagecreatefromjpeg', 3=>'imagecreatefrompng');
        $theImageCreateFunction = @$ImageCreateFunctions[$phpThumb->getimagesizeinfo[2]];
        $dummyImage = false;
        if ($phpThumb->config_disable_onlycreateable_passthru || (function_exists($theImageCreateFunction) && ($dummyImage = @$theImageCreateFunction($SourceFilename)))) {

            // Release the probe image (on PHP 8 GD returns objects, not resources,
            // so this is skipped and the object is freed at end of scope instead).
            if (@is_resource($dummyImage)) {
                unset($dummyImage);
            }

            if (headers_sent()) {
                $phpThumb->ErrorImage('Headers already sent ('.basename(__FILE__).' line '.__LINE__.')');
                exit;
            }
            if (!empty($_GET['phpThumbDebug'])) {
                $phpThumb->DebugTimingMessage('skipped direct $SourceFilename passthru', __FILE__, __LINE__);
                $phpThumb->DebugMessage('Would have passed "'.$SourceFilename.'" through directly, but skipping due to phpThumbDebug', __FILE__, __LINE__);
                break;
            }

            // Content-Type is derived from getimagesize(), not from the file extension.
            SendSaveAsFileHeaderIfNeeded();
            header('Last-Modified: '.gmdate('D, d M Y H:i:s', @filemtime($SourceFilename)).' GMT');
            if ($contentType = phpthumb_functions::ImageTypeToMIMEtype(@$phpThumb->getimagesizeinfo[2])) {
                header('Content-Type: '.$contentType);
            }
            @readfile($SourceFilename);
            exit;

        } else {
            $phpThumb->DebugMessage('Not passing "'.$SourceFilename.'" through directly because ($phpThumb->config_disable_onlycreateable_passthru = "'.$phpThumb->config_disable_onlycreateable_passthru.'") and '.$theImageCreateFunction.'() failed', __FILE__, __LINE__);
            break;
        }

    } else {
        $phpThumb->DebugMessage('Not passing "'.$SourceFilename.'" through directly because getimagesize() failed', __FILE__, __LINE__);
        break;
    }
    break;
}



$phpThumb->DebugTimingMessage('phpThumbDebug[5]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '5')) {
    $phpThumb->phpThumbDebug();
}
561:
562:
563:
// If an identical request has already been rendered, serve it from the cache.
// RedirectToCachedFile() exit()s after sending it and only returns when the
// cached copy is deliberately skipped (debug mode or an off-site referer).
$phpThumb->SetCacheFilename();
if (!@is_readable($phpThumb->cache_filename)) {
    $phpThumb->DebugMessage('Cached file "'.$phpThumb->cache_filename.'" does not exist, processing as normal', __FILE__, __LINE__);
} else {
    RedirectToCachedFile();
}



$phpThumb->DebugTimingMessage('phpThumbDebug[6]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '6')) {
    $phpThumb->phpThumbDebug();
}
577:
578:
// Acquire the source image data: already loaded (database branch above), a
// blank canvas ("new"), or a remote URL fetched over FTP/HTTP(S). A plain local
// path needs nothing here; GenerateThumbnail() reads it itself.
if ($phpThumb->rawImageData) {
    // nothing to do

} elseif (!empty($_GET['new'])) {
    // "new=RRGGBB|opacity" creates a solid canvas of the requested w x h.
    if (($phpThumb->w <= 0) || ($phpThumb->h <= 0)) {
        $phpThumb->ErrorImage('"w" and "h" parameters required for "new"');
    }
    $newParts   = explode('|', $_GET['new']);
    $bghexcolor = $newParts[0];
    $opacity    = (isset($newParts[1]) ? $newParts[1] : '');
    if (!phpthumb_functions::IsHexColor($bghexcolor)) {
        $phpThumb->ErrorImage('BGcolor parameter for "new" is not valid');
    }
    if (!strlen($opacity)) {
        $opacity = 100;
    }
    if ($phpThumb->gdimg_source = phpthumb_functions::ImageCreateFunction($phpThumb->w, $phpThumb->h)) {
        // Opacity 0..100 is clamped and mapped onto GD's 0..127 alpha scale.
        $alpha = (100 - min(100, max(0, $opacity))) * 1.27;
        if ($alpha) {
            $phpThumb->setParameter('is_alpha', true);
            imagealphablending($phpThumb->gdimg_source, false);
            imagesavealpha($phpThumb->gdimg_source, true);
        }
        $new_background_color = phpthumb_functions::ImageHexColorAllocate($phpThumb->gdimg_source, $bghexcolor, false, $alpha);
        imagefilledrectangle($phpThumb->gdimg_source, 0, 0, $phpThumb->w, $phpThumb->h, $new_background_color);
    } else {
        $phpThumb->ErrorImage('failed to create "new" image ('.$phpThumb->w.'x'.$phpThumb->h.')');
    }

} elseif (!$phpThumb->src) {
    $phpThumb->ErrorImage('Usage: '.$_SERVER['PHP_SELF'].'?src=/path/and/filename.jpg'."\n".'read Usage comments for details');

} elseif (preg_match('#^([a-z0-9]+)://#i', $_GET['src'], $protocol_matches)) {
    // Remote source. Only the scheme is restricted here; the host is checked
    // solely by the nohotlink block earlier in this file, and only when that
    // feature is enabled — otherwise the server fetches any URL it is given.
    if (!preg_match('#^(f|ht)tps?://#i', $_GET['src'])) {
        $phpThumb->ErrorImage('only FTP and HTTP/HTTPS protocols are allowed, "'.$protocol_matches[1].'" is not');
    } else {
        $phpThumb->DebugMessage('$phpThumb->src ('.$phpThumb->src.') is remote image, attempting to download', __FILE__, __LINE__);
        if ($phpThumb->config_http_user_agent) {
            $phpThumb->DebugMessage('Setting "user_agent" to "'.$phpThumb->config_http_user_agent.'"', __FILE__, __LINE__);
            ini_set('user_agent', $phpThumb->config_http_user_agent);
        }
        $cleanedupurl = phpthumb_functions::CleanUpURLencoding($phpThumb->src);
        $phpThumb->DebugMessage('CleanUpURLencoding('.$phpThumb->src.') returned "'.$cleanedupurl.'"', __FILE__, __LINE__);
        $phpThumb->src = $cleanedupurl;
        unset($cleanedupurl);
        $rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect);
        if (!$rawImageData) {
            $phpThumb->ErrorImage($error);
        } else {
            $phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.') succeeded'.($error ? ' with messsages: "'.$error.'"' : ''), __FILE__, __LINE__);
            $phpThumb->DebugMessage('Setting source data from URL "'.$phpThumb->src.'"', __FILE__, __LINE__);
            $phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
        }
    }
}



$phpThumb->DebugTimingMessage('phpThumbDebug[7]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '7')) {
    $phpThumb->phpThumbDebug();
}

// Render the thumbnail in memory.
$phpThumb->GenerateThumbnail();

$phpThumb->DebugTimingMessage('phpThumbDebug[8]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '8')) {
    $phpThumb->phpThumbDebug();
}
652:
653:
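// Persist the rendered thumbnail to the cache and serve it from there. With
// high_security enabled, a signed URL may carry "nocache" to skip caching.
if (!empty($phpThumb->config_high_security_enabled) && !empty($_GET['nocache'])) {
    // intentionally not cached
} else {
    $cacheDir = dirname($phpThumb->cache_filename);
    phpthumb_functions::EnsureDirectoryExists($cacheDir);
    if (is_writable($cacheDir) || (file_exists($phpThumb->cache_filename) && is_writable($phpThumb->cache_filename))) {
        $phpThumb->CleanUpCacheDirectory();
        if ($phpThumb->RenderToFile($phpThumb->cache_filename) && is_readable($phpThumb->cache_filename)) {
            // World-readable so the web server can serve it via the Location redirect.
            chmod($phpThumb->cache_filename, 0644);
            // exit()s unless debugging or an off-site referer makes it fall through.
            RedirectToCachedFile();
        } else {
            $phpThumb->DebugMessage('Failed: RenderToFile('.$phpThumb->cache_filename.')', __FILE__, __LINE__);
        }
    } else {
        $phpThumb->DebugMessage('Cannot write to $phpThumb->cache_filename ('.$phpThumb->cache_filename.') because that directory ('.$cacheDir.') is not writable', __FILE__, __LINE__);
    }
}



$phpThumb->DebugTimingMessage('phpThumbDebug[9]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '9')) {
    $phpThumb->phpThumbDebug();
}

// Fallback: stream the thumbnail straight from memory (cache disabled,
// unwritable, or deliberately skipped above).
if (!$phpThumb->OutputThumbnail()) {
    // Report the most recent debug message as the reason. Fix: the original
    // indexed debugmessages[count - 1], which is an undefined offset (-1) when
    // no message has been recorded.
    $lastDebugMessage = '';
    if (!empty($phpThumb->debugmessages) && is_array($phpThumb->debugmessages)) {
        $lastDebugMessage = end($phpThumb->debugmessages);
    }
    $phpThumb->ErrorImage('Error in OutputThumbnail():'."\n".$lastDebugMessage);
}



$phpThumb->DebugTimingMessage('phpThumbDebug[10]', __FILE__, __LINE__);
if (isset($_GET['phpThumbDebug']) && ($_GET['phpThumbDebug'] == '10')) {
    $phpThumb->phpThumbDebug();
}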
697:
698: