File Content: class-wc-product-download.php <?php /** * Represents a file which can be downloaded. * * @package WooCommerce\Classes * @version 3.0.0 * @since 3.0.0 */ use Automattic\Jetpack\Constants; use Automattic\WooCommerce\Internal\ProductDownloads\ApprovedDirectories\Register as Download_Directories; use Automattic\WooCommerce\Internal\Utilities\URL; defined( 'ABSPATH' ) || exit; /** * Product download class. */ class WC_Product_Download implements ArrayAccess { /** * Data array. * * @since 3.0.0 * @var array */ protected $data = array( 'id' => '', 'name' => '', 'file' => '', 'enabled' => true, ); /** * Returns all data for this object. * * @return array */ public function get_data() { return $this->data; } /** * Get allowed mime types. * * @return array */ public function get_allowed_mime_types() { return apply_filters( 'woocommerce_downloadable_file_allowed_mime_types', get_allowed_mime_types() ); } /** * Get type of file path set. * * @param string $file_path optional. * @return string absolute, relative, or shortcode. */ public function get_type_of_file_path( $file_path = '' ) { $file_path = $file_path ? $file_path : $this->get_file(); $parsed_url = wp_parse_url( $file_path ); if ( $parsed_url && isset( $parsed_url['host'] ) && // Absolute url means that it has a host. ( // Theoretically we could permit any scheme (like ftp as well), but that has not been the case before. So we allow none or http(s). ! isset( $parsed_url['scheme'] ) || in_array( $parsed_url['scheme'], array( 'http', 'https' ), true ) ) ) { return 'absolute'; } elseif ( '[' === substr( $file_path, 0, 1 ) && ']' === substr( $file_path, -1 ) ) { return 'shortcode'; } else { return 'relative'; } } /** * Get file type. * * @return string */ public function get_file_type() { $type = wp_check_filetype( strtok( $this->get_file(), '?' ), $this->get_allowed_mime_types() ); return $type['type']; } /** * Get file extension. * * @return string */ public function get_file_extension() { $parsed_url = wp_parse_url( $this->get_file(), PHP_URL_PATH ); return pathinfo( $parsed_url, PATHINFO_EXTENSION ); } /** * Confirms that the download is of an allowed filetype, that it exists and that it is * contained within an approved directory. Used before adding to a product's list of * downloads. * * @internal * @throws Exception If the download is determined to be invalid. * * @param bool $auto_add_to_approved_directory_list If the download is not already in the approved directory list, automatically add it if possible. */ public function check_is_valid( bool $auto_add_to_approved_directory_list = true ) { $download_file = $this->get_file(); if ( ! $this->data['enabled'] ) { throw new Exception( sprintf( /* translators: %s: Downloadable file. */ __( 'The downloadable file %s cannot be used as it has been disabled.', 'woocommerce' ), '<code>' . basename( $download_file ) . '</code>' ) ); } if ( ! $this->is_allowed_filetype() ) { throw new Exception( sprintf( /* translators: 1: Downloadable file, 2: List of allowed filetypes. */ __( 'The downloadable file %1$s cannot be used as it does not have an allowed file type. Allowed types include: %2$s', 'woocommerce' ), '<code>' . basename( $download_file ) . '</code>', '<code>' . implode( ', ', array_keys( $this->get_allowed_mime_types() ) ) . '</code>' ) ); } // Validate the file exists. if ( ! $this->file_exists() ) { $this->raise_invalid_file_exception( $download_file ); } $this->approved_directory_checks( $auto_add_to_approved_directory_list ); } /** * Check if file is allowed. * * @return boolean */ public function is_allowed_filetype() { $file_path = $this->get_file(); // File types for URL-based files located on the server should get validated. $parsed_file_path = WC_Download_Handler::parse_file_path( $file_path ); $is_file_on_server = ! $parsed_file_path['remote_file']; $file_path_type = $this->get_type_of_file_path( $file_path ); // Shortcodes are allowed, validations should be done by the shortcode provider in this case. if ( 'shortcode' === $file_path_type ) { return true; } // Remote paths are allowed. if ( ! $is_file_on_server && 'relative' !== $file_path_type ) { return true; } // On windows system, local files ending with `.` are not allowed. // @link https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file?redirectedfrom=MSDN#naming-conventions. if ( $is_file_on_server && ! $this->get_file_extension() && 'WIN' === strtoupper( substr( Constants::get_constant( 'PHP_OS' ), 0, 3 ) ) ) { if ( '.' === substr( $file_path, -1 ) ) { return false; } } return ! $this->get_file_extension() || in_array( $this->get_file_type(), $this->get_allowed_mime_types(), true ); } /** * Validate file exists. * * @return boolean */ public function file_exists() { if ( 'relative' !== $this->get_type_of_file_path() ) { return true; } $file_url = $this->get_file(); if ( '..' === substr( $file_url, 0, 2 ) || '/' !== substr( $file_url, 0, 1 ) ) { $file_url = realpath( ABSPATH . $file_url ); } elseif ( substr( WP_CONTENT_DIR, strlen( untrailingslashit( ABSPATH ) ) ) === substr( $file_url, 0, strlen( substr( WP_CONTENT_DIR, strlen( untrailingslashit( ABSPATH ) ) ) ) ) ) { $file_url = realpath( WP_CONTENT_DIR . substr( $file_url, 11 ) ); } return apply_filters( 'woocommerce_downloadable_file_exists', file_exists( $file_url ), $this->get_file() ); } /** * Confirms that the download exists within an approved directory. * * If it is not within an approved directory but the current user has sufficient * capabilities, then the method will try to add the download's directory to the * approved directory list. * * @throws Exception If the download is not in an approved directory. * * @param bool $auto_add_to_approved_directory_list If the download is not already in the approved directory list, automatically add it if possible. */ private function approved_directory_checks( bool $auto_add_to_approved_directory_list = true ) { $download_directories = wc_get_container()->get( Download_Directories::class ); if ( $download_directories->get_mode() !== Download_Directories::MODE_ENABLED ) { return; } $download_file = $this->get_file(); /** * Controls whether shortcodes should be resolved and validated using the Approved Download Directory feature. * * @param bool $should_validate */ if ( apply_filters( 'woocommerce_product_downloads_approved_directory_validation_for_shortcodes', true ) && 'shortcode' === $this->get_type_of_file_path() ) { $download_file = do_shortcode( $download_file ); } $is_site_administrator = is_multisite() ? current_user_can( 'manage_sites' ) : current_user_can( 'manage_options' ); $valid_storage_directory = $download_directories->is_valid_path( $download_file ); if ( $valid_storage_directory ) { return; } if ( $auto_add_to_approved_directory_list ) { try { // Add the parent URL to the approved directories list, but *do not enable it* unless the current user is a site admin. $download_directories->add_approved_directory( ( new URL( $download_file ) )->get_parent_url(), $is_site_administrator ); $valid_storage_directory = $download_directories->is_valid_path( $download_file ); } catch ( Exception $e ) { // phpcs:ignore Generic.CodeAnalysis.EmptyStatement.DetectedCatch // At this point, $valid_storage_directory will be false. Fall-through so the appropriate exception is // triggered (same as if the storage directory was invalid and $auto_add_to_approved_directory_list was false. } } if ( ! $valid_storage_directory ) { $this->raise_invalid_file_exception( $download_file ); } } /** * Convenience method, allows us to re-use the same exception messaging from different areas. * * @throws Exception * * @param string $download_file * * @return void */ private function raise_invalid_file_exception( string $download_file ): void { throw new Exception( sprintf( /* translators: %1$s is the downloadable file path, %2$s is an opening link tag, %3%s is a closing link tag. */ __( 'The downloadable file %s cannot be used as it does not exist on the server, or is not located within an approved directory. Please contact a site administrator for help. %2$sLearn more.%3$s', 'woocommerce' ), '<code>' . $download_file . '</code>', '<a href="https://woocommerce.com/document/approved-download-directories">', '</a>' ) ); } /* |-------------------------------------------------------------------------- | Setters |-------------------------------------------------------------------------- */ /** * Set ID. * * @param string $value Download ID. */ public function set_id( $value ) { $this->data['id'] = wc_clean( $value ); } /** * Set name. * * @param string $value Download name. */ public function set_name( $value ) { $this->data['name'] = wc_clean( $value ); } /** * Set previous_hash. * * @deprecated 3.3.0 No longer using filename based hashing to keep track of files. * @param string $value Previous hash. */ public function set_previous_hash( $value ) { wc_deprecated_function( __FUNCTION__, '3.3' ); $this->data['previous_hash'] = wc_clean( $value ); } /** * Set file. * * @param string $value File URL/Path. */ public function set_file( $value ) { // A `///` is recognized as an "absolute", but on the filesystem, so it bypasses the mime check in `self::is_allowed_filetype`. // This will strip extra prepending / to the maximum of 2. if ( preg_match( '#^//+(/[^/].+)$#i', $value, $matches ) ) { $value = $matches[1]; } switch ( $this->get_type_of_file_path( $value ) ) { case 'absolute': $this->data['file'] = esc_url_raw( $value ); break; default: $this->data['file'] = wc_clean( $value ); break; } } /** * Sets the status of the download to enabled (true) or disabled (false). * * @param bool $enabled True indicates the downloadable file is enabled, false indicates it is disabled. */ public function set_enabled( bool $enabled = true ) { $this->data['enabled'] = $enabled; } /* |-------------------------------------------------------------------------- | Getters |-------------------------------------------------------------------------- */ /** * Get id. * * @return string */ public function get_id() { return $this->data['id']; } /** * Get name. * * @return string */ public function get_name() { return $this->data['name']; } /** * Get previous_hash. * * @deprecated 3.3.0 No longer using filename based hashing to keep track of files. * @return string */ public function get_previous_hash() { wc_deprecated_function( __FUNCTION__, '3.3' ); return $this->data['previous_hash']; } /** * Get file. * * @return string */ public function get_file() { return $this->data['file']; } /** * Get status of the download. * * @return bool */ public function get_enabled(): bool { return $this->data['enabled']; } /* |-------------------------------------------------------------------------- | ArrayAccess/Backwards compatibility. |-------------------------------------------------------------------------- */ /** * OffsetGet. * * @param string $offset Offset. * @return mixed */ #[\ReturnTypeWillChange] public function offsetGet( $offset ) { switch ( $offset ) { default: if ( is_callable( array( $this, "get_$offset" ) ) ) { return $this->{"get_$offset"}(); } break; } return ''; } /** * OffsetSet. * * @param string $offset Offset. * @param mixed $value Offset value. */ #[\ReturnTypeWillChange] public function offsetSet( $offset, $value ) { switch ( $offset ) { default: if ( is_callable( array( $this, "set_$offset" ) ) ) { $this->{"set_$offset"}( $value ); } break; } } /** * OffsetUnset. * * @param string $offset Offset. */ #[\ReturnTypeWillChange] public function offsetUnset( $offset ) {} /** * OffsetExists. * * @param string $offset Offset. * @return bool */ #[\ReturnTypeWillChange] public function offsetExists( $offset ) { return in_array( $offset, array_keys( $this->data ), true ); } } Submit