public/download.php

<?php
require_once("../include/bittorrent.php");
dbconn();

if (!empty($_REQUEST['downhash'])){
    $params = explode('|', $_REQUEST['downhash']);
    if (empty($params[0]) || empty($params[1])) {
        die("invalid downhash, format error");
    }
    $uid = $params[0];
    $hash = $params[1];
    $res = sql_query("SELECT * FROM users WHERE id=". sqlesc($uid)." LIMIT 1");
    $user = mysql_fetch_array($res);
    if (!$user)
        die("invalid uid");
    elseif ($user['enabled'] == 'no' || $user['parked'] == 'yes')
        die("account disabed or parked");
    $oldip = $user['ip'];
    $user['ip'] = getip();
    $CURUSER = $user;
    $torrentRep = new \App\Repositories\TorrentRepository();
    $decrypted = $torrentRep->decryptDownHash($hash, $user);
    if (empty($decrypted)) {
        do_log("downhash invalid: " . nexus_json_encode($_REQUEST));
        die("invalid downhash, decrpyt fail");
    }
    $id = $decrypted[0];
}
else
{
    $id = (int)$_GET["id"];
    if (!$id)
        httperr();
	loggedinorreturn();
	parked();
	$letdown = intval($_GET['letdown'] ?? 0);
	if (!$letdown && $CURUSER['showdlnotice'] == 1)
	{
		header("Location: " . get_protocol_prefix() . "$BASEURL/downloadnotice.php?torrentid=".$id."&type=firsttime");
	}
	elseif (!$letdown && $CURUSER['showclienterror'] == 'yes')
	{
		header("Location: " . get_protocol_prefix() . "$BASEURL/downloadnotice.php?torrentid=".$id."&type=client");
	}
	elseif (!$letdown && $CURUSER['leechwarn'] == 'yes')
	{
		header("Location: " . get_protocol_prefix() . "$BASEURL/downloadnotice.php?torrentid=".$id."&type=ratio");
	}
}
//User may choose to download torrent from RSS. So log ip changes when downloading torrents.
if ($iplog1 == "yes") {
	if (($oldip != $CURUSER["ip"]) && $CURUSER["ip"])
	sql_query("INSERT INTO iplog (ip, userid, access) VALUES (" . sqlesc($CURUSER['ip']) . ", " . $CURUSER['id'] . ", '" . $CURUSER['last_access'] . "')");
}
//User may choose to download torrent from RSS. So update his last_access and ip when downloading torrents.
sql_query("UPDATE users SET last_access = ".sqlesc(date("Y-m-d H:i:s")).", ip = ".sqlesc($CURUSER['ip'])."  WHERE id = ".sqlesc($CURUSER['id']));

/*
@ini_set('zlib.output_compression', 'Off');
@set_time_limit(0);

if (@ini_get('output_handler') == 'ob_gzhandler' AND @ob_get_length() !== false)
{	// if output_handler = ob_gzhandler, turn it off and remove the header sent by PHP
	@ob_end_clean();
	header('Content-Encoding:');
}
*/
if (isset($_COOKIE["c_secure_tracker_ssl"]) && $_COOKIE["c_secure_tracker_ssl"] == base64("yeah"))
$tracker_ssl = true;
else
$tracker_ssl = false;
if ($tracker_ssl == true){
	$ssl_torrent = "https://";
	if ($https_announce_urls[0] != "")
		$base_announce_url = $https_announce_urls[0];
	else
		$base_announce_url = $announce_urls[0];
}
else{
	$ssl_torrent = "http://";
	$base_announce_url = $announce_urls[0];
}


$res = sql_query("SELECT torrents.name, torrents.filename, torrents.save_as, torrents.size, torrents.owner, torrents.banned, categories.mode as search_box_id FROM torrents left join categories on torrents.category = categories.id WHERE torrents.id = ".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
$row = mysql_fetch_assoc($res);
$fn = ROOT_PATH . "$torrent_dir/$id.torrent";
if ($CURUSER['downloadpos']=="no") {
    permissiondenied();
}
if (!$row || !is_file($fn) || !is_readable($fn)) {
    httperr();
}
if (($row['banned'] == 'yes' && get_user_class() < $seebanned_class) || !can_access_torrent($row)) {
    permissiondenied();
}

sql_query("UPDATE torrents SET hits = hits + 1 WHERE id = ".sqlesc($id)) or sqlerr(__FILE__, __LINE__);

require_once "include/benc.php";

if (strlen($CURUSER['passkey']) != 32) {
	$CURUSER['passkey'] = md5($CURUSER['username'].date("Y-m-d H:i:s").$CURUSER['passhash']);
	sql_query("UPDATE users SET passkey=".sqlesc($CURUSER['passkey'])." WHERE id=".sqlesc($CURUSER['id']));
}

$dict = bdec_file($fn, $max_torrent_size);
//$dict['value']['announce']['value'] = $ssl_torrent . $base_announce_url . "?passkey=$CURUSER[passkey]";
$dict['value']['announce']['value'] = getSchemeAndHttpHost() . "/announce.php?passkey=$CURUSER[passkey]";
$dict['value']['announce']['string'] = strlen($dict['value']['announce']['value']).":".$dict['value']['announce']['value'];
$dict['value']['announce']['strlen'] = strlen($dict['value']['announce']['string']);
/*if ($announce_urls[1] != "") // add multi-tracker
{
	$dict['value']['announce-list']['type'] = "list";
	$dict['value']['announce-list']['value'][0]['type'] = "list";
	$dict['value']['announce-list']['value'][0]['value'][0]["type"] = "string";
	$dict['value']['announce-list']['value'][0]['value'][0]["value"] = $ssl_torrent . $announce_urls[0] . "?passkey=$CURUSER[passkey]";
	$dict['value']['announce-list']['value'][0]['value'][0]["string"] = strlen($dict['value']['announce-list']['value'][0]['value'][0]["value"]).":".$dict['value']['announce-list']['value'][0]['value'][0]["value"];
	$dict['value']['announce-list']['value'][0]['value'][0]["strlen"] = strlen($dict['value']['announce-list']['value'][0]['value'][0]["string"]);
	$dict['value']['announce-list']['value'][0]['string'] = "l".$dict['value']['announce-list']['value'][0]['value'][0]["string"]."e";
	$dict['value']['announce-list']['value'][0]['strlen'] = strlen($dict['value']['announce-list']['value'][0]['string']);
	$dict['value']['announce-list']['value'][1]['type'] = "list";
	$dict['value']['announce-list']['value'][1]['value'][0]["type"] = "string";
	$dict['value']['announce-list']['value'][1]['value'][0]["value"] = $ssl_torrent . $announce_urls[1] . "?passkey=$CURUSER[passkey]";
	$dict['value']['announce-list']['value'][1]['value'][0]["string"] = strlen($dict['value']['announce-list']['value'][0]['value'][0]["value"]).":".$dict['value']['announce-list']['value'][0]['value'][0]["value"];
	$dict['value']['announce-list']['value'][1]['value'][0]["strlen"] = strlen($dict['value']['announce-list']['value'][0]['value'][0]["string"]);
	$dict['value']['announce-list']['value'][1]['string'] = "l".$dict['value']['announce-list']['value'][0]['value'][0]["string"]."e";
	$dict['value']['announce-list']['value'][1]['strlen'] = strlen($dict['value']['announce-list']['value'][0]['string']);
	$dict['value']['announce-list']['string'] = "l".$dict['value']['announce-list']['value'][0]['string'].$dict['value']['announce-list']['value'][1]['string']."e";
	$dict['value']['announce-list']['strlen'] = strlen($dict['value']['announce-list']['string']);
}*/
/*
header ("Expires: Tue, 1 Jan 1980 00:00:00 GMT");
header ("Last-Modified: ".date("D, d M Y H:i:s"));
header ("Cache-Control: no-store, no-cache, must-revalidate");
header ("Cache-Control: post-check=0, pre-check=0", false);
header ("Pragma: no-cache");
header ("X-Powered-By: ".VERSION." (c) ".date("Y")." ".$SITENAME."");
header ("Accept-Ranges: bytes");
header ("Connection: close");
header ("Content-Transfer-Encoding: binary");
*/

header("Content-Type: application/x-bittorrent");

if ( str_replace("Gecko", "", $_SERVER['HTTP_USER_AGENT']) != $_SERVER['HTTP_USER_AGENT'])
{
	header ("Content-Disposition: attachment; filename=\"$torrentnameprefix.".$row["save_as"].".torrent\" ; charset=utf-8");
}
else if ( str_replace("Firefox", "", $_SERVER['HTTP_USER_AGENT']) != $_SERVER['HTTP_USER_AGENT'] )
{
	header ("Content-Disposition: attachment; filename=\"$torrentnameprefix.".$row["save_as"].".torrent\" ; charset=utf-8");
}
else if ( str_replace("Opera", "", $_SERVER['HTTP_USER_AGENT']) != $_SERVER['HTTP_USER_AGENT'] )
{
	header ("Content-Disposition: attachment; filename=\"$torrentnameprefix.".$row["save_as"].".torrent\" ; charset=utf-8");
}
else if ( str_replace("IE", "", $_SERVER['HTTP_USER_AGENT']) != $_SERVER['HTTP_USER_AGENT'] )
{
	header ("Content-Disposition: attachment; filename=".str_replace("+", "%20", rawurlencode("$torrentnameprefix." . $row["save_as"] .".torrent")));
}
else
{
	header ("Content-Disposition: attachment; filename=".str_replace("+", "%20", rawurlencode("$torrentnameprefix." . $row["save_as"] .".torrent")));
}

//header ("Content-Disposition: attachment; filename=".$row["filename"]."");
//ob_implicit_flush(true);
print(benc($dict));
?>
init 2020-12-26 01:42:23 +08:00			`<?php`
add composer 2021-01-13 19:32:26 +08:00			`require_once("../include/bittorrent.php");`
init 2020-12-26 01:42:23 +08:00			`dbconn();`
downhash 2021-06-02 08:44:22 +08:00
			`if (!empty($_REQUEST['downhash'])){`
torrent downhash encrypt by hashids 2021-06-02 19:01:28 +08:00			`$params = explode('\|', $_REQUEST['downhash']);`
			`if (empty($params[0]) \|\| empty($params[1])) {`
			`die("invalid downhash, format error");`
downhash 2021-06-02 08:44:22 +08:00			`}`
torrent downhash encrypt by hashids 2021-06-02 19:01:28 +08:00			`$uid = $params[0];`
			`$hash = $params[1];`
			`$res = sql_query("SELECT * FROM users WHERE id=". sqlesc($uid)." LIMIT 1");`
			`$user = mysql_fetch_array($res);`
			`if (!$user)`
			`die("invalid uid");`
			`elseif ($user['enabled'] == 'no' \|\| $user['parked'] == 'yes')`
			`die("account disabed or parked");`
			`$oldip = $user['ip'];`
			`$user['ip'] = getip();`
			`$CURUSER = $user;`
			`$torrentRep = new \App\Repositories\TorrentRepository();`
			`$decrypted = $torrentRep->decryptDownHash($hash, $user);`
			`if (empty($decrypted)) {`
			`do_log("downhash invalid: " . nexus_json_encode($_REQUEST));`
			`die("invalid downhash, decrpyt fail");`
downhash 2021-06-02 08:44:22 +08:00			`}`
torrent downhash encrypt by hashids 2021-06-02 19:01:28 +08:00			`$id = $decrypted[0];`
init 2020-12-26 01:42:23 +08:00			`}`
			`else`
			`{`
downhash 2021-06-02 08:44:22 +08:00			`$id = (int)$_GET["id"];`
			`if (!$id)`
			`httperr();`
init 2020-12-26 01:42:23 +08:00			`loggedinorreturn();`
			`parked();`
recover some $_GET & $POST variable keep be integer 2021-01-06 00:56:13 +08:00			`$letdown = intval($_GET['letdown'] ?? 0);`
init 2020-12-26 01:42:23 +08:00			`if (!$letdown && $CURUSER['showdlnotice'] == 1)`
			`{`
			`header("Location: " . get_protocol_prefix() . "$BASEURL/downloadnotice.php?torrentid=".$id."&type=firsttime");`
			`}`
			`elseif (!$letdown && $CURUSER['showclienterror'] == 'yes')`
			`{`
			`header("Location: " . get_protocol_prefix() . "$BASEURL/downloadnotice.php?torrentid=".$id."&type=client");`
			`}`
			`elseif (!$letdown && $CURUSER['leechwarn'] == 'yes')`
			`{`
			`header("Location: " . get_protocol_prefix() . "$BASEURL/downloadnotice.php?torrentid=".$id."&type=ratio");`
			`}`
			`}`
			`//User may choose to download torrent from RSS. So log ip changes when downloading torrents.`
			`if ($iplog1 == "yes") {`
			`if (($oldip != $CURUSER["ip"]) && $CURUSER["ip"])`
			`sql_query("INSERT INTO iplog (ip, userid, access) VALUES (" . sqlesc($CURUSER['ip']) . ", " . $CURUSER['id'] . ", '" . $CURUSER['last_access'] . "')");`
			`}`
			`//User may choose to download torrent from RSS. So update his last_access and ip when downloading torrents.`
			`sql_query("UPDATE users SET last_access = ".sqlesc(date("Y-m-d H:i:s")).", ip = ".sqlesc($CURUSER['ip'])." WHERE id = ".sqlesc($CURUSER['id']));`

			`/*`
			`@ini_set('zlib.output_compression', 'Off');`
			`@set_time_limit(0);`

			`if (@ini_get('output_handler') == 'ob_gzhandler' AND @ob_get_length() !== false)`
			`{ // if output_handler = ob_gzhandler, turn it off and remove the header sent by PHP`
			`@ob_end_clean();`
			`header('Content-Encoding:');`
			`}`
			`*/`
fix warning: Undefined array key 2021-05-14 01:00:59 +08:00			`if (isset($_COOKIE["c_secure_tracker_ssl"]) && $_COOKIE["c_secure_tracker_ssl"] == base64("yeah"))`
init 2020-12-26 01:42:23 +08:00			`$tracker_ssl = true;`
			`else`
			`$tracker_ssl = false;`
			`if ($tracker_ssl == true){`
			`$ssl_torrent = "https://";`
			`if ($https_announce_urls[0] != "")`
			`$base_announce_url = $https_announce_urls[0];`
			`else`
			`$base_announce_url = $announce_urls[0];`
			`}`
			`else{`
			`$ssl_torrent = "http://";`
			`$base_announce_url = $announce_urls[0];`
			`}`



add special section 2021-05-29 18:26:04 +08:00			`$res = sql_query("SELECT torrents.name, torrents.filename, torrents.save_as, torrents.size, torrents.owner, torrents.banned, categories.mode as search_box_id FROM torrents left join categories on torrents.category = categories.id WHERE torrents.id = ".sqlesc($id)) or sqlerr(__FILE__, __LINE__);`
init 2020-12-26 01:42:23 +08:00			`$row = mysql_fetch_assoc($res);`
fix announce for directory change 2021-01-19 21:50:21 +08:00			`$fn = ROOT_PATH . "$torrent_dir/$id.torrent";`
add special section 2021-05-29 18:26:04 +08:00			`if ($CURUSER['downloadpos']=="no") {`
			`permissiondenied();`
			`}`
			`if (!$row \|\| !is_file($fn) \|\| !is_readable($fn)) {`
			`httperr();`
			`}`
			`if (($row['banned'] == 'yes' && get_user_class() < $seebanned_class) \|\| !can_access_torrent($row)) {`
			`permissiondenied();`
			`}`

init 2020-12-26 01:42:23 +08:00			`sql_query("UPDATE torrents SET hits = hits + 1 WHERE id = ".sqlesc($id)) or sqlerr(__FILE__, __LINE__);`

			`require_once "include/benc.php";`

			`if (strlen($CURUSER['passkey']) != 32) {`
			`$CURUSER['passkey'] = md5($CURUSER['username'].date("Y-m-d H:i:s").$CURUSER['passhash']);`
recover some $_GET & $POST variable keep be integer 2021-01-06 00:56:13 +08:00			`sql_query("UPDATE users SET passkey=".sqlesc($CURUSER['passkey'])." WHERE id=".sqlesc($CURUSER['id']));`
init 2020-12-26 01:42:23 +08:00			`}`

			`$dict = bdec_file($fn, $max_torrent_size);`
fix tracker url and takeinvite.php 2021-02-28 02:47:13 +08:00			`//$dict['value']['announce']['value'] = $ssl_torrent . $base_announce_url . "?passkey=$CURUSER[passkey]";`
			`$dict['value']['announce']['value'] = getSchemeAndHttpHost() . "/announce.php?passkey=$CURUSER[passkey]";`
init 2020-12-26 01:42:23 +08:00			`$dict['value']['announce']['string'] = strlen($dict['value']['announce']['value']).":".$dict['value']['announce']['value'];`
			`$dict['value']['announce']['strlen'] = strlen($dict['value']['announce']['string']);`
			`/*if ($announce_urls[1] != "") // add multi-tracker`
			`{`
			`$dict['value']['announce-list']['type'] = "list";`
			`$dict['value']['announce-list']['value'][0]['type'] = "list";`
			`$dict['value']['announce-list']['value'][0]['value'][0]["type"] = "string";`
			`$dict['value']['announce-list']['value'][0]['value'][0]["value"] = $ssl_torrent . $announce_urls[0] . "?passkey=$CURUSER[passkey]";`
			`$dict['value']['announce-list']['value'][0]['value'][0]["string"] = strlen($dict['value']['announce-list']['value'][0]['value'][0]["value"]).":".$dict['value']['announce-list']['value'][0]['value'][0]["value"];`
			`$dict['value']['announce-list']['value'][0]['value'][0]["strlen"] = strlen($dict['value']['announce-list']['value'][0]['value'][0]["string"]);`
			`$dict['value']['announce-list']['value'][0]['string'] = "l".$dict['value']['announce-list']['value'][0]['value'][0]["string"]."e";`
			`$dict['value']['announce-list']['value'][0]['strlen'] = strlen($dict['value']['announce-list']['value'][0]['string']);`
			`$dict['value']['announce-list']['value'][1]['type'] = "list";`
			`$dict['value']['announce-list']['value'][1]['value'][0]["type"] = "string";`
			`$dict['value']['announce-list']['value'][1]['value'][0]["value"] = $ssl_torrent . $announce_urls[1] . "?passkey=$CURUSER[passkey]";`
			`$dict['value']['announce-list']['value'][1]['value'][0]["string"] = strlen($dict['value']['announce-list']['value'][0]['value'][0]["value"]).":".$dict['value']['announce-list']['value'][0]['value'][0]["value"];`
			`$dict['value']['announce-list']['value'][1]['value'][0]["strlen"] = strlen($dict['value']['announce-list']['value'][0]['value'][0]["string"]);`
			`$dict['value']['announce-list']['value'][1]['string'] = "l".$dict['value']['announce-list']['value'][0]['value'][0]["string"]."e";`
			`$dict['value']['announce-list']['value'][1]['strlen'] = strlen($dict['value']['announce-list']['value'][0]['string']);`
			`$dict['value']['announce-list']['string'] = "l".$dict['value']['announce-list']['value'][0]['string'].$dict['value']['announce-list']['value'][1]['string']."e";`
			`$dict['value']['announce-list']['strlen'] = strlen($dict['value']['announce-list']['string']);`
			`}*/`
			`/*`
			`header ("Expires: Tue, 1 Jan 1980 00:00:00 GMT");`
			`header ("Last-Modified: ".date("D, d M Y H:i:s"));`
			`header ("Cache-Control: no-store, no-cache, must-revalidate");`
			`header ("Cache-Control: post-check=0, pre-check=0", false);`
			`header ("Pragma: no-cache");`
			`header ("X-Powered-By: ".VERSION." (c) ".date("Y")." ".$SITENAME."");`
			`header ("Accept-Ranges: bytes");`
			`header ("Connection: close");`
			`header ("Content-Transfer-Encoding: binary");`
			`*/`

			`header("Content-Type: application/x-bittorrent");`

			`if ( str_replace("Gecko", "", $_SERVER['HTTP_USER_AGENT']) != $_SERVER['HTTP_USER_AGENT'])`
			`{`
			`header ("Content-Disposition: attachment; filename=\"$torrentnameprefix.".$row["save_as"].".torrent\" ; charset=utf-8");`
			`}`
			`else if ( str_replace("Firefox", "", $_SERVER['HTTP_USER_AGENT']) != $_SERVER['HTTP_USER_AGENT'] )`
			`{`
			`header ("Content-Disposition: attachment; filename=\"$torrentnameprefix.".$row["save_as"].".torrent\" ; charset=utf-8");`
			`}`
			`else if ( str_replace("Opera", "", $_SERVER['HTTP_USER_AGENT']) != $_SERVER['HTTP_USER_AGENT'] )`
			`{`
			`header ("Content-Disposition: attachment; filename=\"$torrentnameprefix.".$row["save_as"].".torrent\" ; charset=utf-8");`
			`}`
			`else if ( str_replace("IE", "", $_SERVER['HTTP_USER_AGENT']) != $_SERVER['HTTP_USER_AGENT'] )`
			`{`
			`header ("Content-Disposition: attachment; filename=".str_replace("+", "%20", rawurlencode("$torrentnameprefix." . $row["save_as"] .".torrent")));`
			`}`
			`else`
			`{`
			`header ("Content-Disposition: attachment; filename=".str_replace("+", "%20", rawurlencode("$torrentnameprefix." . $row["save_as"] .".torrent")));`
			`}`

			`//header ("Content-Disposition: attachment; filename=".$row["filename"]."");`
			`//ob_implicit_flush(true);`
			`print(benc($dict));`
			`?>`