From 7cb38db1aa3ca52783883af322774c1cfb3a0934 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Sat, 18 May 2024 12:56:13 +0200
Subject: [PATCH] Move the ETag handling and switch to weak comparisons
---
 .../lib/action/FileDownloadAction.class.php | 31 ++++++++++++-------
 1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/wcfsetup/install/files/lib/action/FileDownloadAction.class.php b/wcfsetup/install/files/lib/action/FileDownloadAction.class.php
index 6841639780..38576edfe4 100644
--- a/wcfsetup/install/files/lib/action/FileDownloadAction.class.php
+++ b/wcfsetup/install/files/lib/action/FileDownloadAction.class.php
@@ -2,6 +2,7 @@
 namespace wcf\action;
+use GuzzleHttp\Psr7\Header;
 use Laminas\Diactoros\Response;
 use Laminas\Diactoros\Response\EmptyResponse;
 use Laminas\Diactoros\Stream;
@@ -50,17 +51,6 @@ final class FileDownloadAction implements RequestHandlerInterface
 throw new PermissionDeniedException();
 }
- $eTag = \sprintf(
- '"%d-%s"',
- $file->fileID,
- \substr($file->fileHash, 0, 8),
- );
-
- $httpIfNoneMatch = $_SERVER['HTTP_IF_NONE_MATCH'] ?? '';
- if ($httpIfNoneMatch === $eTag) {
- return new EmptyResponse(304);
- }
-
 $processor->trackDownload($file);
 $filename = $file->getPathname();
@@ -107,6 +97,25 @@ final class FileDownloadAction implements RequestHandlerInterface
 ->withHeader('Cache-control', $maxAge);
 }
+ $eTag = \sprintf(
+ '"W/%d-%s"',
+ $file->fileID,
+ \substr($file->fileHash, 0, 8),
+ );
+ $nonWeakETag = \sprintf(
+ '"%d-%s"',
+ $file->fileID,
+ \substr($file->fileHash, 0, 8),
+ );
+
+ $httpIfNoneMatch = \array_map(
+ static fn ($tag) => \preg_replace('^"W/', '"', $tag),
+ Header::splitList($request->getHeaderLine('HTTP_IF_NONE_MATCH'))
+ );
+ if (\in_array($nonWeakETag, $httpIfNoneMatch, true)) {
+ return new EmptyResponse(304);
+ }
+
 return $response
 ->withHeader('content-type', $mimeType)
 ->withHeader(
--
2.20.1
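Review bot: The conditional-request check added in the third hunk can never match, so the 304 branch is dead code. `\preg_replace('^"W/', '"', $tag)` treats `^` as the pattern delimiter, finds no closing one and returns null with a warning for every tag, and `getHeaderLine('HTTP_IF_NONE_MATCH')` passes the `$_SERVER` key instead of the PSR-7 header name, so the list is empty anyway. The weak tag is also malformed, since RFC 9110 puts the `W/` prefix outside the quotes and `'"W/%d-%s"'` yields a strong tag that merely contains `W/`. I would change these three lines to `'W/"%d-%s"',`, `static fn ($tag) => \preg_replace('~^W/~', '', $tag),` and `Header::splitList($request->getHeaderLine('If-None-Match'))`. The method continues past the hunk, so whether `$eTag` is sent on the response is not visible here; judging by the second hunk the check now runs after `trackDownload()`, so once it works a revalidation would presumably be counted as a download, which is worth confirming as intended.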