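<?php
/**
 * download_variation.php
 *
 * Serves one audio variation of a track as an MP3 attachment to the user
 * that owns the track.
 *
 * Query parameters: track_id and variation_id, both positive integers.
 * Flow: session check -> parameter validation -> ownership check against
 * music_tracks -> variation lookup -> validateAudioUrl() on the stored
 * audio_url (includes/file_security.php) -> stream the file.
 *
 * Responses: 401 not logged in, 400 bad parameters, 403 track not owned,
 * 404 variation or file missing, 500 on unexpected failure.
 */
session_start();

// Only authenticated users may reach the ownership check below.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    echo 'Unauthorized';
    exit;
}

// Make a raw request value safe to write to the error log: non-printable
// bytes (including CR/LF, which would forge log lines) become '?', and the
// value is capped so an oversized parameter cannot flood the log.
$logSafe = static function ($value): string {
    $text = is_scalar($value) ? (string) $value : gettype($value);
    $text = preg_replace('/[^\x20-\x7E]/', '?', $text) ?? '';
    return substr($text, 0, 64);
};

// Parse a request parameter as a strictly positive integer. Unlike
// is_numeric() + (int) this rejects floats, exponents ("1e3"), surrounding
// whitespace and array-valued parameters instead of silently truncating.
$positiveInt = static function ($raw): ?int {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
};

// SECURITY: Validate and sanitize parameters
$track_id_raw = $_GET['track_id'] ?? null;
$variation_id_raw = $_GET['variation_id'] ?? null;

if ($track_id_raw === null || $track_id_raw === '' || $variation_id_raw === null || $variation_id_raw === '') {
    http_response_code(400);
    echo 'Track ID and Variation ID required';
    exit;
}

// SECURITY: Validate that IDs are positive integers
$track_id = $positiveInt($track_id_raw);
if ($track_id === null) {
    error_log('SECURITY: Invalid track_id attempt: ' . $logSafe($track_id_raw));
    http_response_code(400);
    echo 'Invalid track ID';
    exit;
}

$variation_id = $positiveInt($variation_id_raw);
if ($variation_id === null) {
    error_log('SECURITY: Invalid variation_id attempt: ' . $logSafe($variation_id_raw));
    http_response_code(400);
    echo 'Invalid variation ID';
    exit;
}

// Include security utilities
require_once '../includes/file_security.php';
require_once '../config/database.php';

// Emit the attachment headers. The quoted filename is the classic form; the
// filename* parameter carries the UTF-8 encoded name (RFC 6266) so titles
// with non-ASCII characters survive in the browser's save dialog. nosniff
// stops browsers from re-interpreting the body as HTML or script.
$sendDownloadHeaders = static function (string $filename, int $length): void {
    $quotedName = str_replace(['"', "\r", "\n"], '', $filename);
    header('Content-Type: audio/mpeg');
    header('X-Content-Type-Options: nosniff');
    header(
        'Content-Disposition: attachment; filename="' . $quotedName . '"; '
        . "filename*=UTF-8''" . rawurlencode($filename)
    );
    header('Content-Length: ' . $length);
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');
};

try {
    $pdo = getDBConnection();

    // Verify the user owns the track. The title is fetched here as well, which
    // removes the separate title query the old code ran after the checks.
    $stmt = $pdo->prepare('SELECT id, title FROM music_tracks WHERE id = ? AND user_id = ?');
    $stmt->execute([$track_id, $_SESSION['user_id']]);
    $track = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$track) {
        http_response_code(403);
        echo 'Track not found or access denied';
        exit;
    }

    // Get variation details; track_id in the WHERE clause ties the variation
    // to the track whose ownership was just verified.
    $stmt = $pdo->prepare(
        'SELECT audio_url, title, variation_index FROM audio_variations WHERE id = ? AND track_id = ?'
    );
    $stmt->execute([$variation_id, $track_id]);
    $variation = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$variation) {
        http_response_code(404);
        echo 'Variation not found';
        exit;
    }

    if (empty($variation['audio_url'])) {
        http_response_code(404);
        echo 'No audio file available for this variation';
        exit;
    }

    // SECURITY: Validate audio URL. Only the verdict returned by
    // validateAudioUrl() ('external' + 'url', or 'local' + 'path') is used
    // from here on, never the raw database value.
    $audio_validation = validateAudioUrl($variation['audio_url']);

    if ($audio_validation['type'] === 'invalid') {
        error_log("SECURITY: Invalid audio URL for variation $variation_id: " . $variation['audio_url']);
        http_response_code(404);
        echo 'Audio file not available';
        exit;
    }

    // Build the download name. Empty-string comparison (rather than ?:) keeps a
    // legitimate title of "0" instead of replacing it with the fallback.
    $track_title = (string) ($track['title'] ?? '');
    if ($track_title === '') {
        $track_title = 'Untitled Track';
    }
    $variation_title = (string) ($variation['title'] ?? '');
    if ($variation_title === '') {
        $variation_title = "Variation {$variation['variation_index']}";
    }

    $filename = sanitizeDownloadFilename($track_title . ' - ' . $variation_title) . '.mp3';

    // Handle external URLs
    if ($audio_validation['type'] === 'external') {
        // The whole file is fetched before any header is sent so a failed fetch
        // can still answer 404. The timeout bounds how long a slow upstream can
        // hold this worker. '@' keeps a fetch warning out of the response body;
        // the failure is logged explicitly instead. Note that redirects are
        // followed by default, so validateAudioUrl() is the only gate on where
        // this request may go.
        $context = stream_context_create(['http' => ['timeout' => 30]]);
        $audio_content = @file_get_contents($audio_validation['url'], false, $context);
        if ($audio_content === false) {
            error_log("Failed to fetch external audio for variation $variation_id");
            http_response_code(404);
            echo 'Audio file not found';
            exit;
        }

        $sendDownloadHeaders($filename, strlen($audio_content));
        echo $audio_content;
        exit;
    }

    // Handle local files
    if ($audio_validation['type'] === 'local' && !empty($audio_validation['path'])) {
        $file_path = $audio_validation['path'];

        // is_file() (not file_exists()) rejects directories, and is_readable()
        // catches permission problems before the 200 and headers are committed;
        // filesize() returning false is treated the same way.
        $size = (is_file($file_path) && is_readable($file_path)) ? filesize($file_path) : false;
        if ($size === false) {
            http_response_code(404);
            echo 'Audio file not found';
            exit;
        }

        $sendDownloadHeaders($filename, $size);
        readfile($file_path);
        exit;
    }

    // validateAudioUrl() returned a type other than invalid/external/local,
    // or a local verdict without a path.
    http_response_code(500);
    echo 'Internal server error';

} catch (Throwable $e) {
    // Throwable also covers TypeError/ValueError from the helpers above; only a
    // generic message reaches the client, details go to the server log.
    error_log('Error downloading variation: ' . $e->getMessage());
    http_response_code(500);
    echo 'Internal server error';
}
?>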
