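userCanAccess( "PM_LOGIN" )) != 1) { return $RBAC_Response; }
// NOTE(review): the head of the RBAC guard above (`if (($RBAC_Response = ...`) lies
// outside this chunk and is kept verbatim; everything below assumes the caller is
// an authenticated user holding PM_LOGIN.

// ---------------------------------------------------------------------------
// Serve a user's avatar (GIF) by USR_UID, with a fallback lookup by USR_ID and a
// final fallback to the stock user.gif. Emits ETag / Last-Modified validators
// and answers 304 when the client already has the current file.
// ---------------------------------------------------------------------------

// pUID is untrusted request input that ends up in a filesystem path. It is
// reduced to a safe token in two steps: basename() discards any directory part,
// and the regex keeps only [A-Za-z0-9_-], so '.', '/', '\' and NUL can never
// reach the path built below.
// `?? ''` and the is_string() guard cover a missing parameter and an array value
// (pUID[]=x): on PHP 8 those would surface as a warning / TypeError from
// basename() instead of quietly selecting the default image.
$rawUid = $_REQUEST['pUID'] ?? '';
$pUID = is_string($rawUid) ? basename($rawUid) : '';
$pUID = preg_replace('/[^a-zA-Z0-9_-]/', '', $pUID) ?? ''; // preg_replace() yields null on PCRE error

$defaultImage = PATH_HOME . 'public_html/images/user.gif';

// Strict '' test rather than empty(): a pUID of "0" is a (possibly valid) USR_ID
// and should go through the lookup below rather than being treated as absent.
if ($pUID === '') {
    $filename = $defaultImage;
} else {
    $filename = PATH_IMAGES_ENVIRONMENT_USERS . $pUID . '.gif';
}

// No file under that name: pUID may be a numeric USR_ID rather than a USR_UID,
// so resolve it to a USR_UID and retry. Anything still missing gets the default.
if (!file_exists($filename)) {
    $user = new User();
    $filters = [
        'limit' => 1,
        'fields' => ['USR_UID'],
        'conditions' => [['USR_ID', '=', $pUID]],
    ];
    $result = $user->show($filters);
    if ((int) ($result['total'] ?? 0) === 1) {
        // Defence in depth: the UID comes from the database, but it is about to be
        // spliced into a path, so hold it to the same character set as pUID.
        $resolvedUid = preg_replace('/[^a-zA-Z0-9_-]/', '', (string) ($result['data'][0]['USR_UID'] ?? '')) ?? '';
        $filename = $resolvedUid === '' ? $defaultImage : PATH_IMAGES_ENVIRONMENT_USERS . $resolvedUid . '.gif';
        if (!file_exists($filename)) {
            $filename = $defaultImage;
        }
    } else {
        $filename = $defaultImage;
    }
}

// Only reachable when even the stock user.gif is absent.
if (!file_exists($filename)) {
    header('HTTP/1.1 404 Not Found');
    exit();
}

// Cache validators. md5 is used purely as a cache key here, not as a security
// control, so its weakness as a hash is irrelevant.
$lastModified = filemtime($filename);
$fileSize = filesize($filename);
$etag = md5($fileSize . $lastModified . $filename);

header('Content-Type: image/gif');
// The bytes served were uploaded by a user; forbid MIME sniffing so a crafted
// file cannot be reinterpreted as HTML/script by the browser.
header('X-Content-Type-Options: nosniff');
header('ETag: "' . $etag . '"');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastModified) . ' GMT');
header('Content-Length: ' . $fileSize);
// This response is gated by the PM_LOGIN check above, so shared/proxy caches
// must not store it and replay it to other clients: `private`, not `public`.
// Browsers may still keep it for 5 minutes before revalidating.
header('Cache-Control: private, must-revalidate, max-age=300');

// Conditional GET: an exact match on the quoted strong ETag short-circuits to 304.
// (A weak `W/"..."` form or an ETag list is simply treated as a miss.)
$clientEtag = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? trim($_SERVER['HTTP_IF_NONE_MATCH']) : '';
if ($clientEtag === '"' . $etag . '"') {
    header('HTTP/1.1 304 Not Modified');
    exit;
}

// Stream the image body.
readfile($filename);
exit();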