Rework file export to avoid output buffer when possible

MoonE · MoonE · commit 7c23ed9252ce · 2026-03-04T00:02:31.000+01:00
Signed-off-by: Maximilian Krög &lt;maxi_kroeg@web.de&gt;
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
@@ -2865,12 +2865,6 @@ parameters:
 			count: 3
 			path: src/Controllers/Table/GisVisualizationController.php
 
-		-
-			message: '#^Parameter \#2 \$format of method PhpMyAdmin\\Gis\\GisVisualization\:\:toFile\(\) expects string, mixed given\.$#'
-			identifier: argument.type
-			count: 1
-			path: src/Controllers/Table/GisVisualizationController.php
-
 		-
 			message: '#^Cannot access offset ''handler'' on mixed\.$#'
 			identifier: offsetAccess.nonOffsetAccessible
diff --git a/psalm-baseline.xml b/psalm-baseline.xml
@@ -2226,12 +2226,6 @@
       <code><![CDATA[$_SESSION['tmpval']['max_rows']]]></code>
       <code><![CDATA[$_SESSION['tmpval']['pos']]]></code>
     </MixedArrayAccess>
-    <PossiblyInvalidArgument>
-      <code><![CDATA[$_GET['fileFormat']]]></code>
-    </PossiblyInvalidArgument>
-    <PossiblyInvalidCast>
-      <code><![CDATA[$_GET['fileFormat']]]></code>
-    </PossiblyInvalidCast>
     <RiskyCast>
       <code><![CDATA[$_POST['pos'] ?? $_GET['pos'] ?? $_SESSION['tmpval']['pos']]]></code>
       <code><![CDATA[$_POST['session_max_rows'] ?? $_GET['session_max_rows']]]></code>
diff --git a/resources/templates/table/gis_visualization/gis_visualization.twig b/resources/templates/table/gis_visualization/gis_visualization.twig
@@ -43,9 +43,9 @@
               {{ get_icon('b_saveimage', t('Save')) }}
             </button>
             <ul class="dropdown-menu" aria-labelledby="saveImageButton">
-              <li><a class="dropdown-item disableAjax" href="{{ download_url|raw }}&fileFormat=png">PNG</a></li>
-              <li><a class="dropdown-item disableAjax" href="{{ download_url|raw }}&fileFormat=pdf">PDF</a></li>
-              <li><a class="dropdown-item disableAjax" href="{{ download_url|raw }}&fileFormat=svg">SVG</a></li>
+            {% for fileType in download_options %}
+              <li><a class="dropdown-item disableAjax" download href="{{ download_url|raw }}&amp;fileFormat={{ fileType }}">{{ fileType|upper }}</a></li>
+            {% endfor %}
             </ul>
           </div>
         </div>
diff --git a/src/Controllers/Table/GisVisualizationController.php b/src/Controllers/Table/GisVisualizationController.php
@@ -4,6 +4,7 @@
 
 namespace PhpMyAdmin\Controllers\Table;
 
+use Fig\Http\Message\StatusCodeInterface;
 use PhpMyAdmin\Config;
 use PhpMyAdmin\Controllers\InvocableController;
 use PhpMyAdmin\Core;
@@ -27,14 +28,17 @@
 use PhpMyAdmin\Template;
 use PhpMyAdmin\Url;
 use PhpMyAdmin\UrlParams;
+use TCPDF;
 
 use function __;
 use function array_search;
+use function class_exists;
+use function extension_loaded;
+use function implode;
 use function in_array;
 use function is_array;
 use function is_string;
-use function ob_get_clean;
-use function ob_start;
+use function strlen;
 
 /**
  * Handles creation of the GIS visualizations.
@@ -106,14 +110,30 @@ public function __invoke(ServerRequest $request): Response
 
         $visualization = GisVisualization::get($sqlQuery, $visualizationSettings, $rows, $pos);
 
-        if (isset($_GET['saveToFile'])) {
+        $downloadOptions = $this->getDownloadOptions();
+
+        if ($request->hasQueryParam('saveToFile')) {
+            $fileFormat = $request->getQueryParam('fileFormat');
+            if (! in_array($fileFormat, $downloadOptions, true)) {
+                return $this->responseFactory->createResponse(
+                    StatusCodeInterface::STATUS_INTERNAL_SERVER_ERROR,
+                    __('Invalid file format, expected one of: ') . implode(', ', $downloadOptions),
+                );
+            }
+
+            $data = $visualization->toFile($fileFormat);
+            if ($data === null) {
+                return $this->responseFactory->createResponse(
+                    StatusCodeInterface::STATUS_INTERNAL_SERVER_ERROR,
+                    __('Failed to create image'),
+                );
+            }
+
+            $fileName = $visualization->getSpatialColumn() . '.' . $data->extension;
             $response = $this->responseFactory->createResponse();
-            $filename = $visualization->getSpatialColumn();
-            ob_start();
-            $visualization->toFile($filename, $_GET['fileFormat']);
-            $output = ob_get_clean();
+            Core::downloadHeader($fileName, $data->mime, strlen($data->blob));
 
-            return $response->write((string) $output);
+            return $response->write($data->blob);
         }
 
         $this->response->addScriptFiles(['vendor/openlayers/openlayers.js', 'table/gis_visualization.js']);
@@ -153,13 +173,31 @@ public function __invoke(ServerRequest $request): Response
             'useBaseLayer' => $useBaseLayer,
             'visualization' => $visualization->asSVG(),
             'open_layers_data' => $visualization->asOl(),
+            'download_options' => $downloadOptions,
         ]);
 
         $this->response->addHTML($html);
 
         return $this->response->response();
     }
 
+    /** @return list<'svg'|'png'|'pdf'> */
+    private function getDownloadOptions(): array
+    {
+        $downloadOptions = [];
+        if (class_exists(TCPDF::class)) {
+            $downloadOptions[] = 'pdf';
+        }
+
+        if (extension_loaded('gd')) {
+            $downloadOptions[] = 'png';
+        }
+
+        $downloadOptions[] = 'svg';
+
+        return $downloadOptions;
+    }
+
     /**
      * Reads the sql query from POST or GET
      *
diff --git a/src/Gis/Ds/FileDownload.php b/src/Gis/Ds/FileDownload.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpMyAdmin\Gis\Ds;
+
+readonly class FileDownload
+{
+    public function __construct(
+        public string $blob,
+        public string $mime,
+        public string $extension,
+    ) {
+    }
+}
diff --git a/src/Gis/GisVisualization.php b/src/Gis/GisVisualization.php
@@ -8,12 +8,11 @@
 namespace PhpMyAdmin\Gis;
 
 use PhpMyAdmin\Config;
-use PhpMyAdmin\Core;
 use PhpMyAdmin\Dbal\DatabaseInterface;
 use PhpMyAdmin\Gis\Ds\Extent;
+use PhpMyAdmin\Gis\Ds\FileDownload;
 use PhpMyAdmin\Gis\Ds\ScaleData;
 use PhpMyAdmin\Image\ImageWrapper;
-use PhpMyAdmin\Sanitize;
 use PhpMyAdmin\Util;
 use TCPDF;
 
@@ -22,9 +21,8 @@
 use function htmlspecialchars;
 use function is_string;
 use function max;
-use function mb_strlen;
-use function mb_strtolower;
-use function mb_substr;
+use function ob_get_clean;
+use function ob_start;
 use function rtrim;
 use function trim;
 
@@ -246,43 +244,6 @@ private function fetchRawData(string $modifiedSql): array
         return $modifiedResult->fetchAllAssoc();
     }
 
-    /**
-     * Sanitizes the file name.
-     *
-     * @param string $fileName file name
-     * @param string $ext      extension of the file
-     *
-     * @return string the sanitized file name
-     */
-    private function sanitizeName(string $fileName, string $ext): string
-    {
-        $fileName = Sanitize::sanitizeFilename($fileName);
-
-        // Check if the user already added extension;
-        // get the substring where the extension would be if it was included
-        $requiredExtension = '.' . $ext;
-        $extensionLength = mb_strlen($requiredExtension);
-        $userExtension = mb_substr($fileName, -$extensionLength);
-        if (mb_strtolower($userExtension) !== $requiredExtension) {
-            $fileName .= $requiredExtension;
-        }
-
-        return $fileName;
-    }
-
-    /**
-     * Handles common tasks of writing the visualization to file for various formats.
-     *
-     * @param string $fileName file name
-     * @param string $type     mime type
-     * @param string $ext      extension of the file
-     */
-    private function writeToFile(string $fileName, string $type, string $ext): void
-    {
-        $fileName = $this->sanitizeName($fileName, $ext);
-        Core::downloadHeader($fileName, $type);
-    }
-
     /**
      * Generate the visualization in SVG format.
      *
@@ -312,16 +273,10 @@ public function asSVG(): string
         return $this->svg();
     }
 
-    /**
-     * Saves as a SVG image to a file.
-     *
-     * @param string $fileName File name
-     */
-    public function toFileAsSvg(string $fileName): void
+    /** Get SVG image as string + type infos. */
+    private function asSvgFile(): FileDownload
     {
-        $img = $this->svg();
-        $this->writeToFile($fileName, 'image/svg+xml', 'svg');
-        echo $img;
+        return new FileDownload(mime: 'image/svg+xml', extension: 'svg', blob: $this->svg());
     }
 
     /**
@@ -345,20 +300,22 @@ private function png(): ImageWrapper|null
         return $image;
     }
 
-    /**
-     * Saves as a PNG image to a file.
-     *
-     * @param string $fileName File name
-     */
-    public function toFileAsPng(string $fileName): void
+    /** Get PNG image as string (blob) + type infos. */
+    private function asPngFile(): FileDownload|null
     {
         $image = $this->png();
         if ($image === null) {
-            return;
+            return null;
         }
 
-        $this->writeToFile($fileName, 'image/png', 'png');
-        $image->png(null, 9, PNG_ALL_FILTERS);
+        ob_start();
+        $ok = $image->png(null, 9, PNG_ALL_FILTERS);
+        $output = ob_get_clean();
+        if (! $ok || $output === false) {
+            return null;
+        }
+
+        return new FileDownload(mime: 'image/png', extension: 'png', blob: $output);
     }
 
     /**
@@ -371,18 +328,15 @@ public function asOl(): array
         return $this->prepareDataSet($this->data, 'ol');
     }
 
-    /**
-     * Saves as a PDF to a file.
-     *
-     * @param string $fileName File name
-     */
-    public function toFileAsPdf(string $fileName): void
+    /** Get image PDF as string (blob) + type infos. */
+    private function asPdfFile(): FileDownload
     {
-        $fileName = $this->sanitizeName($fileName, 'pdf');
         $pdf = $this->createEmptyPdf(Config::getInstance()->config->PDFDefaultPageSize ?? 'A4');
         $this->prepareDataSet($this->data, 'pdf', $pdf);
 
-        $pdf->Output($fileName, 'D');
+        $blob = $pdf->Output('', 'S');
+
+        return new FileDownload(mime: 'application/pdf', extension: 'pdf', blob: $blob);
     }
 
     private function createEmptyPdf(string $format): TCPDF
@@ -406,18 +360,15 @@ private function createEmptyPdf(string $format): TCPDF
     /**
      * Convert file to given format
      *
-     * @param string $filename Filename
-     * @param string $format   Output format
+     * @param 'svg'|'png'|'pdf' $format Output format
      */
-    public function toFile(string $filename, string $format): void
+    public function toFile(string $format): FileDownload|null
     {
-        if ($format === 'svg') {
-            $this->toFileAsSvg($filename);
-        } elseif ($format === 'png') {
-            $this->toFileAsPng($filename);
-        } elseif ($format === 'pdf') {
-            $this->toFileAsPdf($filename);
-        }
+        return match ($format) {
+            'svg' => $this->asSvgFile(),
+            'png' => $this->asPngFile(),
+            'pdf' => $this->asPdfFile(),
+        };
     }
 
     /**
diff --git a/tests/unit/Controllers/Table/GisVisualizationControllerTest.php b/tests/unit/Controllers/Table/GisVisualizationControllerTest.php
@@ -20,6 +20,7 @@
 use PhpMyAdmin\Url;
 use PhpMyAdmin\UrlParams;
 use PHPUnit\Framework\Attributes\CoversClass;
+use ReflectionMethod;
 
 use const MYSQLI_TYPE_GEOMETRY;
 use const MYSQLI_TYPE_VAR_STRING;
@@ -79,6 +80,19 @@ public function testGisVisualizationController(): void
 
         $config = new Config();
         $template = new Template($config);
+        $responseRenderer = new ResponseRenderer();
+        $controller = new GisVisualizationController(
+            $responseRenderer,
+            $template,
+            $dbi,
+            new DbTableExists($dbi),
+            ResponseFactory::create(),
+            $config,
+        );
+
+        /** @var list<string> $downloadOptions */
+        $downloadOptions = (new ReflectionMethod(GisVisualizationController::class, 'getDownloadOptions'))
+            ->invoke($controller);
         $expected = $template->render('table/gis_visualization/gis_visualization', [
             'url_params' => $params,
             'download_url' => $downloadUrl,
@@ -110,20 +124,12 @@ public function testGisVisualizationController(): void
                     ],
                 ],
             ],
+            'download_options' => $downloadOptions,
         ]);
 
         $request = ServerRequestFactory::create()->createServerRequest('POST', 'http://example.com/')
             ->withQueryParams(['db' => 'test_db', 'table' => 'test_table']);
 
-        $responseRenderer = new ResponseRenderer();
-        $controller = new GisVisualizationController(
-            $responseRenderer,
-            $template,
-            $dbi,
-            new DbTableExists($dbi),
-            ResponseFactory::create(),
-            $config,
-        );
         $response = $controller($request);
 
         self::assertSame(StatusCodeInterface::STATUS_OK, $response->getStatusCode());
