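allow($rateKey, (int) $app['rate_limit']['requests'], (int) $app['rate_limit']['window_seconds'])) {
    // NOTE(review): the `if (...)` that opens this branch precedes this excerpt; only the
    // rate-limited exit is visible here. Every later error branch also relies on
    // Bootstrap::textResponse() terminating the request — confirm it does.
    Bootstrap::textResponse(Bootstrap::appMessage('upload_preview.rate_limited'), 429);
}

// Look the requested upload up in the caller's draft: draft -> uploads[$field][$index].
// $email, $field and $index are defined before this excerpt. Whether $email comes from the
// authenticated session or straight from the request decides whether one user can fetch
// another user's files through this endpoint — verify at the caller.
$store = new JsonStore();
$draft = $store->getDraft($email);
if (!is_array($draft)) {
    Bootstrap::textResponse(Bootstrap::appMessage('upload_preview.draft_not_found'), 404);
}

$uploads = (array) ($draft['uploads'] ?? []);
$files = $uploads[$field] ?? null;
$entry = (is_array($files) && isset($files[$index]) && is_array($files[$index]))
    ? $files[$index]
    : null;
if (!is_array($entry)) {
    Bootstrap::textResponse(Bootstrap::appMessage('upload_preview.upload_not_found'), 404);
}

// resolveStoredPreviewPath() is the only thing between stored metadata and the filesystem;
// it is expected to confine the result to the upload directory (its body is not visible here).
$path = resolveStoredPreviewPath($entry, $app);
if ($path === null || !is_file($path)) {
    Bootstrap::textResponse(Bootstrap::appMessage('upload_preview.file_not_found'), 404);
}

// The stored MIME type originates from the upload (presumably the client-supplied value),
// so it is untrusted. Sniff the file only when nothing was recorded.
$mime = (string) ($entry['mime'] ?? '');
if ($mime === '') {
    $detected = @mime_content_type($path);
    $mime = is_string($detected) ? $detected : 'application/octet-stream';
}
$mime = strtolower(trim($mime));

// Media types a browser executes as a document when served inline. An uploaded HTML, SVG
// or XML file rendered under this origin is stored XSS, so those are never previewed inline;
// they are delivered as an opaque download instead. The same applies to any value that does
// not even look like a media type (nosniff alone does not help once Content-Type says
// text/html). PDF is still allowed inline, as most viewers sandbox it; `Content-Security-
// Policy: sandbox` would harden this further but reportedly blocks Chrome's PDF viewer, so
// it is left to the deployment.
$activeContentTypes = [
    'text/html',
    'application/xhtml+xml',
    'image/svg+xml',
    'text/xml',
    'application/xml',
    'text/javascript',
    'application/javascript',
    'application/x-javascript',
    'application/ecmascript',
    'text/ecmascript',
    'text/xsl',
];
$baseType = trim(explode(';', $mime, 2)[0]);
$looksLikeMediaType = preg_match('~^[a-z0-9][\w.+-]*/[a-z0-9][\w.+-]*$~', $baseType) === 1;
$inlineSafe = $looksLikeMediaType
    && !in_array($baseType, $activeContentTypes, true)
    && substr($baseType, -4) !== '+xml';
if (!$inlineSafe) {
    $mime = 'application/octet-stream';
}
$disposition = $inlineSafe ? 'inline' : 'attachment';

// Two filename forms: an ASCII-only fallback (so the quoted value cannot break the header)
// and the RFC 5987 form carrying the original name. An empty name gets a fixed default
// in both forms rather than an empty filename* parameter.
$downloadName = (string) ($entry['original_filename'] ?? basename($path));
$fallbackName = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
if ($fallbackName === '') {
    $fallbackName = 'upload.bin';
}
$encodedName = rawurlencode($downloadName === '' ? $fallbackName : $downloadName);

header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
// Draft uploads are per-user content; keep them out of shared caches.
header('Cache-Control: private, no-store');
// filesize() returns false on failure; an empty Content-Length header is worse than none.
$size = filesize($path);
if ($size !== false) {
    header('Content-Length: ' . (string) $size);
}
header('Content-Disposition: ' . $disposition . '; filename="' . $fallbackName . '"; filename*=UTF-8\'\'' . $encodedName);
readfile($path);
exit;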