From a2a21621acc862462cb3ae9695ee7ccad4e2501f Mon Sep 17 00:00:00 2001
From: BingoKingo
Date: Sat, 4 Apr 2020 09:03:28 +0800
Subject: [PATCH] Update common.php
---
 function/common.php | 680 +++++++++++++++++++++++++++++++--------------
 1 file changed, 475 insertions(+), 205 deletions(-)
diff --git a/function/common.php b/function/common.php
index 18fdf8a..bc75ba6 100644
--- a/function/common.php
+++ b/function/common.php
@@ -25,6 +25,9 @@ $Base64Env = [
 'guestup_path',
 //'usesharepoint',
 'sharepointname',
+ 'shareurl',
+ 'sharecookie',
+ 'shareapiurl',
 //'siteid',
 'public_path',
 //'refresh_token',
@@ -42,7 +45,7 @@ $CommonEnv = [
 'disktag',
 'function_name', // used in heroku.
 'hideFunctionalityFile',
- 'language',
+ //'language',
 'passfile',
 'sitename',
 'theme',
@@ -59,7 +62,7 @@ $ShowedCommonEnv = [
 //'disktag',
 //'function_name', // used in heroku.
 'hideFunctionalityFile',
- 'language',
+ //'language',
 'passfile',
 'sitename',
 'theme',
@@ -77,6 +80,9 @@ $InnerEnv = [
 'usesharepoint',
 'sharepointname',
 'siteid',
+ 'shareurl',
+ 'sharecookie',
+ 'shareapiurl',
 'public_path',
 'refresh_token',
 'token_expires',
@@ -94,11 +100,234 @@ $ShowedInnerEnv = [ //'usesharepoint', //'sharepointname', //'siteid', + 'shareurl', + 'sharecookie', + 'shareapiurl', 'public_path', //'refresh_token', //'token_expires', ]; +function main($path) +{ + global $exts; + global $constStr; + + if (in_array($_SERVER['firstacceptlanguage'], array_keys($constStr['languages']))) $constStr['language'] = $_SERVER['firstacceptlanguage']; + if (isset($_COOKIE['language'])&&$_COOKIE['language']!='') $constStr['language'] = $_COOKIE['language']; + //if (!$constStr['language']) $constStr['language'] = getConfig('language'); + /*echo 'firstacceptlanguage:'.$_SERVER['firstacceptlanguage'].' + '.'lan:'.$constStr['language'];*/ + if ($constStr['language']=='') $constStr['language'] = 'en-us'; + $_SERVER['language'] = $constStr['language']; + $_SERVER['PHP_SELF'] = path_format($_SERVER['base_path'] . $path); + + if (getConfig('admin')=='') return install(); + if (getConfig('adminloginpage')=='') { + $adminloginpage = 'admin'; + } else { + $adminloginpage = getConfig('adminloginpage'); + } + if (isset($_GET[$adminloginpage])) { + if (isset($_GET['preview'])) { + $url = $_SERVER['PHP_SELF'] . '?preview'; + } else { + $url = path_format($_SERVER['PHP_SELF'] . '/'); + } + if (getConfig('admin')!='') { + if ($_POST['password1']==getConfig('admin')) { + return adminform('admin',md5($_POST['password1']),$url); + } else return adminform(); + } else { + return output('', 302, [ 'Location' => $url ]); + } + } + if (getConfig('admin')!='') + if ( (isset($_COOKIE['admin'])&&$_COOKIE['admin']==md5(getConfig('admin'))) || (isset($_POST['password1'])&&$_POST['password1']==getConfig('admin')) ) { + $_SERVER['admin']=1; + $_SERVER['needUpdate'] = needUpdate(); + } else { + $_SERVER['admin']=0; + } + if (isset($_GET['setup'])) + if ($_SERVER['admin']) { + // setup Environments. 设置,对环境变量操作 + return EnvOpt($_SERVER['needUpdate']); + } else { + $url = path_format($_SERVER['PHP_SELF'] . 
'/'); + return output('', 302, [ 'Location' => $url ]); + } + + $_SERVER['base_disk_path'] = $_SERVER['base_path']; + $disktags = explode("|",getConfig('disktag')); +// echo 'count$disk:'.count($disktags); + if (count($disktags)>1) { + if ($path=='/'||$path=='') return output('', 302, [ 'Location' => path_format($_SERVER['base_path'].'/'.$disktags[0].'/') ]); + $_SERVER['disktag'] = $path; + $pos = strpos($path, '/'); + if ($pos>1) $_SERVER['disktag'] = substr($path, 0, $pos); + if (!in_array($_SERVER['disktag'], $disktags)) return message('Please visit from Home Page.', 'Error', 404); + $path = substr($path, strlen('/'.$_SERVER['disktag'])); + if ($_SERVER['disktag']!='') $_SERVER['base_disk_path'] = path_format($_SERVER['base_disk_path']. '/' . $_SERVER['disktag'] . '/'); + } else $_SERVER['disktag'] = $disktags[0]; +// echo 'main.disktag:'.$_SERVER['disktag'].',path:'.$path.' +//'; + $_SERVER['list_path'] = getListpath($_SERVER['HTTP_HOST']); + if ($_SERVER['list_path']=='') $_SERVER['list_path'] = '/'; + $_SERVER['is_guestup_path'] = is_guestup_path($path); + $_SERVER['ajax']=0; + if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) if ($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest') $_SERVER['ajax']=1; + + config_oauth(); + if ($_SERVER['admin']) if (isset($_GET['AddDisk'])||isset($_GET['authorization_code'])) return get_refresh_token(); + $refresh_token = getConfig('refresh_token'); + //if (!$refresh_token) return get_refresh_token(); + if (!$refresh_token) { + return render_list(); + } else { + if (!($_SERVER['access_token'] = getcache('access_token'))) { + get_access_token($refresh_token); + } + + if ($_SERVER['ajax']) { + if ($_GET['action']=='del_upload_cache'&&substr($_GET['filename'],-4)=='.tmp') { + // del '.tmp' without login. 无需登录即可删除.tmp后缀文件 + error_log('del.tmp:GET,'.json_encode($_GET,JSON_PRETTY_PRINT)); + $tmp = MSAPI('DELETE',path_format(path_format($_SERVER['list_path'] . path_format($path)) . '/' . 
spurlencode($_GET['filename']) ),'',$_SERVER['access_token']); + $path1 = path_format($_SERVER['list_path'] . path_format($path)); + if ($path1!='/'&&substr($path1,-1)=='/') $path1=substr($path1,0,-1); + savecache('path_' . $path1, json_decode('{}',true), 1); + return output($tmp['body'],$tmp['stat']); + } + if ($_GET['action']=='uploaded_rename') { + // rename .scfupload file without login. + // 无需登录即可重命名.scfupload后缀文件,filemd5为用户提交,可被构造,问题不大,以后处理 + $oldname = spurlencode($_GET['filename']); + $pos = strrpos($oldname, '.'); + if ($pos>0) $ext = strtolower(substr($oldname, $pos)); + $oldname = path_format(path_format($_SERVER['list_path'] . path_format($path)) . '/' . $oldname . '.scfupload' ); + $data = '{"name":"' . $_GET['filemd5'] . $ext . '"}'; + //echo $oldname .'
'. $data; + $tmp = MSAPI('PATCH',$oldname,$data,$_SERVER['access_token']); + if ($tmp['stat']==409) { + MSAPI('DELETE',$oldname,'',$_SERVER['access_token']); + $tmpbody = json_decode($tmp['body'], true); + $tmpbody['name'] = $_GET['filemd5'] . $ext; + $tmp['body'] = json_encode($tmpbody); + } + $path1 = path_format($_SERVER['list_path'] . path_format($path)); + if ($path1!='/'&&substr($path1,-1)=='/') $path1=substr($path1,0,-1); + savecache('path_' . $path1, json_decode('{}',true), 1); + return output($tmp['body'],$tmp['stat']); + } + if ($_GET['action']=='upbigfile') return bigfileupload($path); + } + if ($_SERVER['admin']) { + $tmp = adminoperate($path); + if ($tmp['statusCode'] > 0) { + $path1 = path_format($_SERVER['list_path'] . path_format($path)); + if ($path1!='/'&&substr($path1,-1)=='/') $path1=substr($path1,0,-1); + savecache('path_' . $path1, json_decode('{}',true), 1); + return $tmp; + } + } else { + if ($_SERVER['ajax']) return output(getconstStr('RefreshtoLogin'),401); + } + $_SERVER['ishidden'] = passhidden($path); + if (isset($_GET['thumbnails'])) { + if ($_SERVER['ishidden']<4) { + if (in_array(strtolower(substr($path, strrpos($path, '.') + 1)), $exts['img'])) { + return get_thumbnails_url($path); + } else return output(json_encode($exts['img']),400); + } else return output('',401); + } + + $files = list_files($path); + //echo json_encode(array_keys($files['children']), JSON_PRETTY_PRINT); + if (isset($_GET['random'])&&$_GET['random']!=='') { + if ($_SERVER['ishidden']<4) { + $tmp = []; + foreach (array_keys($files['children']) as $filename) { + if (strtolower(splitlast($filename,'.')[1])==strtolower($_GET['random'])) $tmp[$filename] = $files['children'][$filename][$_SERVER['DownurlStrName']]; + } + $tmp = array_values($tmp); + if (count($tmp)>0) { + if (isset($_GET['url'])) return output($tmp[rand(0,count($tmp)-1)], 200); + return output('', 302, [ 'Location' => $tmp[rand(0,count($tmp)-1)] ]); + } else return output('',404); + } else return 
output('',401); + } + if (isset($files['file']) && !isset($_GET['preview'])) { + // is file && not preview mode + if ( $_SERVER['ishidden']<4 || (!!getConfig('downloadencrypt')&&$files['name']!=getConfig('passfile')) ) return output('', 302, [ 'Location' => $files[$_SERVER['DownurlStrName']] ]); + } + if ( isset($files['folder']) || isset($files['file']) ) { + return render_list($path, $files); + } else { + if (!isset($files['error'])) { + $files['error']['message'] = json_encode($files, JSON_PRETTY_PRINT); + $files['error']['code'] = 'unknownError'; + $files['error']['stat'] = 500; + } + return message(''.getconstStr('Back').getconstStr('Home').'
' . $files['error']['message'] . '
'.getconstStr('Back').'', $files['error']['code'], $files['error']['stat']); + } + } +} + +function get_access_token($refresh_token) +{ + if (getConfig('Drive_ver')=='shareurl') { + $shareurl = getConfig('shareurl'); + $tmp1 = splitlast($shareurl, '/')[0]; + $account = splitlast($tmp1, '/')[1]; + $tmp1 = splitlast($shareurl, ':')[0]; + $domain = splitlast($tmp1, '/')[0]; + if (!isset($_SERVER['sharecookie'])||$_SERVER['sharecookie']=='') $_SERVER['sharecookie'] = curl_request($shareurl,false, [],1)['returnhead']['Set-Cookie']; + $response = curl_request( + $domain . "/personal/" . $account . "/_api/web/GetListUsingPath(DecodedUrl=@a1)/RenderListDataAsStream?@a1='" . urlencode("/personal/" . $account . "/Documents") . "'&RootFolder=" . urlencode("/personal/" . $account . "/Documents/") . "&TryNewExperienceSingle=TRUE", + '{"parameters":{"__metadata":{"type":"SP.RenderListDataParameters"},"RenderOptions":136967,"AllowMultipleValueFilterForTaxonomyFields":true,"AddRequiredFields":true}}', + [ 'Accept' => 'application/json;odata=verbose', 'Content-Type' => 'application/json;odata=verbose', 'origin' => $domain, 'Cookie' => $_SERVER['sharecookie'] ] + ); + if ($response['stat']==200) $ret = json_decode($response['body'], true); + $_SERVER['access_token'] = splitlast($ret['ListSchema']['.driveAccessToken'],'=')[1]; + $_SERVER['api_url'] = $ret['ListSchema']['.driveUrl'].'/root'; + if (!$_SERVER['access_token']) { + error_log($domain . "/personal/" . $account . "/_api/web/GetListUsingPath(DecodedUrl=@a1)/RenderListDataAsStream?@a1='" . urlencode("/personal/" . $account . "/Documents") . "'&RootFolder=" . urlencode("/personal/" . $account . "/Documents/") . "&TryNewExperienceSingle=TRUE"); + error_log('failed to get share access_token. response' . 
json_encode($ret)); + throw new Exception($response['stat'].', failed to get share access_token.'.$response['body']); + } + error_log('Get access token:'.json_encode($ret, JSON_PRETTY_PRINT)); + savecache('access_token', $_SERVER['access_token']); + if (getConfig('sharecookie')==''||getConfig('shareapiurl')=='') setConfig([ 'sharecookie' => $_SERVER['sharecookie'], 'shareapiurl' => $_SERVER['api_url'] ]); + } else { + $response = curl_request( $_SERVER['oauth_url'] . 'token', 'client_id='. $_SERVER['client_id'] .'&client_secret='. $_SERVER['client_secret'] .'&grant_type=refresh_token&requested_token_use=on_behalf_of&refresh_token=' . $refresh_token ); + if ($response['stat']==200) $ret = json_decode($response['body'], true); + if (!isset($ret['access_token'])) { + error_log($_SERVER['oauth_url'] . 'token'.'?client_id='. $_SERVER['client_id'] .'&client_secret='. $_SERVER['client_secret'] .'&grant_type=refresh_token&requested_token_use=on_behalf_of&refresh_token=' . $refresh_token); + error_log('failed to get access_token. response' . json_encode($ret)); + throw new Exception($response['stat'].', failed to get access_token.'.$response['body']); + } + error_log('Get access token:'.json_encode($ret, JSON_PRETTY_PRINT)); + $_SERVER['access_token'] = $ret['access_token']; + savecache('access_token', $_SERVER['access_token'], $ret['expires_in'] - 300); + if (time()>getConfig('token_expires')) setConfig([ 'refresh_token' => $ret['refresh_token'], 'token_expires' => time()+7*24*60*60 ]); + } +} + +function list_files($path) +{ + $path = path_format($path); + if ($_SERVER['is_guestup_path']&&!$_SERVER['admin']) { + $files = json_decode('{"folder":{}}', true); + } elseif (!getConfig('downloadencrypt')) { + if ($_SERVER['ishidden']==4) $files = json_decode('{"folder":{}}', true); + else $files = fetch_files($path); + } else { + $files = fetch_files($path); + } + return $files; +} + function isHideFile($name) { $FunctionalityFile = [ 
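Review bot: get_access_token() writes credential material to the log: both branches call `error_log('Get access token:'.json_encode($ret, JSON_PRETTY_PRINT))`, which dumps the whole token response, and the OAuth failure path logs the request string with `client_secret` and `refresh_token` in it. Logging only the outcome, e.g. `error_log('get_access_token: stat ' . $response['stat']);`, keeps the tokens out of log storage. In the shareurl branch `$ret` is assigned only when `$response['stat']==200`, so the `$ret['ListSchema']` reads that follow hit an undefined variable on any other status; start the branch with `$ret = [];`. Also in main(), the admin checks use loose `==` (`$_COOKIE['admin']==md5(getConfig('admin'))` and the `$_POST['password1']` comparison); `hash_equals()` on string values avoids PHP's type juggling and is constant-time.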
@@ -115,14 +344,12 @@ function isHideFile($name) function getcache($str) { - //$cache = null; $cache = new \Doctrine\Common\Cache\FilesystemCache(sys_get_temp_dir(), __DIR__.'/Onedrive/'.$_SERVER['disktag']); return $cache->fetch($str); } function savecache($key, $value, $exp = 1800) { - //$cache = null; $cache = new \Doctrine\Common\Cache\FilesystemCache(sys_get_temp_dir(), __DIR__.'/Onedrive/'.$_SERVER['disktag']); $cache->save($key, $value, $exp); } @@ -139,6 +366,12 @@ function config_oauth() $_SERVER['sitename'] = getConfig('sitename'); if (empty($_SERVER['sitename'])) $_SERVER['sitename'] = getconstStr('defaultSitename'); $_SERVER['redirect_uri'] = 'https://scfonedrive.github.io'; + if (getConfig('Drive_ver')=='shareurl') { + $_SERVER['api_url'] = getConfig('shareapiurl'); + $_SERVER['sharecookie'] = getConfig('sharecookie'); + $_SERVER['DownurlStrName'] = '@content.downloadUrl'; + return 0; + } if (getConfig('Drive_ver')=='MS') { // MS // https://portal.azure.com @@ -169,6 +402,7 @@ function config_oauth() } $_SERVER['client_secret'] = urlencode($_SERVER['client_secret']); $_SERVER['scope'] = urlencode($_SERVER['scope']); + $_SERVER['DownurlStrName'] = '@microsoft.graph.downloadUrl'; } function get_siteid($access_token) @@ -180,8 +414,6 @@ function get_siteid($access_token) while ($url!=''&&$response['stat']!=200&&$i<4) { $response = curl_request($url, false, ['Authorization' => 'Bearer ' . $access_token]); $i++; - //echo 'https://graph.microsoft.com/v1.0/sites/root:/sites/'.getConfig('sharepointname').$response['stat'].$response['body'].' - //'; } if ($response['stat']!=200) { error_log('failed to get siteid. response' . json_encode($response)); 
@@ -251,7 +483,9 @@ function equal_replace($str, $add = false) function is_guestup_path($path) { - if (path_format('/'.path_format(urldecode($_SERVER['list_path'].path_format($path))).'/')==path_format('/'.path_format(getConfig('guestup_path')).'/')&&getConfig('guestup_path')!='') return 1; + $a1 = path_format(path_format(urldecode($_SERVER['list_path'].path_format($path))).'/'); + $a2 = path_format(path_format(getConfig('guestup_path')).'/'); + if (getConfig('guestup_path')!=''&&strtolower($a1)==strtolower($a2)) return 1; return 0; } @@ -336,7 +570,7 @@ function gethiddenpass($path,$passfile) $ispassfile = fetch_files(path_format($path . '/' . urlencode($passfile))); //echo $path . '
' . json_encode($ispassfile, JSON_PRETTY_PRINT) . '
'; if (isset($ispassfile['file'])) { - $arr = curl_request($ispassfile['@microsoft.graph.downloadUrl']); + $arr = curl_request($ispassfile[$_SERVER['DownurlStrName']]); if ($arr['stat']==200) { $passwordf=explode("\n",$arr['body']); $password=$passwordf[0]; @@ -427,7 +661,7 @@ function message($message, $title = 'Message', $statusCode = 200) function needUpdate() { - $current_ver = file_get_contents(__DIR__ . '/../version'); + $current_ver = file_get_contents(__DIR__ . '/version'); $current_ver = substr($current_ver, strpos($current_ver, '.')+1); $current_ver = explode(urldecode('%0A'),$current_ver)[0]; $current_ver = explode(urldecode('%0D'),$current_ver)[0]; @@ -526,7 +760,7 @@ function bigfileupload($path) $getoldupinfo=fetch_files(path_format($path . '/' . $cachefilename)); //echo json_encode($getoldupinfo, JSON_PRETTY_PRINT); if (isset($getoldupinfo['file'])&&$getoldupinfo['size']<5120) { - $getoldupinfo_j = curl_request($getoldupinfo['@microsoft.graph.downloadUrl']); + $getoldupinfo_j = curl_request($getoldupinfo[$_SERVER['DownurlStrName']]); $getoldupinfo = json_decode($getoldupinfo_j['body'], true); if ( json_decode( curl_request($getoldupinfo['uploadUrl'])['body'], true)['@odata.context']!='' ) return output($getoldupinfo_j['body'], $getoldupinfo_j['stat']); } 
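Review bot: needUpdate() now reads `__DIR__ . '/version'`, which for function/common.php resolves to function/version rather than the repository-root file the old `'/../version'` pointed at, and the diffstat shows no other file touched by this commit. If that file is absent, `file_get_contents()` returns false and the `substr()`/`explode()` parsing below runs on a non-string, so the update check would presumably compare against an empty version. Either keep the old path or guard the read with `if ($current_ver === false)` and return early (the function's return convention lies outside the hunk).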
@@ -541,194 +775,6 @@ function bigfileupload($path) return output('error', 400); } -function main($path) -{ - global $exts; - global $constStr; -//echo 'main.enterpath:'.$path.' -//'; - if (isset($_COOKIE['language'])) $constStr['language'] = $_COOKIE['language']; - if (!$constStr['language']) $constStr['language'] = getConfig('language'); - if ($constStr['language']=='') $constStr['language'] = 'en-us'; - $_SERVER['language'] = $constStr['language']; - $_SERVER['PHP_SELF'] = path_format($_SERVER['base_path'] . $path); - - if (getConfig('admin')=='') return install(); - if (getConfig('adminloginpage')=='') { - $adminloginpage = 'admin'; - } else { - $adminloginpage = getConfig('adminloginpage'); - } - if (isset($_GET[$adminloginpage])) { - if (isset($_GET['preview'])) { - $url = $_SERVER['PHP_SELF'] . '?preview'; - } else { - $url = path_format($_SERVER['PHP_SELF'] . '/'); - } - if (getConfig('admin')!='') { - if ($_POST['password1']==getConfig('admin')) { - return adminform('admin',md5($_POST['password1']),$url); - } else return adminform(); - } else { - return output('', 302, [ 'Location' => $url ]); - } - } - if (getConfig('admin')!='') - if ( (isset($_COOKIE['admin'])&&$_COOKIE['admin']==md5(getConfig('admin'))) || (isset($_POST['password1'])&&$_POST['password1']==getConfig('admin')) ) { - $_SERVER['admin']=1; - $_SERVER['needUpdate'] = needUpdate(); - } else { - $_SERVER['admin']=0; - } - if (isset($_GET['setup'])) - if ($_SERVER['admin']) { - // setup Environments. 设置,对环境变量操作 - return EnvOpt($_SERVER['needUpdate']); - } else { - $url = path_format($_SERVER['PHP_SELF'] . 
'/'); - return output('', 302, [ 'Location' => $url ]); - } - - $_SERVER['base_disk_path'] = $_SERVER['base_path']; - $disktags = explode("|",getConfig('disktag')); -// echo 'count$disk:'.count($disktags); - if (count($disktags)>1) { - if ($path=='/'||$path=='') return output('', 302, [ 'Location' => path_format($_SERVER['base_path'].'/'.$disktags[0].'/') ]); - $_SERVER['disktag'] = $path; - $pos = strpos($path, '/'); - if ($pos>1) $_SERVER['disktag'] = substr($path, 0, $pos); - if (!in_array($_SERVER['disktag'], $disktags)) return message('Please visit from Home Page.', 'Error', 404); - $path = substr($path, strlen('/'.$_SERVER['disktag'])); - if ($_SERVER['disktag']!='') $_SERVER['base_disk_path'] = path_format($_SERVER['base_disk_path']. '/' . $_SERVER['disktag'] . '/'); - } else $_SERVER['disktag'] = $disktags[0]; -// echo 'main.disktag:'.$_SERVER['disktag'].',path:'.$path.' -//'; - $_SERVER['list_path'] = getListpath($_SERVER['HTTP_HOST']); - if ($_SERVER['list_path']=='') $_SERVER['list_path'] = '/'; - $_SERVER['is_guestup_path'] = is_guestup_path($path); - $_SERVER['ajax']=0; - if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) if ($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest') $_SERVER['ajax']=1; - - config_oauth(); - if ($_SERVER['admin']) if (isset($_GET['AddDisk'])||isset($_GET['authorization_code'])) return get_refresh_token(); - $refresh_token = getConfig('refresh_token'); - //if (!$refresh_token) return get_refresh_token(); - if (!$refresh_token) { - return render_list(); - } else { - if (!($_SERVER['access_token'] = getcache('access_token'))) { - $response = curl_request( $_SERVER['oauth_url'] . 'token', 'client_id='. $_SERVER['client_id'] .'&client_secret='. $_SERVER['client_secret'] .'&grant_type=refresh_token&requested_token_use=on_behalf_of&refresh_token=' . $refresh_token ); - if ($response['stat']==200) $ret = json_decode($response['body'], true); - if (!isset($ret['access_token'])) { - error_log($_SERVER['oauth_url'] . 'token'.'?client_id='. 
$_SERVER['client_id'] .'&client_secret='. $_SERVER['client_secret'] .'&grant_type=refresh_token&requested_token_use=on_behalf_of&refresh_token=' . $refresh_token); - error_log('failed to get access_token. response' . json_encode($ret)); - throw new Exception($response['stat'].', failed to get access_token.'.$response['body']); - } - error_log('Get access token:'.json_encode($ret, JSON_PRETTY_PRINT)); - $_SERVER['access_token'] = $ret['access_token']; - savecache('access_token', $_SERVER['access_token'], $ret['expires_in'] - 300); - if (time()>getConfig('token_expires')) setConfig([ 'refresh_token' => $ret['refresh_token'], 'token_expires' => time()+7*24*60*60 ]); - } - - if ($_SERVER['ajax']) { - if ($_GET['action']=='del_upload_cache'&&substr($_GET['filename'],-4)=='.tmp') { - // del '.tmp' without login. 无需登录即可删除.tmp后缀文件 - error_log('del.tmp:GET,'.json_encode($_GET,JSON_PRETTY_PRINT)); - $tmp = MSAPI('DELETE',path_format(path_format($_SERVER['list_path'] . path_format($path)) . '/' . spurlencode($_GET['filename']) ),'',$_SERVER['access_token']); - $path1 = path_format($_SERVER['list_path'] . path_format($path)); - if ($path1!='/'&&substr($path1,-1)=='/') $path1=substr($path1,0,-1); - savecache('path_' . $path1, json_decode('{}',true), 1); - return output($tmp['body'],$tmp['stat']); - } - if ($_GET['action']=='uploaded_rename') { - // rename .scfupload file without login. - // 无需登录即可重命名.scfupload后缀文件,filemd5为用户提交,可被构造,问题不大,以后处理 - $oldname = spurlencode($_GET['filename']); - $pos = strrpos($oldname, '.'); - if ($pos>0) $ext = strtolower(substr($oldname, $pos)); - $oldname = path_format(path_format($_SERVER['list_path'] . path_format($path)) . '/' . $oldname . '.scfupload' ); - $data = '{"name":"' . $_GET['filemd5'] . $ext . '"}'; - //echo $oldname .'
'. $data; - $tmp = MSAPI('PATCH',$oldname,$data,$_SERVER['access_token']); - if ($tmp['stat']==409) { - MSAPI('DELETE',$oldname,'',$_SERVER['access_token']); - $tmpbody = json_decode($tmp['body'], true); - $tmpbody['name'] = $_GET['filemd5'] . $ext; - $tmp['body'] = json_encode($tmpbody); - } - $path1 = path_format($_SERVER['list_path'] . path_format($path)); - if ($path1!='/'&&substr($path1,-1)=='/') $path1=substr($path1,0,-1); - savecache('path_' . $path1, json_decode('{}',true), 1); - return output($tmp['body'],$tmp['stat']); - } - if ($_GET['action']=='upbigfile') return bigfileupload($path); - } - if ($_SERVER['admin']) { - $tmp = adminoperate($path); - if ($tmp['statusCode'] > 0) { - $path1 = path_format($_SERVER['list_path'] . path_format($path)); - if ($path1!='/'&&substr($path1,-1)=='/') $path1=substr($path1,0,-1); - savecache('path_' . $path1, json_decode('{}',true), 1); - return $tmp; - } - } else { - if ($_SERVER['ajax']) return output(getconstStr('RefreshtoLogin'),401); - } - $_SERVER['ishidden'] = passhidden($path); - if (isset($_GET['thumbnails'])) { - if ($_SERVER['ishidden']<4) { - if (in_array(strtolower(substr($path, strrpos($path, '.') + 1)), $exts['img'])) { - return get_thumbnails_url($path); - } else return output(json_encode($exts['img']),400); - } else return output('',401); - } - - $files = list_files($path); - //echo json_encode(array_keys($files['children']), JSON_PRETTY_PRINT); - if (isset($_GET['random'])&&$_GET['random']!=='') { - if ($_SERVER['ishidden']<4) { - $tmp = []; - foreach (array_keys($files['children']) as $filename) { - if (strtolower(splitlast($filename,'.')[1])==strtolower($_GET['random'])) $tmp[$filename] = $files['children'][$filename]['@microsoft.graph.downloadUrl']; - } - $tmp = array_values($tmp); - if (count($tmp)>0) { - if (isset($_GET['url'])) return output($tmp[rand(0,count($tmp)-1)], 200); - return output('', 302, [ 'Location' => $tmp[rand(0,count($tmp)-1)] ]); - } else return output('',404); - } else return 
output('',401); - } - if (isset($files['file']) && !isset($_GET['preview'])) { - // is file && not preview mode - if ( $_SERVER['ishidden']<4 || (!!getConfig('downloadencrypt')&&$files['name']!=getConfig('passfile')) ) return output('', 302, [ 'Location' => $files['@microsoft.graph.downloadUrl'] ]); - } - if ( isset($files['folder']) || isset($files['file']) ) { - return render_list($path, $files); - } else { - if (!isset($files['error'])) { - $files['error']['message'] = json_encode($files, JSON_PRETTY_PRINT); - $files['error']['code'] = 'unknownError'; - $files['error']['stat'] = 500; - } - return message(''.getconstStr('Back').getconstStr('Home').'
' . $files['error']['message'] . '
'.getconstStr('Back').'', $files['error']['code'], $files['error']['stat']); - } - } -} - -function list_files($path) -{ - $path = path_format($path); - if ($_SERVER['is_guestup_path']&&!$_SERVER['admin']) { - $files = json_decode('{"folder":{}}', true); - } elseif (!getConfig('downloadencrypt')) { - if ($_SERVER['ishidden']==4) $files = json_decode('{"folder":{}}', true); - else $files = fetch_files($path); - } else { - $files = fetch_files($path); - } - return $files; -} - function adminform($name = '', $pass = '', $path = '') { $statusCode = 401; @@ -891,18 +937,36 @@ function adminoperate($path) return $tmparr; } +function splitfirst($str, $split) +{ + $len = strlen($split); + $pos = strpos($str, $split); + if ($pos===false) { + $tmp[0] = $str; + $tmp[1] = ''; + } elseif ($pos>0) { + $tmp[0] = substr($str, 0, $pos); + $tmp[1] = substr($str, $pos+$len); + } else { + $tmp[0] = ''; + $tmp[1] = substr($str, $len); + } + return $tmp; +} + function splitlast($str, $split) { + $len = strlen($split); $pos = strrpos($str, $split); if ($pos===false) { $tmp[0] = $str; $tmp[1] = ''; } elseif ($pos>0) { $tmp[0] = substr($str, 0, $pos); - $tmp[1] = substr($str, $pos+1); + $tmp[1] = substr($str, $pos+$len); } else { $tmp[0] = ''; - $tmp[1] = substr($str, 1); + $tmp[1] = substr($str, $len); } return $tmp; } 
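Review bot: splitfirst() and the reworked splitlast() never initialise `$tmp`, and their `elseif ($pos>0)` and `else` branches produce the same result, because `substr($str, 0, 0)` is already `''`. Each body can shrink to `if ($pos===false) return [$str, ''];` followed by `return [substr($str, 0, $pos), substr($str, $pos+$len)];`. A short docblock saying that the separator itself is dropped and that a missing separator yields `[$str, '']` would help, since get_access_token() depends on that behaviour when it takes the share URL apart.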
@@ -990,10 +1054,10 @@ function fetch_files($path = '/') if ($parentpath=='') $parentpath = '/'; $filename = $pos[1]; if ($parentfiles = getcache('path_' . $parentpath)) { - if (isset($parentfiles['children'][$filename]['@microsoft.graph.downloadUrl'])) { + if (isset($parentfiles['children'][$filename][$_SERVER['DownurlStrName']])) { if (in_array(splitlast($filename,'.')[1], $exts['txt'])) { if (!(isset($parentfiles['children'][$filename]['content'])&&$parentfiles['children'][$filename]['content']['stat']==200)) { - $content1 = curl_request($parentfiles['children'][$filename]['@microsoft.graph.downloadUrl']); + $content1 = curl_request($parentfiles['children'][$filename][$_SERVER['DownurlStrName']]); $parentfiles['children'][$filename]['content'] = $content1; savecache('path_' . $parentpath, $parentfiles); } @@ -1007,16 +1071,222 @@ function fetch_files($path = '/') $url .= ':' . $path; if (substr($url,-1)=='/') $url=substr($url,0,-1); } - $url .= '?expand=children(select=name,size,file,folder,parentReference,lastModifiedDateTime,@microsoft.graph.downloadUrl)'; + $url .= '?expand=children(select=name,size,file,folder,parentReference,lastModifiedDateTime,'.$_SERVER['DownurlStrName'].')'; $retry = 0; $arr = []; while ($retry<3&&!$arr['stat']) { - $arr = curl_request($url, false, ['Authorization' => 'Bearer ' . $_SERVER['access_token']]); + $arr = curl_request($url, false, ['Authorization' => 'Bearer ' . $_SERVER['access_token']],1); $retry++; } if ($arr['stat']<500) { $files = json_decode($arr['body'], true); - // echo $path . '
' . json_encode($files, JSON_PRETTY_PRINT) . '
'; + //echo $path . '
' . json_encode($arr, JSON_PRETTY_PRINT) . '
'; + if (isset($files['folder'])) { + if ($files['folder']['childCount']>200) { + // files num > 200 , then get nextlink +@@ -1072,7 +1136,7 @@ function fetch_files_children($files, $path, $page) + // down cache file get jump info. 下载cache文件获取跳页链接 + $cachefile = fetch_files(path_format($path1 . '/' .$cachefilename)); + if ($cachefile['size']>0) { + $pageinfo = curl_request($cachefile[$_SERVER['DownurlStrName']])['body']; + $pageinfo = json_decode($pageinfo,true); + for ($page4=1;$page4<$maxpage;$page4++) { + savecache('nextlink_' . $path . '_page_' . $page4, $pageinfo['nextlink_' . $path . '_page_' . $page4]); +@@ -1089,9 +1153,9 @@ function fetch_files_children($files, $path, $page) + if ($path !== '/') { + $url .= ':' . $path; + if (substr($url,-1)=='/') $url=substr($url,0,-1); + $url .= ':/children?$select=name,size,file,folder,parentReference,lastModifiedDateTime,'.$_SERVER['DownurlStrName']; + } else { + $url .= '/children?$select=name,size,file,folder,parentReference,lastModifiedDateTime,'.$_SERVER['DownurlStrName']; + } + $children = json_decode(curl_request($url, false, ['Authorization' => 'Bearer ' . $_SERVER['access_token']])['body'], true); + // echo $url . '
' . json_encode($children, JSON_PRETTY_PRINT) . '
'; +@@ -1275,22 +1339,27 @@ function get_refresh_token() + } + } + if (isset($_GET['install0'])) { + if ($_POST['disktag_add']!='') { + if (in_array($_COOKIE['disktag'], $CommonEnv)) { + return message('Do not input ' . $envs . '
', 'Error', 201); + } + $_SERVER['disktag'] = $_COOKIE['disktag']; + $tmp['disktag_add'] = $_POST['disktag_add']; + $tmp['diskname'] = $_POST['diskname']; + $tmp['Drive_ver'] = $_POST['Drive_ver']; + if ($_POST['Drive_ver']=='shareurl') { + $tmp['shareurl'] = $_POST['shareurl']; + $tmp['refresh_token'] = 1; + } else { + if ($_POST['Drive_custom']=='on') { + $tmp['Drive_custom'] = $_POST['Drive_custom']; + $tmp['client_id'] = $_POST['client_id']; + $tmp['client_secret'] = $_POST['client_secret']; + } + if ($_POST['usesharepoint']=='on') { + $tmp['usesharepoint'] = $_POST['usesharepoint']; + $tmp['sharepointname'] = $_POST['sharepointname']; + } + if ($_POST['Drive_ver']=='shareurl') { + $tmp['shareurl'] = $_POST['shareurl']; + $tmp['refresh_token'] = 1; + } else { + if ($_POST['Drive_custom']=='on') { + $tmp['Drive_custom'] = $_POST['Drive_custom']; + $tmp['client_id'] = $_POST['client_id']; + $tmp['client_secret'] = $_POST['client_secret']; + } + if ($_POST['usesharepoint']=='on') { + $tmp['usesharepoint'] = $_POST['usesharepoint']; + $tmp['sharepointname'] = $_POST['sharepointname']; + } + } + $response = setConfigResponse( setConfig($tmp, $_COOKIE['disktag']) ); + if (api_error($response)) { +@@ -1299,6 +1368,7 @@ function get_refresh_token() + } else { + $title = getconstStr('MayinEnv'); + $html = getconstStr('Wait') . ' 3s'; + if ($_POST['Drive_ver']=='shareurl') $html = getconstStr('Wait') . ' 3s'; + } + return message($html, $title, 201); + } +@@ -1317,19 +1387,22 @@ function get_refresh_token() + '.getconstStr('OnedriveDiskName').':
+
+
+
+
+
+
+
+ +
+
+ +
+