Download

Rod
Hi,

I have a script that downloads any file to the user according to the
parameters.
I call the script like this:
download.php?file=xxx/myfile.doc&file_short=myfile.doc

My script is working fine except with N4.7
It opens the download box, but the name is download.php instead of
myfile.doc
I found the same bug with N7 on the Net. The workaround is to call the
script with "/" :
download.php/?file=xxx/myfile.doc&file_short=myfile.doc

It solves the problem with N7, but with N4.7, the only difference is with
the name. Now it is :
download_php.htm

If I specify the content type related to the file, it works fine. But I
can't do that because the file type can be anything.
It can be a word, excel or pdf file etc etc
Do you have any idea or a script to automatically set the content-type
according to the file extension?

here is my script:
Header("Content-Type: application/octet-stream");
Header("Content-Length: ".filesize($_GET['file']));
Header("Content-Disposition: attachment; filename=".$_GET['file_short']);
readfile($_GET['file']);

Many thanks and sorry for this bad english

Rod

Jul 16 '05 #1
3 2869
On Tue, 16 Sep 2003 11:37:40 +0200 in
<message-id:bk**********@home.itg.ti.com>
"Rod" <to**@toto.com> wrote:
> Hi,
>
> I have a script that downloads any file to the user according to the
> parameters.
> I call the script like this:
> download.php?file=xxx/myfile.doc&file_short=myfile.doc
>
> [ snip ]
>
> here is my script:
> Header("Content-Type: application/octet-stream");
> Header("Content-Length: ".filesize($_GET['file']));
> Header("Content-Disposition: attachment; filename=".$_GET['file_short']);
> readfile($_GET['file']);
>
> Many thanks and sorry for this bad english
>
> Rod

Don't know what the problem is, but have you not thought about
security!?!?
download.php?file=/etc/passwd&file_short=passwd

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
Jul 16 '05 #2
Rod
Hi,

thank you for your answer.
Actually, I found the problem.
The real filenames contain spaces, so you need to use the URLENCODE function
before calling the download.php script.
Otherwise, the $GET function returns an empty string when trying to get the
parameters. (only with N4.7)

Regarding the security, you're right!
Actually, what I did is an application that browses a specific directory with
all its sub-directories.
When the user clicks on a file within a directory, it is downloaded.
I think I should check that there are no ".." characters in the filename to
be sure the file is in a sub-directory of the main directory.
Do you think it is enough?
any idea?
thanks again

Rod
"Ian.H [dS]" <ia*@WINDOZEdigiserv.net> wrote in message
news:20030916124658.5a8f51c8.ia*@WINDOZEdigiserv.net...
> On Tue, 16 Sep 2003 11:37:40 +0200 in
> <message-id:bk**********@home.itg.ti.com>
> "Rod" <to**@toto.com> wrote:
> > Hi,
> >
> > I have a script that downloads any file to the user according to the
> > parameters.
> > I call the script like this:
> > download.php?file=xxx/myfile.doc&file_short=myfile.doc
> >
> > [ snip ]
> >
> > here is my script:
> > Header("Content-Type: application/octet-stream");
> > Header("Content-Length: ".filesize($_GET['file']));
> > Header("Content-Disposition: attachment; filename=".$_GET['file_short']);
> > readfile($_GET['file']);
> >
> > Many thanks and sorry for this bad english
> >
> > Rod
>
> Don't know what the problem is, but have you not thought about
> security!?!?
> download.php?file=/etc/passwd&file_short=passwd
>
> Regards,
>
> Ian
>
> --
> Ian.H [Design & Development]
> digiServ Network - Web solutions
> www.digiserv.net | irc.digiserv.net | forum.digiserv.net
> Programming, Web design, development & hosting.

Jul 16 '05 #3
On Tue, 16 Sep 2003 14:03:34 +0200 in
<message-id:bk**********@home.itg.ti.com>
"Rod" <to**@toto.com> wrote:
> Hi,
>
> thank you for your answer.
> Actually, I found the problem.
> The real filenames contain spaces, so you need to use the URLENCODE
> function before calling the download.php script.
> Otherwise, the $GET function returns an empty string when trying to
> get the parameters. (only with N4.7)

Ahh interesting Rod, but it makes sense. I personally try and avoid
files with spaces like the plague, and use a _ (underscore) instead
(file_name.txt etc).. although this might not be an option for you
(depending on the nature of your site).


> Regarding the security, you're right!
> Actually, what I did is an application that browses a specific
> directory with all its sub-directories.
> When the user clicks on a file within a directory, it is downloaded.
> I think I should check that there are no ".." characters in the
> filename to be sure the file is in a sub-directory of the main
> directory. Do you think it is enough?
> any idea?
> thanks again

Are you the admin of the server Rod? If so, it might be worth thinking
about the safemode and open_basedir options in php.ini which will help
you define what dirs a script can access. You need to define an
"absolute base" somewhere safe.. even if it's a directory like:
'/foo/repository'. Let them browse 'til their heart's content, but don't
let them out of it. Again, this might not be a possibility, I really
don't know the nature of your script or what kind of filesystem access
you're giving people or what they need.

Checking for '.' and '..' is important.. something like:
if (substr($file, 0, 1) != '.' && substr($file, 0, 2) != '..') {
/* display non . | .. directories and non dotfiles (.htaccess) */
}
Assumptions made here with $file for demo purposes, but this is how I
at least start with scripts that read directory contents.

I'm writing a filemanager for a Web control panel app I'm coding, this
will be defined as the users Webroot dir as the base
(/home/someone/html). They'll be able to browse any files / dirs within
there (including dotfiles as they'll own them) but they won't be able to
access '/home/someone' for example. This prevents them "leaking" around
the rest of the file system too.

</2p_worth>

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
Jul 16 '05 #4
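Added example (not Rod's script and not Ian's code): one way to write the download.php discussed in this thread so that it follows Ian's "absolute base" advice and also answers Rod's original content-type question. It resolves the requested path with realpath() and checks that the result lies under the base directory, which is stronger than scanning the raw string for ".." (Ian's own /etc/passwd example contains no ".." at all). The base directory /foo/repository is Ian's placeholder; the extension-to-Content-Type table, the function names and the decision to derive the displayed filename from the resolved path instead of a second file_short parameter are assumptions of this example. The download_link() helper shows the rawurlencode() step Rod found necessary for filenames with spaces.

```php
<?php
// Added example, not code from the thread. Files are served from BASE_DIR
// (hypothetical path) and requested as download.php?file=<path relative to BASE_DIR>.
declare(strict_types=1);

const BASE_DIR = '/foo/repository';   // Ian's placeholder "absolute base"

// Allowlist of extensions this handler is willing to serve, mapped to a
// Content-Type (assumed table). Anything else falls back to octet-stream.
const CONTENT_TYPES = [
    'doc' => 'application/msword',
    'xls' => 'application/vnd.ms-excel',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
    'zip' => 'application/zip',
];

/**
 * Resolve a user-supplied relative path and return the absolute path only if
 * it is a regular file under BASE_DIR, otherwise null. realpath() collapses
 * ".", ".." and symlinks, so the decision rests on where the path really
 * ends up rather than on which characters the request contained.
 */
function resolve_in_base(string $requested): ?string
{
    // Reject NUL bytes and any dotfile component (".", "..", ".htaccess").
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    foreach (explode('/', $requested) as $part) {
        if ($part !== '' && $part[0] === '.') {
            return null;
        }
    }

    $base = realpath(BASE_DIR);
    $full = realpath(BASE_DIR . '/' . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Compare including the separator so a sibling such as
    // "/foo/repository2" does not pass as a prefix match.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

/** Content-Type chosen from the extension, defaulting to octet-stream. */
function content_type_for(string $path): string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return CONTENT_TYPES[$ext] ?? 'application/octet-stream';
}

/**
 * Link the directory browser should emit for a file. Each path segment is
 * rawurlencode()d, which handles the spaces in real filenames that left
 * Rod's $_GET parameter empty.
 */
function download_link(string $relative): string
{
    $segments = array_map('rawurlencode', explode('/', $relative));
    return 'download.php?file=' . implode('/', $segments);
}

/** Send the file, or a 404 when the request does not resolve inside BASE_DIR. */
function send_download(string $requested): void
{
    $full = resolve_in_base($requested);
    if ($full === null) {
        http_response_code(404);
        exit('Not found');
    }
    // Displayed name comes from the resolved path, not from a second
    // parameter; CR, LF and quotes are stripped so the header stays intact.
    $name = str_replace(["\r", "\n", '"'], '', basename($full));

    header('Content-Type: ' . content_type_for($full));
    header('Content-Length: ' . (string) filesize($full));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($full);
}

send_download((string) ($_GET['file'] ?? ''));
```

The realpath() check complements, rather than replaces, the open_basedir setting Ian mentions: open_basedir stops PHP from opening files outside the configured directories even if the script's own check is wrong, while the script-level check lets the handler return a clean 404 instead of a warning.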
