skot Posted September 9, 2008 Share Posted September 9, 2008 Hi. I'm trying to convert from using plain old HTML hyperlinks to using PHP to pass a file name to download.php. The problem is the download script passes a file to the browser which is not the complete file name and extension, so the file is not an actual copy of the file on the server.. I don't understand how this is not working, as the same variable {$file['name']} is displayed fine on the page, with the full file name and extension. I suspect that when the variable is passed over to download.php, spaces in file names are interfering, but I need code around this as file names will most likely always contain spaces. Code: echo "<td align=\"center\" background=\"http://bridgey.net/img/row_bg.gif\"><form name=\"download\" method=\"post\" action=\"download.php\"><input name=\"fileName\" type=\"hidden\" value=\"{$file['name']}\"><input type=\"submit\" disabled=\"true\" name=\"Download\" id=\"Download\" value=\"Download\" /></form></td>\n"; Download.php: <?php $fileName = $_POST['fileName']; header("Pragma: public"); header("Expires: 0"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Content-Type: application/force-download"); header("Content-Disposition: attachment; filename=".basename($fileName)); header("Content-Description: File Transfer"); header("Accept-Ranges: bytes"); header("Content-Length: " . filesize($fileName)); @readfile($fileName); ?> Any input would be appreciated. Many thanks. Link to comment https://forums.phpfreaks.com/topic/123459-passing-a-filename-to-downloadphp/ Share on other sites More sharing options...
skot Posted September 9, 2008 Author Share Posted September 9, 2008 Oh and ignore the HTML disabled=true.. I've put that in since. Example file name: http://bridgey.net/music/Storm%20-%20Storm%20%5BHousetrap%20Remix%5D.mp3# Resulting download:- Link to comment https://forums.phpfreaks.com/topic/123459-passing-a-filename-to-downloadphp/#findComment-637638 Share on other sites More sharing options...
discomatt Posted September 9, 2008 Share Posted September 9, 2008 Have you tried echo'ing 'basename( $fileName )' ? You may have to urldecode/encode the result... I'm not entirely sure though. Link to comment https://forums.phpfreaks.com/topic/123459-passing-a-filename-to-downloadphp/#findComment-637650 Share on other sites More sharing options...
vicodin Posted September 9, 2008 Share Posted September 9, 2008 Im pretty sure the file name doesnt include the extention on it... do an echo to make sure the extention is on it... If it is make sure you have the correct path to where the file is. Link to comment https://forums.phpfreaks.com/topic/123459-passing-a-filename-to-downloadphp/#findComment-637653 Share on other sites More sharing options...
skot Posted September 9, 2008 Author Share Posted September 9, 2008 When download.php just echos $fileName, the result is correct, I think: Storm - Storm [Housetrap Remix].mp3. As you can see it's formatted correctly for humans, no %20's or anything.. I'm not sure whether that is the result the script is returning or whether my browser just turned %20's into spaces for me.. Also if I use the following to try to specify the full location, the file that the browser attempts to download is called http__bridgey.net_music_Storm header("Content-Disposition: attachment; filename=http://bridgey.net/music/".basename($fileName)); I wouldn't of thought this was necessary anyway, as download.php and all files that could be downloaded live in the same folder on the server? Correct me if I'm wrong I'm learning here Link to comment https://forums.phpfreaks.com/topic/123459-passing-a-filename-to-downloadphp/#findComment-637950 Share on other sites More sharing options...
lisa71283 Posted September 9, 2008 Share Posted September 9, 2008 You need to carefully check the input string, otherwise that script will open up any file within your account's reach for download. Consider a link such as: http://www.example.net/download.php?fileName=../config/config.inc.php Depending on how your server is configured, somebody might get away with: http://www.example.net/download.php?fileName=/usr/local/apache/conf/httpd.conf If someone wanted to turn that script into an http(s)/ftp proxy, they could do so by passing a URL to the fileName parameter like this: http://www.example.net/download.php?fileName=http://www.hackersite.com/ This would not be good. Such a link could read the un-parsed contents of your configuration file, which could potentially reveal MySQL passwords or other sensitive data. Slashes do not belong in the fileName string, so strip them out. This prevents both directory traversal attacks, and inadvertent proxying by your download script. Furthermore, you should ensure that you are using an absolute path pointing to the file directory, and that the only extension(s) allowed are those that you specify. A quick if (strpos($fileName, '/') >= 0) { die; } will close the hole. Link to comment https://forums.phpfreaks.com/topic/123459-passing-a-filename-to-downloadphp/#findComment-637969 Share on other sites More sharing options...
discomatt Posted September 10, 2008 Share Posted September 10, 2008 When download.php just echos $fileName, the result is correct, I think: Storm - Storm [Housetrap Remix].mp3. As you can see it's formatted correctly for humans, no %20's or anything.. I'm not sure whether that is the result the script is returning or whether my browser just turned %20's into spaces for me.. Looks like you need quotes http://kb.mozillazine.org/Filenames_with_spaces_are_truncated_upon_download Link to comment https://forums.phpfreaks.com/topic/123459-passing-a-filename-to-downloadphp/#findComment-638028 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.