Jump to content

Passing a Filename to Download.php

skot

By skot
in PHP Coding Help

 Share

Recommended Posts

skot Member

skot

Posted
Posted

Hi. I'm trying to convert from using plain old HTML hyperlinks to using PHP to pass a file name to download.php. The problem is the download script passes a file to the browser which is not the complete file name and extension, so the file is not an actual copy of the file on the server.. I don't understand how this is not working, as the same variable {$file['name']} is displayed fine on the page, with the full file name and extension. I suspect that when the variable is passed over to download.php, spaces in file names are interfering, but I need code around this as file names will most likely always contain spaces.

 

Code:

echo "<td align=\"center\" background=\"http://bridgey.net/img/row_bg.gif\"><form name=\"download\" method=\"post\" action=\"download.php\"><input name=\"fileName\" type=\"hidden\" value=\"{$file['name']}\"><input type=\"submit\" disabled=\"true\" name=\"Download\" id=\"Download\" value=\"Download\" /></form></td>\n";

 

 

Download.php:

<?php

$fileName = $_POST['fileName'];

header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); 

header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=".basename($fileName));

header("Content-Description: File Transfer");
header("Accept-Ranges: bytes");
header("Content-Length: " . filesize($fileName));
@readfile($fileName);

?>

 

Any input would be appreciated. Many thanks.

Link to comment
https://forums.phpfreaks.com/topic/123459-passing-a-filename-to-downloadphp/
Share on other sites
skot Member

skot

Posted
  • Author
Posted

When download.php just echos $fileName, the result is correct, I think: Storm - Storm [Housetrap Remix].mp3. As you can see it's formatted correctly for humans, no %20's or anything.. I'm not sure whether that is the result the script is returning or whether my browser just turned %20's into spaces for me..

 

Also if I use the following to try to specify the full location, the file that the browser attempts to download is called http__bridgey.net_music_Storm

 

header("Content-Disposition: attachment; filename=http://bridgey.net/music/".basename($fileName));

 

I wouldn't of thought this was necessary anyway, as download.php and all files that could be downloaded live in the same folder on the server? Correct me if I'm wrong I'm learning here :)

lisa71283 Newbie

lisa71283

Posted
Posted

You need to carefully check the input string, otherwise that script will open up any file within your account's reach for download.

 

Consider a link such as: http://www.example.net/download.php?fileName=../config/config.inc.php

 

Depending on how your server is configured, somebody might get away with: http://www.example.net/download.php?fileName=/usr/local/apache/conf/httpd.conf

 

If someone wanted to turn that script into an http(s)/ftp proxy, they could do so by passing a URL to the fileName parameter like this: http://www.example.net/download.php?fileName=http://www.hackersite.com/

 

This would not be good.

 

Such a link could read the un-parsed contents of your configuration file, which could potentially reveal MySQL passwords or other sensitive data.

 

Slashes do not belong in the fileName string, so strip them out. This prevents both directory traversal attacks, and inadvertent proxying by your download script. Furthermore, you should ensure that you are using an absolute path pointing to the file directory, and that the only extension(s) allowed are those that you specify.

 

A quick

if (strpos($fileName, '/') >= 0) { die; }

will close the hole.

discomatt Member

discomatt

Posted
Posted

When download.php just echos $fileName, the result is correct, I think: Storm - Storm [Housetrap Remix].mp3. As you can see it's formatted correctly for humans, no %20's or anything.. I'm not sure whether that is the result the script is returning or whether my browser just turned %20's into spaces for me..

 

Looks like you need quotes

 

http://kb.mozillazine.org/Filenames_with_spaces_are_truncated_upon_download

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.