
Hi, I'm new here and have a straightforward question.

 

On a server I use I have this script and we use it to force the download of mp3 files on a single click of a link. (Avoid opening in an internet audio buffering plug in or application)

 

<?php

$filename = $_GET['file'];

// required for IE, otherwise Content-disposition is ignored
if(ini_get('zlib.output_compression'))
  ini_set('zlib.output_compression', 'Off');

// addition by Jorg Weske
$file_extension = strtolower(substr(strrchr($filename,"."),1));

if( $filename == "" ) 
{
  echo "<html><title>Download Script</title><body>ERROR: download file NOT SPECIFIED. USE force-download.php?file=filepath</body></html>";
  exit;
} elseif ( ! file_exists( $filename ) ) 
{
  echo "<html><title>Download Script</title><body>ERROR: File not found. USE force-download.php?file=filepath</body></html>";
  exit;
};
switch( $file_extension )
{
  case "pdf": $ctype="application/pdf"; break;
  case "exe": $ctype="application/octet-stream"; break;
  case "zip": $ctype="application/zip"; break;
  case "doc": $ctype="application/msword"; break;
  case "xls": $ctype="application/vnd.ms-excel"; break;
  case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
  case "gif": $ctype="image/gif"; break;
  case "png": $ctype="image/png"; break;
  case "mp3": $ctype="audio/mpeg3"; break;
  case "jpeg":
  case "jpg": $ctype="image/jpg"; break;
  default: $ctype="application/force-download";
}
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers 
header("Content-Type: $ctype");
// change, added quotes to allow spaces in filenames, by Rajkumar Singh
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
readfile("$filename");
exit();

?>

 

I recently got an email from my service provider quoting the following

 

Hello,

 

I apologize, but I was forced to suspend the script /home/mezerik/********/forcedownload.php as it was causing a high load on the server, and due to it affecting all of the other accounts on the system, I was forced to take immediate action for the health of the server.

 

Unfortunately I do not have any specific recommendations for this script, however, in general, adding some sort of caching mechanism, where the script does not need to generate a new page with every request, helps to lower the over load that a script will cause. Likely the original author or support group of the software that you are using will be able to help you to understand how to add something of this nature.

 

If you reply back to this with your IP address (http://www.******.com/ip.shtml) we will be more than happy to go ahead and enable HTTP access for you, so that you can safely work on the script without it causing further issues. Please let us know how you would like to proceed.

 

I am not sure what is wrong with the script and if it is insecure to the server and should be edited or removed.

https://forums.phpfreaks.com/topic/261781-php-causing-high-load-on-server/

I don't see how that script could cause high load. Only if it was being used a lot - generating most of the traffic and taking most of the processing time.

 

By the way, that script allows anyone to download any file on your server. MP3 or not. I can just change the file name to anything, like

force-download.php?file=force-download.php

It's more like whoever is your host is very limiting in what you can do, the services you pay for.

 

"as it was causing a high load on the server", so it was using too much cpu and possibly memory in their eyes.

 

All that is shared across the server depending on how many users they are renting to.

 

This is a very common issue, you get what you pay for, and sometimes not even that.

Also, if allow_url_fopen is enabled, both file_exists and readfile can operate on files using some of the url wrappers and the posted code could be used to read files from a different server and output them.

 

If allow_url_fopen is enabled, you need to turn it off, if possible, and you should always validate/filter ALL external data. If $filename is expected to be only a filename.ext, make sure that's all it is.
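
A hardened variant of the download script along the lines the replies recommend, added here as an example and not part of the original thread. It accepts only a bare filename.ext, confines it to one directory and serves only allowlisted extensions; `DOWNLOAD_DIR`, `ALLOWED_TYPES` and `resolve_download()` are hypothetical names chosen for the illustration.

```php
<?php
// Added example, not the original poster's code. DOWNLOAD_DIR and ALLOWED_TYPES are assumptions.
const DOWNLOAD_DIR  = '/var/www/media';          // hypothetical directory that holds the downloads
const ALLOWED_TYPES = ['mp3' => 'audio/mpeg'];   // extension allowlist, each with a fixed Content-Type

// Map the user-supplied name to a real file inside $baseDir, or return null.
function resolve_download(string $requested, string $baseDir, array $allowed): ?string
{
    // Accept a bare "name.ext" only. The pattern excludes '/', '\', ':' and NUL, so directory
    // traversal and URL wrappers (http://, ftp://, php://) are rejected before any file call.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,199}\z/', $requested)) {
        return null;
    }
    // realpath() resolves symlinks and returns false for paths that do not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved file must still sit under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Check the extension of the resolved file, so a symlink named x.mp3 cannot expose a script.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset($allowed[$ext]) ? $path : null;
}

$requested = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';
$path = resolve_download($requested, DOWNLOAD_DIR, ALLOWED_TYPES);
if ($path === null) {
    http_response_code(404);                     // same answer for "invalid" and "missing"
    exit('File not found.');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('X-Content-Type-Options: nosniff');
// $requested already passed the pattern above, so it cannot contain quotes or line breaks.
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```

With this in place a request such as `force-download.php?file=force-download.php` gets the 404 response, because `php` is not in the allowlist and the script does not live in the download directory.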
