Download

  • Rod

    Download

    Hi,

    I have a script that downloads any file to the user according to the
    parameters.
    I call the script like this:
    download.php?file=xxx/myfile.doc&file_short=myfile.doc

    My script is working fine except with N4.7
    It opens the download box, but the name is download.php instead of
    myfile.doc
    I found the same bug with N7 on the Net. The workaround is to call the
    script with "/" :
    download.php/?file=xxx/myfile.doc&file_short=myfile.doc

    It solves the problem with N7, but with N4.7, the only difference is with
    the name. Now it is :
    download_php.htm

    If I specify the content type related to the file, it works fine. But I
    can't do that because the file type can be anything.
    It can be a word, excel or pdf file etc etc
    Do you have any idea or a script to automatically set the content-type
    according to the file extension ?

    here is my script:
    Header("Content-Type: application/octet-stream");
    Header("Content-Length: ".filesize($_GET['file']));
    Header("Content-Disposition: attachment; filename=".$_GET['file_short']);
    readfile($_GET['file']);

    Many thanks and sorry for this bad English

    Rod



  • Ian.H [dS]

    #2
    Re: Download

    On Tue, 16 Sep 2003 11:37:40 +0200 in
    <message-id:bk6lh7$f55$1@home.itg.ti.com>
    "Rod" <toto@toto.com> wrote:
    > Hi,
    >
    > I have a script that downloads any file to the user according to the
    > parameters.
    > I call the script like this:
    > download.php?file=xxx/myfile.doc&file_short=myfile.doc


    [ snip ]

    > here is my script:
    > Header("Content-Type: application/octet-stream");
    > Header("Content-Length: ".filesize($_GET['file']));
    > Header("Content-Disposition: attachment; filename=".$_GET['file_short']);
    > readfile($_GET['file']);
    >
    > Many thanks and sorry for this bad English
    >
    > Rod


    Don't know what the problem is, but have you not thought about
    security!?!?


    download.php?file=/etc/passwd&file_short=passwd



    Regards,

    Ian

    --
    Ian.H [Design & Development]
    digiServ Network - Web solutions
    www.digiserv.net | irc.digiserv.net | forum.digiserv.net
    Programming, Web design, development & hosting.


    • Rod

      #3
      Re: Download

      Hi,

      thank you for your answer.
      Actually, I found the problem.
      The real filenames contain space so you need to use the URLENCODE function
      before calling the download.php script.
      Otherwise, the $GET function returns an empty string when trying to get the
      parameters. (only with N4.7)

      Regarding the security, you're right!
      Actually, what I did is an application that browses a specific directory with
      all its sub-directories.
      When the user clicks on a file within a directory, it is downloaded.
      I think I should check that there are no ".." characters in the filename to
      be sure the file is in a sub-directory of the main directory.
      Do you think it is enough?
      any idea?
      thanks again

      Rod


      "Ian.H [dS]" <ian@WINDOZEdigiserv.net> wrote in message
      news:20030916124658.5a8f51c8.ian@WINDOZEdigiserv.net...
      > On Tue, 16 Sep 2003 11:37:40 +0200 in
      > <message-id:bk6lh7$f55$1@home.itg.ti.com>
      > "Rod" <toto@toto.com> wrote:
      >
      > > Hi,
      > >
      > > I have a script that downloads any file to the user according to the
      > > parameters.
      > > I call the script like this:
      > > download.php?file=xxx/myfile.doc&file_short=myfile.doc
      >
      >
      > [ snip ]
      >
      >
      > > here is my script:
      > > Header("Content-Type: application/octet-stream");
      > > Header("Content-Length: ".filesize($_GET['file']));
      > > Header("Content-Disposition: attachment; filename=".$_GET['file_short']);
      > > readfile($_GET['file']);
      > >
      > > Many thanks and sorry for this bad English
      > >
      > > Rod
      >
      >
      > Don't know what the problem is, but have you not thought about
      > security!?!?
      >
      >
      > download.php?file=/etc/passwd&file_short=passwd
      >
      >
      >
      > Regards,
      >
      > Ian
      >
      > --
      > Ian.H [Design & Development]
      > digiServ Network - Web solutions
      > www.digiserv.net | irc.digiserv.net | forum.digiserv.net
      > Programming, Web design, development & hosting.



      • Ian.H [dS]

        #4
        Re: Download

        On Tue, 16 Sep 2003 14:03:34 +0200 in
        <message-id:bk6u2p$q29$1@home.itg.ti.com>
        "Rod" <toto@toto.com> wrote:

        > Hi,
        >
        > thank you for your answer.
        > Actually, I found the problem.
        > The real filenames contain space so you need to use the URLENCODE
        > function before calling the download.php script.
        > Otherwise, the $GET function returns an empty string when trying to
        > get the parameters. (only with N4.7)


        Ahh interesting Rod, but it makes sense. I personally try and avoid
        files with spaces like the plague, and use a _ (underscore) instead
        (file_name.txt etc).. although this might not be an option for you
        (depending on the nature of your site).

        >
        > Regarding the security, you're right!
        > Actually, what I did is an application that browses a specific
        > directory with all its sub-directories.
        > When the user clicks on a file within a directory, it is downloaded.
        > I think I should check that there are no ".." characters in the
        > filename to be sure the file is in a sub-directory of the main
        > directory. Do you think it is enough?
        > any idea?
        > thanks again


        Are you the admin of the server Rod? If so, it might be worth thinking
        about the safemode and open_basedir options in php.ini which will help
        you define what dirs a script can access. You need to define an
        "absolute base" somewhere safe.. even if it's a directory like:
        '/foo/repository'. Let them browse 'til their heart's content, but don't
        let them out of it. Again, this might not be a possibility, I really
        don't know the nature of your script or what kind of filesystem access
        you're giving people or what they need.

        Checking for '.' and '..' are important.. something like:


        if (substr($file, 0, 1) != '.' && substr($file, 0, 2) != '..') {
            /* display non . | .. directories and non dotfiles (.htaccess) */
        }


        Assumptions made here with $file for demo purposes, but this is how I
        at least start with scripts that read directory contents.

        I'm writing a filemanager for a Web control panel app I'm coding, this
        will be defined as the user's Webroot dir as the base
        (/home/someone/html). They'll be able to browse any files / dirs within
        there (including dotfiles as they'll own them) but they won't be able to
        access '/home/someone' for example. This prevents them "leaking" around
        the rest of the file system too.

        </2p_worth>



        Regards,

        Ian

        --
        Ian.H [Design & Development]
        digiServ Network - Web solutions
        www.digiserv.net | irc.digiserv.net | forum.digiserv.net
        Programming, Web design, development & hosting.
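
Added example, not part of the thread or either poster's code: a version of download.php that confines requests to the "absolute base" idea from post #4 by canonicalizing the requested path and then checking containment, which also covers absolute paths such as the /etc/passwd request in post #2 and symlinks that a ".." string check would miss. The function name resolve_download() is hypothetical, BASE_DIR reuses the '/foo/repository' path mentioned above, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. BASE_DIR reuses the
// '/foo/repository' path from post #4; resolve_download() is a hypothetical name.
const BASE_DIR = '/foo/repository';

// Return the canonical path of $requested if it is a regular file inside
// $baseDir, or null for anything else (traversal, symlink escape, missing file).
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, so the containment test
    // below runs on the path the filesystem would actually open.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against "base/" so /foo/repository-old cannot pass as /foo/repository.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Reject non-string input such as ?file[]=x before it reaches the resolver.
$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_download(BASE_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

// Take the download name from the resolved file, not from a second request
// parameter, and restrict it to characters that are safe inside the header.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
readfile($path);
```

Setting open_basedir to the same directory in php.ini, as suggested in post #4, gives a second layer if the check in the script is ever bypassed or removed.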
