sessions and file downloads

bitwise

I set up a download.php, which yanks files from a dir outside of the web scheme, with the purpose of authenticate them before they are allowed to download the file. It is real important that I get the file name.

Here is the download.php that works great. Pulls the file name just fine.

<?php
define("FILEPATH", "E:\milestesting\");
if(isset($HTTP_GET_VARS["file"])) {
$file_name = $HTTP_GET_VARS["file"];
$file_request = FILEPATH . $file_name;
if(file_exists($file_request)) {
$file_type = filetype($file_request);
$file_size = filesize($file_request);
header("Content-Transfer-Encoding: binary");
header("Content-Type: $file_type");
header("Content-Length: $file_size");
header("Content-Disposition: attachment; filename=$file_name");
//echo($file_name . " " . $file_request . " " . $file_type . " " . $file_size);
readfile($file_request);
} else {
echo("ERROR!!! file does not exists!!");
}
} else {
echo("ERROR!!!! no file specified");
}
?>

however there is also an auto_prepend.inc file which calls session_start() that looks like this.

<?php
session_start();
$current_dir = getcwd();
chdir("..");
$parent_dir = getcwd();
$user_dir = substr(str_replace($parent_dir,'',$current_dir),1);
$user = @$HTTP_SESSION_VARS["verified_user"];
if($user != $user_dir) {
header("Location:http://" . $HTTP_HOST);
}
?>

What I've noticed is that when session_start is called before you pass headers and start file download. you do not get the correct file name (download.php?file=file.txt is what you get.) Has anyone else run into this problem, and if so is there a workaround?

Thanks!

Anon

As far as i can see your function is insecure! the user can doenload any file.

I have the following script:

$allowed_extensions = array ("bin", "dat", "ps", "pdf", "xml", "txt", "doc", "xls", "ppt", "mpg", 
				 "mpeg", "avi", "wav", "mp3", "bmp", "jpg", "gif", "png", "exe", "run", 
				 "zip", "rar", "ace", "tgz", "tar", "gz", "bz2", "jar"); // Create an array, with filetypes, that are allowed to download (this is case-sensitive)
$filename = basename ($resource);
$string_length = strlen  ($filename); // Get length of filename
$last_point    = strrpos ($filename,"."); // Get position of last '.'    

if ($last_point > 0) // Check whether file has any extensions
{
 $extension = substr  ($filename, ($last_point + 1), ($string_length - $last_point - 1)); // Extract the file-extensions
 if (in_array($extension, $allowed_extensions)) // Check whether download of such a filetype is granted
 {
  $filepath = $DOCUMENT_ROOT.$resource;   
  if ((file_exists ($filepath)) && (!strpos ($filepath, ".."))) // Check whether the desired file exists and whether they try request a file above the webserver root
  {
   if (file_exists ($filepath)) // Check whether this file does actually exist
   {    	  
$filesize = filesize ($filepath);
$fp   = fopen ($filepath, "rb");
if ($fp) // Check whether we can open the desired file
{
  header ("Content-Type: application/force-download");
  header ("Content-Length: ".$filesize."");
  header ("Content-Disposition: attachment; filename=".$filename."");
  header ("Content-Transfer-Encoding: binary");
  fpassthru ($fp); 
  flush();
  // fclose ($fp); Keep it outcommented, it generates a error message at the eof
}	
   }
  }
 }
}

Hint: I do a session_start before all that and it works fine.

bitwise

I know that you can use relative path to get around, I know I need to tighten it down, I haven't gotten that far yet. 🙂 I need to get the file name part fixed before I bother with securing it, but I will borrow that script. (gotta love open source) Can you tell me what version of PHP you use? I have 4.1.2, and it happens to me everytime.