First time here. Hello. 🙂
To business:
I am using eLouai's Force Download of media files script in order to allow users to download content from my site, but I don't want them to download whatever they want, only what I let them.
The first method was a 'white list' of file names I allow to be downloaded, but that was too hard to maintain.
The method I was told to implement was to put all the files in one directory and only allow downloads from that directory. My question is whether that is enough. Is there something I missed or overlooked?
Here is the complete code I use:
The .php file gets a var using GET (URL string):
<?php
// Only a file whose canonical path (realpath() follows symlinks and
// collapses "." and "..") lies under $files_dir may be served.
function okay_to_download($file){
    $files_dir = '/pub/home/user/web/files/';
    $real_path = realpath($file);
    // The trailing slash on $files_dir matters: without it a sibling
    // directory such as /pub/home/user/web/files2/ would also pass the prefix test.
    if (($real_path !== false) && (strpos($real_path, $files_dir) === 0)) return true;
    return false;
}

// isset() avoids an "undefined index" notice when ?file= is absent
$filename = isset($_GET['file']) ? $_GET['file'] : '';

if( $filename === '' )
{
    // Checked before okay_to_download(): realpath('') resolves to the current
    // directory, so in the original order this branch could never be reached.
    echo "<html><title>eLouai's Download Script</title><body>ERROR: download file NOT SPECIFIED. USE force-download.php?file=filepath</body></html>";
    exit;
}

// check if file is in allowed path
if (okay_to_download($filename)){
    // required for IE, otherwise Content-disposition is ignored
    if(ini_get('zlib.output_compression'))
        ini_set('zlib.output_compression', 'Off');
    // addition by Jorg Weske
    $file_extension = strtolower(substr(strrchr($filename,"."),1));
    // is_file() instead of file_exists(): the latter also accepts a directory, which readfile() cannot serve
    if ( ! is_file( $filename ) )
    {
        echo "<html><title>eLouai's Download Script</title><body>ERROR: File not found. USE force-download.php?file=filepath</body></html>";
        exit;
    }
    switch( $file_extension )
    {
        case "pdf": $ctype="application/pdf"; break;
        case "exe": $ctype="application/octet-stream"; break;
        case "zip": $ctype="application/zip"; break;
        case "doc": $ctype="application/msword"; break;
        case "xls": $ctype="application/vnd.ms-excel"; break;
        case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
        case "gif": $ctype="image/gif"; break;
        case "png": $ctype="image/png"; break;
        case "jpeg":
        case "jpg": $ctype="image/jpeg"; break; // the registered type is image/jpeg, not image/jpg
        case "php": die("you are not allowed to download this type of files"); // added php extension
        default: $ctype="application/force-download";
    }
    header("Pragma: public"); // required
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Cache-Control: private",false); // required for certain browsers
    header("Content-Type: $ctype");
    // change, added quotes to allow spaces in filenames, by Rajkumar Singh
    header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: ".filesize($filename));
    readfile($filename);
    exit();
} else die("NOT OKAY TO DOWNLOAD");
?>
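The directory-restriction idea in the post (compare the realpath() of the request against the allowed directory) is sound, but whether it is "enough" depends on details the script leaves implicit: the base directory must itself be canonicalised, the prefix must end in a separator, directories must be refused, and the request should be resolved relative to the allowed directory rather than the process working directory. The following is an added example, not code from the original post or from eLouai's script, that implements the check that way and exercises it against the inputs a reviewer would probe. The function names, the temporary directory layout it builds under sys_get_temp_dir() and the sample file contents are all constructed for the demo.

```php
<?php
// Added example (not part of the original post or of eLouai's script).
// Resolve a user-supplied name to a file that is guaranteed to live under
// $files_dir, or return null. Helper names and fixture layout are assumptions.

function resolve_download(string $requested, string $files_dir): ?string
{
    // An empty name or a NUL byte never maps to a legitimate file; in PHP 8
    // realpath() would throw a ValueError on the NUL byte, so reject it first.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Canonicalise the base directory too, so two realpath() outputs are
    // compared, and append exactly one separator so ".../files2/x" does not
    // match ".../files".
    $base = realpath($files_dir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Resolve relative to the base, not to the cwd. realpath() follows
    // symlinks and collapses "." and "..", giving the path readfile() would hit.
    $real = realpath($base . $requested);
    if ($real === false || !is_file($real)) {
        return null;                       // missing, or a directory
    }
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;                       // resolved outside the allowed tree
    }
    return $real;
}

// Build a constructed directory tree: files/ is the allowed directory,
// files2/ is a sibling sharing the name prefix, secret.txt sits outside,
// and escape.lnk is a symlink inside files/ that points outside it.
function build_fixture(): array
{
    $root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
    $files = $root . DIRECTORY_SEPARATOR . 'files';
    mkdir($files . DIRECTORY_SEPARATOR . 'sub', 0700, true);
    mkdir($root . DIRECTORY_SEPARATOR . 'files2', 0700);
    file_put_contents($files . '/report.pdf', 'constructed sample content');
    file_put_contents($files . '/sub/notes.txt', 'constructed sample content');
    file_put_contents($root . '/secret.txt', 'must not be served');
    file_put_contents($root . '/files2/leak.txt', 'must not be served');
    @symlink($root . '/secret.txt', $files . '/escape.lnk'); // may fail on Windows; then it simply does not exist
    return [$root, $files];
}

function remove_tree(string $dir): void
{
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') continue;
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path) && !is_link($path)) remove_tree($path); else unlink($path);
    }
    rmdir($dir);
}

// Returns true when every case behaves as expected.
function run_demo(): bool
{
    [$root, $files] = build_fixture();
    $cases = [
        ['report.pdf',           true],   // plain allowed file
        ['sub/notes.txt',        true],   // subdirectory of the allowed tree
        ['./sub/../report.pdf',  true],   // normalises back to an allowed file
        ['../secret.txt',        false],  // ../ traversal
        ['../files2/leak.txt',   false],  // sibling directory sharing the prefix
        ['escape.lnk',           false],  // symlink pointing outside the tree
        ['sub',                  false],  // a directory, not a file
        ['',                     false],  // empty request
        ["report.pdf\0.txt",     false],  // NUL byte
    ];
    $all_ok = true;
    foreach ($cases as [$name, $expected]) {
        $allowed = resolve_download($name, $files) !== null;
        printf("%s  %s\n", $allowed === $expected ? 'PASS' : 'FAIL', addcslashes($name, "\0"));
        $all_ok = $all_ok && ($allowed === $expected);
    }
    remove_tree($root);
    return $all_ok;
}

if (PHP_SAPI === 'cli') {
    exit(run_demo() ? 0 : 1);
}
```

Run it with `php demo.php`; every line should print PASS. The two differences from the posted script that matter most are resolving `$base . $requested` rather than the raw request (so an absolute path or a name relative to the web root cannot be used) and rejecting anything that is not a regular file. Even with this in place, the extension check on the requested name still only controls the Content-Type: if the allowed directory is also served directly by the web server, or contains files such as `.htaccess`, those need separate handling.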