Hi,

I maintain a project (with Typo3). There we have a problem with download.php. I already posted this question in another forum, but somehow never got an answer there...

For a web offering we have a download.php.

I would now like to restrict it to a specific folder plus its subfolders, so that nobody can fetch the config files with it etc.

I am an absolute PHP noob and took over the project from my predecessor with the parting words: oh yes, download.php should be fixed at some point, at the moment you can still use it to pull the config files with passwords and so on. Great.

Thanks for any help; on request I can also post the contents of download.php.
The primary goal at the moment is to force the download of videos and PDFs and not to open them in the browser.

thanks, tobi

PS: here is the download.php after all:

<?php
(...)
   Released under the GNU General Public License 
   ---------------------------------------------------------------------------------------*/

include ('includes/application_top.php');

// include needed functions
require_once (DIR_FS_INC.'xtc_random_name.inc.php');
require_once (DIR_FS_INC.'xtc_unlink_temp_dir.inc.php');

if (!isset ($_SESSION['customer_id']))
	die;

// Check download.php was called with proper GET parameters
if ((isset ($_GET['order']) && !is_numeric($_GET['order'])) || (isset ($_GET['id']) && !is_numeric($_GET['id']))) {
	die;
}

// Check that order_id, customer_id and filename match
$downloads_query = xtc_db_query("select date_format(o.date_purchased, '%Y-%m-%d') as date_purchased_day, opd.download_maxdays, opd.download_count, opd.download_maxdays, opd.orders_products_filename from ".TABLE_ORDERS." o, ".TABLE_ORDERS_PRODUCTS." op, ".TABLE_ORDERS_PRODUCTS_DOWNLOAD." opd where o.customers_id = '".$_SESSION['customer_id']."' and o.orders_id = '".(int) $_GET['order']."' and o.orders_id = op.orders_id and op.orders_products_id = opd.orders_products_id and opd.orders_products_download_id = '".(int) $_GET['id']."' and opd.orders_products_filename != ''");
if (!xtc_db_num_rows($downloads_query))
	die;
$downloads = xtc_db_fetch_array($downloads_query);
// MySQL 3.22 does not have INTERVAL
list ($dt_year, $dt_month, $dt_day) = explode('-', $downloads['date_purchased_day']);
$download_timestamp = mktime(23, 59, 59, $dt_month, $dt_day + $downloads['download_maxdays'], $dt_year);

// Die if time expired (maxdays = 0 means no time limit)
if (($downloads['download_maxdays'] != 0) && ($download_timestamp <= time()))
	die;
// Die if remaining count is <=0
if ($downloads['download_count'] <= 0)
	die;
// Die if file is not there
if (!file_exists(DIR_FS_DOWNLOAD.$downloads['orders_products_filename']))
	die;

// Now decrement counter
xtc_db_query("update ".TABLE_ORDERS_PRODUCTS_DOWNLOAD." set download_count = download_count-1 where orders_products_download_id = '".(int) $_GET['id']."'");

// Now send the file with header() magic
header("Expires: Mon, 26 Nov 1962 00:00:00 GMT");
header("Last-Modified: ".gmdate("D,d M Y H:i:s")." GMT");
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Content-Type: Application/octet-stream");
header("Content-Length: ".filesize(DIR_FS_DOWNLOAD.$downloads['orders_products_filename']));
header("Content-disposition: attachment; filename=\"".$downloads['orders_products_filename']."\"");

if (DOWNLOAD_BY_REDIRECT == 'true') {
	// This will work only on Unix/Linux hosts
	xtc_unlink_temp_dir(DIR_FS_DOWNLOAD_PUBLIC);
	$tempdir = xtc_random_name();
	umask(0000);
	mkdir(DIR_FS_DOWNLOAD_PUBLIC.$tempdir, 0777);
	symlink(DIR_FS_DOWNLOAD.$downloads['orders_products_filename'], DIR_FS_DOWNLOAD_PUBLIC.$tempdir.'/'.$downloads['orders_products_filename']);
	xtc_redirect(DIR_WS_DOWNLOAD_PUBLIC.$tempdir.'/'.$downloads['orders_products_filename']);
} else {
	// This will work on all systems, but will need considerable resources
	// We could also loop with fread($fp, 4096) to save memory
	readfile(DIR_FS_DOWNLOAD.$downloads['orders_products_filename']);
}
?>

    Koennen Sie seinem Buschungsposten auf English tippen, bitte schoen?

    Could you type your post(s) in English please?

    *** Note: My German is rusty and probably very very terrible 🙁

      Rough translation:

      I care for a project (with Typo3). There we have a problem with download.php. The question I have already times in another forum , there however somehow no more answer received... for a Web offer we have one download.php I would limit these now gladly to a certain file plus its , not that the config files there by gets itself etc.pp. I am absolute php Noob and have the project of my predecessor taken over with the locking words: , which would have download.php at opportunity is times fixed, for the moment one can draw oneself thereby still the Config files with PW etc.. Great I also contents download.php of the posts thank for each assistance, when desired can. The primary goal is for the moment to force the Download of videos and pdfs and not to open it in the Browser. thanks, tobi HP: here nevertheless still downloadphp:

        sorry, for some reason I overlooked that this forum is in English o_O
        thanks @ god0fgod for the translation.

        The point is: fix the download.php (as posted above) to prevent downloading config files with this script.
        thanks for any help, tobi

          7 days later

          solution: with the help of a friend we added the following:

          function string_begins_with($string, $search)
          {
              // true when $string starts with $search
              return (strncmp($string, $search, strlen($search)) == 0);
          }

          $filename = $_GET['file'];

          if (string_begins_with($filename, "..")) {
              // requested name starts with "..": refuse it
              die;
          } else {
              // otherwise continue with the download as before
          }

          working 😉

          Does anybody know a way to access a higher level than the one the file is placed in without '..' at the beginning?

            Well, they might use an absolute path, e.g. /home/username/public_html/file.php so I would filter out a '/' (and perhaps '\' as well).
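            An added example (not tobi's download.php and not xt:Commerce or Typo3 code) that covers both points raised in this thread: restricting downloads to one folder plus its subfolders without relying on a string check for ".." or "/", and forcing the browser to save videos and PDFs instead of opening them. It assumes the permitted folder is given by a hypothetical DOWNLOAD_ROOT constant (falling back to a constructed fileadmin/downloads path) and that the relative file name arrives in ?file=. Instead of filtering characters, the requested path is canonicalised with realpath() and the result is compared against the canonical root, so "..", absolute paths, backslashes and symlinks pointing outside the folder are all rejected by the same check:

```php
<?php
// Added example: a download endpoint confined to one directory tree.
// Assumptions: DOWNLOAD_ROOT (hypothetical constant) names the permitted folder;
// the relative file name is passed as ?file=... by the calling page.
declare(strict_types=1);

function resolve_download_path(string $downloadRoot, string $requested): ?string
{
    // Canonicalise the root once: resolves symlinks and strips trailing slashes.
    $root = realpath($downloadRoot);
    if ($root === false) {
        return null;
    }
    // NUL bytes would truncate the path at the C level; reject them up front.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Treat Windows-style separators like "/" so "..\" is handled the same way.
    $requested = str_replace('\\', '/', $requested);
    // realpath() resolves "..", "." and symlinks and returns false for missing files,
    // so the existence check and the containment check act on the same canonical string.
    $candidate = realpath($root . '/' . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: the canonical path must start with root plus a separator.
    // Including the separator stops "/srv/downloads-private" from matching "/srv/downloads".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function send_as_attachment(string $path): void
{
    // Only the types this endpoint is meant to serve; anything else is refused.
    $allowed = ['pdf' => 'application/pdf', 'mp4' => 'video/mp4', 'webm' => 'video/webm'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        http_response_code(404);
        exit;
    }
    // Download name: basename only, with characters that could break the header replaced.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

    header('Content-Type: ' . $allowed[$ext]);
    header('Content-Length: ' . (string) filesize($path));
    // "attachment" is what forces the save dialog instead of opening in the browser.
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-cache, must-revalidate');

    // Stream in chunks rather than readfile() so large videos do not exhaust memory.
    $fp = fopen($path, 'rb');
    if ($fp === false) {
        http_response_code(500);
        exit;
    }
    while (!feof($fp)) {
        echo fread($fp, 8192);
        flush();
    }
    fclose($fp);
}

// Usage (constructed): DOWNLOAD_ROOT is a hypothetical constant; the fallback path is an assumption.
$root = defined('DOWNLOAD_ROOT') ? DOWNLOAD_ROOT : __DIR__ . '/fileadmin/downloads';
$path = resolve_download_path($root, (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}
send_as_attachment($path);
```

Because the comparison happens on the canonical path, there is no list of forbidden characters to keep up to date: whatever form the request takes, it only succeeds if the file it resolves to lies below the permitted root. Keeping the config files outside that root (rather than trying to exclude them by name) is what makes the restriction complete.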
