Re: Show filenames using Wildcards -- The glob() Solution!

On 3/30/07, Rahul Sitaram Johari <sleepwalker@xxxxxxxxxxxxxxxx> wrote:
Ave,

You will probably find this code pretty inefficient, although it works
flawlessly, but I ran into a problem with Internet Explorer 7, which instead
of giving the "Save as" dialog box, tried opening the file within the
Internet Explorer 7 window and displayed millions of bizarre characters on
the screen. In order to bypass that, I used a force-download method. And I
can tell you it's probably a crappy version of it. So I'm definitely
interested in and anxious on getting improvement suggestions on the code.

Here's the code (and please don't kill me):

<?php
// $F comes straight from the F query parameter (register_globals style) and
// is used as the file path without any validation.
header("Content-Description: File Transfer");
header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=".basename($F));
@readfile($F); // the @ suppresses errors, so a bad path fails silently
?>

You are using this only :|
Now go to:
takekey_download.php?F=index.php
That would output the source of the index.php file.
This is really insecure.

Even displaying the real URL to the user would be more secure :)

I can't provide a real secure solution atm, but you should check for
the directory set to vox at least, or only get files from the vox dir.

Tijnema




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rahul Sitaram Johari
CEO, Twenty Four Seventy Nine Inc.

W: http://www.rahulsjohari.com
E: sleepwalker@xxxxxxxxxxxxxxxx

“I morti non sono piu soli ... The dead are no longer lonely”



On 3/30/07 10:31 AM, "Jochem Maas" <jochem@xxxxxxxxxxxxx> wrote:

> Rahul Sitaram Johari wrote:
>> Ave,
>>
>
> ...
>
>> VALUE='takekey_download.php?F=vox/".basename($value)."'>".basename($value)."
>
> show us the code for takekey_download.php, we may be able to save you
> on a major security issue with regard to the way you use the F get parameter.
>
>> </option>";
>>     }
>>     ?>
>>     </SELECT>
>>     </FORM>
>>
>> Thanks!
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Rahul Sitaram Johari
>> CEO, Twenty Four Seventy Nine Inc.
>>
>> W: http://www.rahulsjohari.com
>> E: sleepwalker@xxxxxxxxxxxxxxxx
>>
>> “I morti non sono piu soli ... The dead are no longer lonely”
>>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
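An added example (not code posted by anyone in this thread) of how takekey_download.php could restrict downloads to the vox directory, as Tijnema suggests. It assumes the downloadable files live in a vox/ directory next to the script, that the request parameter is still called F (the form in the thread sends F=vox/filename), and PHP 5.4 or later for http_response_code().

```php
<?php
// Hardened takekey_download.php (added example, not from the thread).
// Only files directly inside ./vox may be served, whatever F contains.

// Directory the script is allowed to serve from (assumption: ./vox).
$baseDir = realpath(__DIR__ . '/vox');
if ($baseDir === false) {
    http_response_code(500);
    exit('Download directory not configured');
}

// 1. Never use the parameter as a path: keep only the file name component,
//    so "vox/file.txt", "../index.php" and "/etc/passwd" all reduce to a name.
$name = isset($_GET['F']) ? basename($_GET['F']) : '';

// 2. Reject empty names, dot files and any character outside a small
//    whitelist (this also keeps quotes and CR/LF out of the header below).
if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
    http_response_code(400);
    exit('Invalid file name');
}

// 3. Resolve the final path and confirm it is still inside $baseDir.
//    realpath() follows symlinks, so a link pointing outside vox/ is caught too.
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
if ($path === false
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

// 4. Force a download with a generic binary type so the browser does not
//    try to render the content inline (the IE7 behaviour Rahul describes).
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

readfile($path);
exit;
```

With this in place a request such as takekey_download.php?F=index.php is answered with 404 unless a file literally named index.php exists inside vox/, and the script itself is never readable through the parameter. The whitelist in step 2 is deliberately strict; widen it only to the characters the file names in vox/ actually need.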


