From e1a575e4f87d94b271a85b5311bc98055917698b Mon Sep 17 00:00:00 2001
From: Marco Dickert
Date: Thu, 1 Dec 2016 17:18:46 +0100
Subject: [PATCH] misterunknown: new file_download function which should safely download a file
---
 ifm.php | 27 +++++++++++++++++++++------
 src/main.php | 27 +++++++++++++++++++++------
 2 files changed, 42 insertions(+), 12 deletions(-)
diff --git a/ifm.php b/ifm.php
index d52836f..0ff27c1 100644
--- a/ifm.php
+++ b/ifm.php
@@ -1521,9 +1521,7 @@ $(document).ready(function() {ifm.init()}); // init ifm
 echo json_encode( array( "status" => "ERROR", "message" => "Not allowed to download hidden files" ) );
 else {
 $this->chDirIfNecessary( $d["dir"] );
- header( "Content-Type: application/octet-stream" );
- header( "Content-Disposition: attachment; filename=\"" . $d["filename"] . "\"" );
- @readfile( $d["filename"] );
+ $this->file_download( $d['filename'] );
 }
 }
@@ -1661,8 +1659,7 @@ $(document).ready(function() {ifm.init()}); // init ifm
 else
 $d['filename'] = basename( getcwd() );
 }
- header( "Content-Disposition: attachment; filename=\"".$d['filename'].".zip\"" );
- readfile( $dfile );
+ $this->file_download( $dfile, $d['filename'] . ".zip" );
 } catch ( Exception $e ) {
 echo "An error occured: " . $e->getMessage();
 } finally {
@@ -1822,7 +1819,7 @@ $(document).ready(function() {ifm.init()}); // init ifm
 private function isPathValid($p) {
 if( $p == "" ) {
 return true;
- } elseif( $this->getScriptRoot() == substr( realpath( $p ), 0, strlen( $this->getScriptRoot() ) ) ) {
+ } elseif( str_replace( "\\", "/", $this->getScriptRoot() ) == str_replace( "\\", "/", substr( realpath( dirname( $p ) ), 0, strlen( $this->getScriptRoot() ) ) ) ) {
 return true;
 }
 return false;
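Review bot: The rewritten isPathValid condition resolves only the parent directory, `realpath( dirname( $p ) )`, so a symlink as the last component of $p is no longer followed: a link whose target lies outside the script root now passes, where the old `realpath( $p )` would have rejected it; the identical elseif is changed in src/main.php (@@ -689). Resolving the full path when it exists and falling back to the parent only for a path that does not exist yet keeps both cases covered, e.g. `$real = file_exists( $p ) ? realpath( $p ) : realpath( dirname( $p ) );` before the comparison. The prefix test also accepts any path that merely begins with the root string (a sibling directory whose name extends the root's), which the old line shared; comparing `substr( $real . '/', 0, strlen( $root ) + 1 ) == $root . '/'` on the slash-normalised strings closes that while still accepting the root itself. getScriptRoot is not visible in this hunk, so whether it already ends in a separator is an assumption to confirm.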
@@ -1947,6 +1944,24 @@ $(document).ready(function() {ifm.init()}); // init ifm
 else return true;
 }
+ private function file_download( $file, $name="" ) {
+ header( 'Content-Description: File Transfer' );
+ header( 'Content-Type: application/octet-stream' );
+ header( 'Content-Disposition: attachment; filename="' . ( trim( $name ) == "" ? basename( $file ) : $name ) . '"' );
+ header( 'Expires: 0' );
+ header( 'Cache-Control: must-revalidate' );
+ header( 'Pragma: public' );
+ header( 'Content-Length: ' . filesize( $file ) );
+
+ $file_stream = fopen( $file, 'rb' );
+ $stdout_stream = fopen('php://output', 'wb');
+
+ stream_copy_to_stream($file_stream, $stdout_stream);
+
+ fclose($file_stream);
+ fclose($stdout_stream);
+ }
+
 ///helper
 }
diff --git a/src/main.php b/src/main.php
index 9f34233..976e42b 100644
--- a/src/main.php
+++ b/src/main.php
@@ -388,9 +388,7 @@ class IFM {
 echo json_encode( array( "status" => "ERROR", "message" => "Not allowed to download hidden files" ) );
 else {
 $this->chDirIfNecessary( $d["dir"] );
- header( "Content-Type: application/octet-stream" );
- header( "Content-Disposition: attachment; filename=\"" . $d["filename"] . "\"" );
- @readfile( $d["filename"] );
+ $this->file_download( $d['filename'] );
 }
 }
@@ -528,8 +526,7 @@ class IFM {
 else
 $d['filename'] = basename( getcwd() );
 }
- header( "Content-Disposition: attachment; filename=\"".$d['filename'].".zip\"" );
- readfile( $dfile );
+ $this->file_download( $dfile, $d['filename'] . ".zip" );
 } catch ( Exception $e ) {
 echo "An error occured: " . $e->getMessage();
 } finally {
@@ -689,7 +686,7 @@ class IFM {
 private function isPathValid($p) {
 if( $p == "" ) {
 return true;
- } elseif( $this->getScriptRoot() == substr( realpath( $p ), 0, strlen( $this->getScriptRoot() ) ) ) {
+ } elseif( str_replace( "\\", "/", $this->getScriptRoot() ) == str_replace( "\\", "/", substr( realpath( dirname( $p ) ), 0, strlen( $this->getScriptRoot() ) ) ) ) {
 return true;
 }
 return false;
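Review bot: file_download concatenates the supplied name into the Content-Disposition header unescaped, so a `"` inside the filename terminates the quoted parameter and corrupts the header; the download handler passes `$d['filename']` through unchanged, and the same function is added to src/main.php (@@ -814). Neither `filesize( $file )` nor `fopen( $file, 'rb' )` is checked for `false`, so an unreadable file emits an empty Content-Length and then hands `false` to stream_copy_to_stream instead of the JSON error the download handler uses for the hidden-file case. Checking readability before any header is sent and stripping quotes and line breaks from the name addresses both; header() already refuses values containing a newline, so the line-break strip only makes the intent explicit. The rewritten head of the method is below; the remaining headers and the stream copy are unchanged.
```php
private function file_download( $file, $name="" ) {
    if( !is_file( $file ) || !is_readable( $file ) ) {
        echo json_encode( array( "status" => "ERROR", "message" => "File not found or not readable" ) );
        return;
    }
    $name = ( trim( $name ) == "" ) ? basename( $file ) : $name;
    // a quote inside the quoted filename parameter would end it early
    $name = str_replace( array( '"', "\r", "\n" ), '', $name );
    header( 'Content-Description: File Transfer' );
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    // … unchanged: Expires, Cache-Control, Pragma, Content-Length headers and the stream copy …
}
```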
@@ -814,6 +811,24 @@ class IFM {
 else return true;
 }
+ private function file_download( $file, $name="" ) {
+ header( 'Content-Description: File Transfer' );
+ header( 'Content-Type: application/octet-stream' );
+ header( 'Content-Disposition: attachment; filename="' . ( trim( $name ) == "" ? basename( $file ) : $name ) . '"' );
+ header( 'Expires: 0' );
+ header( 'Cache-Control: must-revalidate' );
+ header( 'Pragma: public' );
+ header( 'Content-Length: ' . filesize( $file ) );
+
+ $file_stream = fopen( $file, 'rb' );
+ $stdout_stream = fopen('php://output', 'wb');
+
+ stream_copy_to_stream($file_stream, $stdout_stream);
+
+ fclose($file_stream);
+ fclose($stdout_stream);
+ }
+
 ///helper
 }