Re: [PHP] Problems downloading a PDF / Partially solved

2007-04-04 Thread Richard Davey

Mário Gamito wrote:

> I don't get the warnings anymore, but the PDF is still being displayed
> with its binary code inside in the PHP page:

Are you opening the file as a binary file?

Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Richard Davey

Jochem Maas wrote:

> fine. so exactly what is the 100% bulletproof validation that will catch
> every attack attempt? other than basename()ing the input and suffixing it
> to the relevant path and then checking that to see if the file exists??

It depends how you want to handle invalid data. If you're happy
basenaming it to remove anything malicious, and then trying to see if
the file still exists, then so be it. To me that is masking something
bad to try and make it good, the end result being that you can't tell if
someone is trying to screw with your script, or if you've simply got a
typo in a link on your site somewhere.

> do you really care if the original url is:
>
> foo.php?file=bla.pdf
>
> and somebody does this (ending up with the file the original url pointed to):
>
> foo.php?file=../../../bla.pdf

Absolutely I care. One is an obvious attempt to circumvent my script,
the other could be an error *I* made somewhere.

Of course a better solution would be to never pass the filename on the
query string anyway. Use a local look-up instead based on a key (a hard
coded array, pulled from SQL, etc, whatever you want). But that is
beyond the scope of what the guy was asking I guess. I honestly believe
that having URLs such as getfile.php?file=something.pdf is like waving
your wallet in front of a pickpocket, i.e. asking for trouble.


Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"




Re: [PHP] Problems downloading a PDF / Partially solved

2007-04-04 Thread Jochem Maas
Mário Gamito wrote:
> Ok,
> 
> I don't get the warnings anymore, but the PDF is still being displayed
> with its binary code inside in the PHP page:
> 
> "%PDF-1.4 %âãÏÓ 351 0 obj <> endobj xref 351 434 16 0 n
> 010281 0 n 010417 0 n 010574 0 n 010607
> 0 n 012850 0 n 012884 0 n 013037 0 n
> 013174 0 n 013704 0 n 014104 0 n 014488
> 0 n 014700 0 n 014747"
> 
> Something must be wrong with the definition of the file type.

if you know that there *must* be something wrong with the definition
of the file type why not go and search around for answers related
to generating download headers?

the list is here to help, not spoonfeed.

> Warm Regards




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Jochem Maas
Mário Gamito wrote:
> Hi,
> 
>> by reading the freaking replies that you get?!? :-), I did give you
>> the answer to this in the rewritten code I offered. (granted

> Using the code you gave me I get

I didn't write 120+ lines of code - so what you're running is definitely
not what I gave you. ..

> 
> "Warning: Cannot modify header information - headers already sent by
> (output started at /var/www/telbit_website/2/products-testudio.php:14)
> in /var/www/telbit_website/2/products-testudio.php on line 120
> 
> Warning: Cannot modify header information - headers already sent by
> (output started at /var/www/telbit_website/2/products-testudio.php:14)
> in /var/www/telbit_website/2/products-testudio.php on line 121
> 
> Warning: Cannot modify header information - headers already sent by
> (output started at /var/www/telbit_website/2/products-testudio.php:14)
> in /var/www/telbit_website/2/products-testudio.php on line 122
> %PDF-1.4 %âãÏÓ 351 0 obj <> endobj xref 351 434 16 0 n
> 010281"
> 
> Any ideas ?
> 
> Warm Regards




Re: [PHP] Problems downloading a PDF / Partially solved

2007-04-04 Thread Mário Gamito

Ok,

I don't get the warnings anymore, but the PDF is still being displayed 
with its binary code inside in the PHP page:


"%PDF-1.4 %âãÏÓ 351 0 obj <> endobj xref 351 434 16 0 n 
010281 0 n 010417 0 n 010574 0 n 010607 
0 n 012850 0 n 012884 0 n 013037 0 n 
013174 0 n 013704 0 n 014104 0 n 014488 
0 n 014700 0 n 014747"


Something must be wrong with the definition of the file type.
Warm Regards
--
:wq! Mário Gamito




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Mário Gamito

Hi,


> by reading the freaking replies that you get?!? :-), I did give you
> the answer to this in the rewritten code I offered. (granted

Using the code you gave me I get

"Warning: Cannot modify header information - headers already sent by 
(output started at /var/www/telbit_website/2/products-testudio.php:14) 
in /var/www/telbit_website/2/products-testudio.php on line 120


Warning: Cannot modify header information - headers already sent by 
(output started at /var/www/telbit_website/2/products-testudio.php:14) 
in /var/www/telbit_website/2/products-testudio.php on line 121


Warning: Cannot modify header information - headers already sent by 
(output started at /var/www/telbit_website/2/products-testudio.php:14) 
in /var/www/telbit_website/2/products-testudio.php on line 122
%PDF-1.4 %âãÏÓ 351 0 obj <> endobj xref 351 434 16 0 n 
010281"


Any ideas ?

Warm Regards
--
:wq! Mário Gamito




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Zoltán Németh
On Wednesday, 4 April 2007 at 14:23, Mário Gamito wrote:
> Hi,
> 
> > that's what I said before. you echo out some html before the file
> > headers. that will never work.
> > remove the echo statement on line 14 and you should be okay
> But i need the line
> 
> echo " " rel=\"external\">Download TESTUDIO flyer";
> 
> to display the link for download!!!

you don't need that link in a downloaded file I'm sure.
so your script has 2 modes:
1. display the download link
2. send the downloaded file
so you should decide which mode is requested (for example by checking
for $_GET['file'] - if it is set, a file is requested, otherwise not)
and do the appropriate action for the request

greets
Zoltán Németh

> 
> How can I solve this puzzle?
> 
> Full code follows my signature.
> 
> Thanks for all your help guys.
> 
> Warm Regards,

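As an added example (not code from the thread or from any of its posters), one way to build the two modes Zoltán describes, combined with the key-based look-up Richard suggested earlier in the thread instead of a filename in the query string. Assumed: the session is started elsewhere and $_SESSION['email'] marks a logged-in user; the PDFs live in a constructed directory /var/www/private outside the document root; the query parameter is called dl.

```php
<?php
// Added example, not the thread's code. One script, two modes: decide
// whether a download was requested BEFORE any HTML is echoed, so the
// PDF headers never collide with already-sent output.

// The only files that can ever be served. The key is what appears in the
// URL; the user never supplies a path or filename. (Constructed values.)
const DOWNLOADS = [
    'testudio-flyer' => ['file' => 'testudio.pdf', 'name' => 'testudio.pdf'],
];
const DOWNLOAD_DIR = '/var/www/private';   // assumed, outside DocumentRoot

function send_download(string $key): void
{
    // Unknown key: the app never generates such a link, so treat it as a
    // probe, log it, and answer 404 without touching the filesystem.
    if (!isset(DOWNLOADS[$key])) {
        error_log(sprintf('download: unknown key %s from %s',
            var_export($key, true), $_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(404);
        exit('Not found');
    }
    $full = DOWNLOAD_DIR . '/' . DOWNLOADS[$key]['file'];
    if (!is_file($full) || !is_readable($full)) {
        // A known key whose file is missing is a deployment error, not an
        // attack; log it differently so the two cases stay distinguishable.
        error_log("download: file for key $key missing or unreadable: $full");
        http_response_code(404);
        exit('Not found');
    }
    // No output may precede these calls, otherwise PHP reports
    // "headers already sent" and the PDF bytes land inside the HTML page.
    header('Content-Type: application/pdf');
    header('Content-Length: ' . filesize($full));
    header('Content-Disposition: attachment; filename="'
        . DOWNLOADS[$key]['name'] . '"');
    readfile($full);
    exit;
}

if (empty($_SESSION['email'])) {
    http_response_code(403);
    exit('Please log in to download the PDF');
}

// Mode 2: a download was requested (decided before any HTML is output).
if (isset($_GET['dl']) && is_string($_GET['dl'])) {
    send_download($_GET['dl']);
}

// Mode 1: no download requested, so render the page with the link.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
echo '<a href="' . $self . '?dl=testudio-flyer" rel="external">'
    . 'Download TESTUDIO flyer</a>';
```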



Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Jochem Maas
Mário Gamito wrote:
> Hi,
> 
>> that's what I said before. you echo out some html before the file
>> headers. that will never work.
>> remove the echo statement on line 14 and you should be okay
> But i need the line
> 
> echo "" rel=\"external\">Download TESTUDIO flyer";
> 
> to display the link for download!!!
> 
> How can I solve this puzzle?

by reading the freaking replies that you get?!? :-), I did give you
the answer to this in the rewritten code I offered. (granted
there is a typo in that code, but I figure you're capable enough
to find the superfluous parentheses and remove it)

I see you did take on some of what I proposed - but notice
that in your latest bit of code the echo statement that outputs
the link when there is an 'error' is *inside* the 'if (isset($_GET['FILE']))'
block (which is not the case in the example I sent)

> 
> Full code follows my signature.
> 
> Thanks for all your help guys.
> 
> Warm Regards,




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Jochem Maas
Richard Davey wrote:
> Jochem Maas wrote:
> 
>>> You don't need to basename() it, you already know what the filename is,
>>> because it was requested via $_GET['file'].
>>
>> I would say almost the opposite:
> 
> Let me rephrase: if you are properly validating the $_GET['file'] input
> anyway, basenaming it is a superfluous step that may hide possible
> attack attempts. Personally, I'd rather know if someone was messing
> around with a parameter.

fine. so exactly what is the 100% bulletproof validation that will catch
every attack attempt? other than basename()ing the input and suffixing it
to the relevant path and then checking that to see if the file exists??

(I'm assuming here that the directory in question contains only files that
are available for download)

given that the app will only generate urls for files that exist on the
relevant path any file that is not found constitutes an attack of some sort.

do you really care if the original url is:

foo.php?file=bla.pdf

and somebody does this (ending up with the file the original url pointed to):

foo.php?file=../../../bla.pdf

?

> 
> Cheers,
> 
> Rich

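As an added example (not code from the thread), the two approaches Richard and Jochem are arguing over, side by side: basename() silently repairs ../../../bla.pdf into bla.pdf, so a probe and a mistyped link become indistinguishable afterwards, whereas a strict whitelist check rejects the request and leaves a log entry. The directory /var/www/private, the regular expression and the function names are assumptions, not the thread's.

```php
<?php
// Added example, not the thread's code. DOWNLOAD_DIR is a constructed path.
const DOWNLOAD_DIR = '/var/www/private';

// Strategy A (Jochem): basename() and check existence. A traversal attempt
// is quietly turned into a valid name, so nothing records that it happened.
function resolve_with_basename(string $input): string
{
    return DOWNLOAD_DIR . '/' . basename($input);
}

// Strategy B (Richard): accept only what the app itself would ever put in
// a URL, reject everything else and log it. Returns the resolved path, or
// null when the request was rejected or the file does not exist.
function resolve_strict(string $input, string $dir = DOWNLOAD_DIR): ?string
{
    // Exactly one path segment: letters, digits, '-', '_', single dots
    // between segments, ending in .pdf. No '/', no '..', no NUL byte.
    if (!preg_match('/\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.pdf\z/', $input)) {
        // This log line is what lets you tell a probe from a typo later.
        error_log(sprintf('download: rejected filename %s from %s',
            var_export($input, true), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return null;
    }
    // Defence in depth: even after the check, insist that the resolved path
    // is inside $dir, so a symlink or a future regex mistake cannot lead
    // outside it. realpath() returns false for a non-existent file.
    $base = realpath($dir);
    $real = realpath($dir . '/' . $input);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log("download: valid name but no such file: $input");
        return null;
    }
    return $real;
}

// Self-check on the thread's own example; no files are needed for
// strategy A or for the rejection branch of strategy B.
assert(resolve_with_basename('../../../bla.pdf') === DOWNLOAD_DIR . '/bla.pdf');
assert(resolve_strict('../../../bla.pdf') === null);   // rejected and logged
assert(resolve_strict("bla.pdf\0.txt") === null);      // NUL byte rejected
```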



Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Mário Gamito

Hi,


> that's what I said before. you echo out some html before the file
> headers. that will never work.
> remove the echo statement on line 14 and you should be okay

But I need the line

echo "   " rel=\"external\">Download TESTUDIO flyer";

to display the link for download!!!

How can I solve this puzzle?

Full code follows my signature.

Thanks for all your help guys.

Warm Regards,
--
:wq! Mário Gamito
--
Download TESTUDIO flyer";
  exit;
  }
  header('Content-type: application/pdf');
  header("Content-Length: " . filesize($full));
  header('Content-disposition: attachment; filename="testudio.pdf"');

  readfile($full);
  exit;
  } else {
echo "Please, login to download the PDF";
 }
?>




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Zoltán Németh
On Wednesday, 4 April 2007 at 14:04, Mário Gamito wrote:
> Hi,
> 
> Ok, I've hardcoded the filename and I no longer get a 404 error.
> But the "PDF" file I get is this:
> 
> "Warning: Cannot modify header information - headers already sent by 
> (output started at /var/www/telbit_website/2/products-testudio.php:14) 
> in /var/www/telbit_website/2/products-testudio.php on line 120

that's what I said before. you echo out some html before the file
headers. that will never work.
remove the echo statement on line 14 and you should be okay

greets
Zoltán Németh

> 
> Warning: Cannot modify header information - headers already sent by 
> (output started at /var/www/telbit_website/2/products-testudio.php:14) 
> in /var/www/telbit_website/2/products-testudio.php on line 121
> 
> Warning: Cannot modify header information - headers already sent by 
> (output started at /var/www/telbit_website/2/products-testudio.php:14) 
> in /var/www/telbit_website/2/products-testudio.php on line 122
> %PDF-1.4 %âãÏÓ 351 0 obj <> endobj xref 351 434 16 0 n 
> 010281 0 n 010417 0 n 010574 0 n 010607 
> 0 n 012850 0 n 012884 0 n 013037 0 n 
> 013174 0 n 013704 0 n 014104 0 n 014488 
> 0 n 014700 0 n 014747 0 n 014794 0 n 
> 014842 0 n 014889 0 n 014937 0 n 014984 
> 0 n 015033 0 n 015082 0 n 015130 0 n 
> 015179 0 n 015228 0 n 015277 0 n 015326"
> (etc...)
> 
> > You are echoing stuff before sending the file that is not possible. So
> > remove the echo and it should work. If not, try this for debugging:
> > 
> > if(!is_readable($full)) echo "the file $full is not readable by apache";
> > else {
> > //same as before
> > }
> I'm not sure if i understand you :(
> 
> Warm Regards
> -- 
> :wq! Mário Gamito
> 




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Mário Gamito

Hi,

Ok, I've hardcoded the filename and I no longer get a 404 error.
But the "PDF" file I get is this:

"Warning: Cannot modify header information - headers already sent by 
(output started at /var/www/telbit_website/2/products-testudio.php:14) 
in /var/www/telbit_website/2/products-testudio.php on line 120


Warning: Cannot modify header information - headers already sent by 
(output started at /var/www/telbit_website/2/products-testudio.php:14) 
in /var/www/telbit_website/2/products-testudio.php on line 121


Warning: Cannot modify header information - headers already sent by 
(output started at /var/www/telbit_website/2/products-testudio.php:14) 
in /var/www/telbit_website/2/products-testudio.php on line 122
%PDF-1.4 %âãÏÓ 351 0 obj <> endobj xref 351 434 16 0 n 
010281 0 n 010417 0 n 010574 0 n 010607 
0 n 012850 0 n 012884 0 n 013037 0 n 
013174 0 n 013704 0 n 014104 0 n 014488 
0 n 014700 0 n 014747 0 n 014794 0 n 
014842 0 n 014889 0 n 014937 0 n 014984 
0 n 015033 0 n 015082 0 n 015130 0 n 
015179 0 n 015228 0 n 015277 0 n 015326"

(etc...)


> You are echoing stuff before sending the file that is not possible. So
> remove the echo and it should work. If not, try this for debugging:
>
> if(!is_readable($full)) echo "the file $full is not readable by apache";
> else {
> //same as before
> }

I'm not sure if I understand you :(

Warm Regards
--
:wq! Mário Gamito




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Mário Gamito

Hi,

Thank you all for your answers.


> I would say almost the opposite:

I get a Page Not found.
The problem is that $file variable is empty (tested with a print).

Any ideas ?

Warm Regards
--
:wq! Mário Gamito




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Richard Davey

Jochem Maas wrote:

>> You don't need to basename() it, you already know what the filename is,
>> because it was requested via $_GET['file'].
>
> I would say almost the opposite:

Let me rephrase: if you are properly validating the $_GET['file'] input
anyway, basenaming it is a superfluous step that may hide possible
attack attempts. Personally, I'd rather know if someone was messing
around with a parameter.


Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Jochem Maas
Richard Davey wrote:
> Mário Gamito wrote:
> 
>> To prevent people from inserting the full URL to the documents, I moved
>> them outside Apache's DocumentRoot, which is /var/www.
>>
>> My site is in /var/www/telbit and I put the PDFs in /var/www
>>
>> I've coded in order to do the trick, but it's failing.
>> I can't get the name of the file.
> 
> You don't need to basename() it, you already know what the filename is,
> because it was requested via $_GET['file'].

I would say almost the opposite:

Download TESTUDIO flyer";
exit;
}

header('Content-type: application/pdf');
header("Content-Length: " . filesize($full));
header('Content-disposition: attachment; filename="'. $file .'"');
readfile($full);
exit;
} else {
echo "Unauthorized Access!";
}

> 
> I would insert a file_exist check before you try and send it. It might
> give you the cause of your problem.

always a good thing

> 
> Cheers,
> 
> Rich




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Richard Davey

Mário Gamito wrote:

> To prevent people from inserting the full URL to the documents, I moved them
> outside Apache's DocumentRoot, which is /var/www.
>
> My site is in /var/www/telbit and I put the PDFs in /var/www
>
> I've coded in order to do the trick, but it's failing.
> I can't get the name of the file.

You don't need to basename() it, you already know what the filename is,
because it was requested via $_GET['file'].


I would insert a file_exist check before you try and send it. It might 
give you the cause of your problem.


Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"




Re: [PHP] Problems downloading a PDF

2007-04-04 Thread Zoltán Németh
On Wednesday, 4 April 2007 at 12:46, Mário Gamito wrote:
> Hi,
> 
> I'm building this site that has several PDFs to download, but only to 
> registered users.
> 
> To prevent people from inserting the full URL to the documents, I moved them
> outside Apache's DocumentRoot, which is /var/www.
>
> My site is in /var/www/telbit and I put the PDFs in /var/www
>
> I've coded in order to do the trick, but it's failing.
> I can't get the name of the file.
> Notice that the page which has the code is products-teststudio.php itself.
> 
> The code follows my signature.
> 
> Any help would be appreciated.
> 
> Warm Regards
> -- 
> :wq! Mário Gamito
> --
> 
>if (isset($_SESSION['email'])) {
>echo" rel=\"external\">Download TESTUDIO flyer";

you cannot do this. you are sending output here, html output, so the
webserver sends the html headers for it. and later you try to send a pdf
and corresponding headers in the same script. that will never work.

greets
Zoltán Németh

> 
>$file = $_GET['file'];
> 
>// try to sanitize the filename
>if (preg_match('/[^A-Za-z0-9._]/', $file))
> die("Invalid filename.");
> 
>$path = '/var/www/';
>$full = $path . $file;
> 
>header('Content-type: application/pdf');
>header("Content-Length: " . filesize($full));
>    header('Content-disposition: attachment; filename="'. basename($file) .'"');
>readfile($full);
>   }
> 




RE: [PHP] Problems downloading a PDF

2007-04-04 Thread Peter Lauri

> -Original Message-
> From: Mário Gamito [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 04, 2007 1:46 PM
> To: php-general@lists.php.net
> Subject: [PHP] Problems downloading a PDF
> 
> Hi,
> 
> I'm building this site that has several PDFs to download, but only to
> registered users.
> 
> To prevent people from inserting the full URL to the documents, I moved them
> outside Apache's DocumentRoot, which is /var/www.
>
> My site is in /var/www/telbit and I put the PDFs in /var/www
>
> I've coded in order to do the trick, but it's failing.
> I can't get the name of the file.
> Notice that the page which has the code is products-teststudio.php itself.
> 
> The code follows my signature.
> 
> Any help would be appreciated.
> 
> Warm Regards
> --
> :wq! Mário Gamito
> --
> 
>if (isset($_SESSION['email'])) {
>echo" rel=\"external\">Download TESTUDIO flyer";
> 
>$file = $_GET['file'];
> 
>// try to sanitize the filename
>if (preg_match('/[^A-Za-z0-9._]/', $file))
> die("Invalid filename.");
> 
>$path = '/var/www/';
>$full = $path . $file;
> 
>header('Content-type: application/pdf');
>header("Content-Length: " . filesize($full));
>    header('Content-disposition: attachment; filename="'. basename($file) .'"');
>readfile($full);
>   }
> 
[Peter Lauri - DWS Asia] 

You are echoing stuff before sending the file that is not possible. So
remove the echo and it should work. If not, try this for debugging:

if(!is_readable($full)) echo "the file $full is not readable by apache";
else {
//same as before
}

Best regards,
Peter Lauri

www.dwsasia.com - company web site
www.lauri.se - personal web site
www.carbonfree.org.uk - become Carbon Free




[PHP] Problems downloading a PDF

2007-04-04 Thread Mário Gamito

Hi,

I'm building this site that has several PDFs to download, but only to 
registered users.


To prevent people from inserting the full URL to the documents, I moved them
outside Apache's DocumentRoot, which is /var/www.


My site is in /var/www/telbit and I put the PDFs in /var/www

I've coded in order to do the trick, but it's failing.
I can't get the name of the file.
Notice that the page which has the code is products-teststudio.php itself.

The code follows my signature.

Any help would be appreciated.

Warm Regards
--
:wq! Mário Gamito
--

<?php
  if (isset($_SESSION['email'])) {
  echo" rel=\"external\">Download TESTUDIO flyer";


  $file = $_GET['file'];

  // try to sanitize the filename
  if (preg_match('/[^A-Za-z0-9._]/', $file))
   die("Invalid filename.");

  $path = '/var/www/';
  $full = $path . $file;

  header('Content-type: application/pdf');
  header("Content-Length: " . filesize($full));
  header('Content-disposition: attachment; filename="'. basename($file) .'"');

  readfile($full);
 }
