google-code-export / cpassman

Automatically exported from code.google.com/p/cpassman

downloadFile.php headers incorrect #281

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
This php file is generating headers that look like this...
---------------------------------------------------------------------
Content-disposition: attachment; filename=db-backup-1349126932.sql
Content-Type: application/force-download
Content-Transfer-Encoding: sql

Pragma: no-cache
Cache-Control: must-revalidate, post-check=0, pre-check=0, public
Expires: 0
---------------------------------------------------------------------
There are a few issues with these headers...
First, there is no content type encoding "sql"; valid values are base64, binary, ascii, etc.
Second, this header is really only used for email transport, not http, which is an 8 bit clear channel.
Third, an extra newline character is being added.
Fourth, using "Content-Type: application/force-download" is not recommended; the recommended method is to use "Content-disposition: attachment" instead, which is already present.
Fifth, "Pragma: public" should be used, NOT "Pragma: no-cache"; the latter causes issues with saving the file from https.

Here are some articles for reference...

http://stackoverflow.com/questions/10615797/utility-of-http-header-content-type-application-force-download-for-mobile

http://www.richnetapps.com/the-right-way-to-handle-file-downloads-in-php/

Here is my suggested updated file...

<?php
/**
 * @file                downloadFile.php
 * @author              Nils Laumaillé
 * @version     2.1.8
 * @copyright   (c) 2009-2011 Nils Laumaillé
 * @licensing   GNU AFFERO GPL 3.0
 * @link                http://www.teampass.net
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

session_start();
// Refuse the download unless the session is active and both keys match.
if (!isset($_SESSION['CPM']) || $_SESSION['CPM'] != 1
    || !isset($_GET['key'], $_GET['key_tmp'], $_GET['name'], $_GET['sub'], $_GET['file'])
    || $_GET['key'] != $_SESSION['key'] || $_GET['key_tmp'] != $_SESSION['key_tmp']) {
    die('Hacking attempt...');
}

// Keep only the last path component of the requested name and strip CR/LF and
// quotes, so the header value cannot carry directory parts or extra header lines.
$name = basename(rawurldecode($_GET['name']));
$name = str_replace(array("\r", "\n", '"'), '', $name);

// One header per line: no Content-Transfer-Encoding, no force-download type,
// Pragma: public instead of no-cache (see the report above).
header('Content-Disposition: attachment; filename="'.$name.'"');
header('Content-Type: application/octet-stream');
header('Pragma: public');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0, public');
header('Expires: 0');

// basename() on both parameters keeps the read inside a direct child of the parent
// directory; without it "sub" could contain ".." and escape the application tree.
readfile('../'.basename($_GET['sub']).'/'.basename($_GET['file']));
?>

Original issue reported on code.google.com by star2...@gmail.com on 2 Oct 2012 at 2:54
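As an added example (not part of the issue above and not cpassman/Teampass code), the following standalone PHP download endpoint emits the headers the report recommends and, in addition, confines the served file to a single directory and encodes non-ASCII filenames per RFC 6266. The `DOWNLOAD_BASE` path, the helper function names and the request parameter names are assumptions chosen for the example.

```php
<?php
// Added example, not from the original issue or from cpassman/Teampass.
// Serves one file from a fixed directory as an attachment.

const DOWNLOAD_BASE = '/var/www/teampass/files';   // assumed storage directory

/**
 * Build a safe Content-Disposition value: last path component only, control
 * characters removed, quotes escaped out, and non-ASCII names carried in an
 * RFC 6266 filename* parameter (UTF-8, percent-encoded) next to an ASCII fallback.
 */
function attachmentDisposition($name)
{
    $base = basename(str_replace('\\', '/', $name));
    $base = preg_replace('/[\x00-\x1F\x7F]/', '', $base);   // no CR/LF header splitting
    if ($base === '' || $base === '.' || $base === '..') {
        $base = 'download';
    }
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $base);
    $ascii = str_replace(array('"', '\\'), '_', $ascii);
    $header = 'attachment; filename="' . $ascii . '"';
    if ($ascii !== $base) {
        $header .= "; filename*=UTF-8''" . rawurlencode($base);
    }
    return $header;
}

/**
 * Resolve a user-supplied relative path inside DOWNLOAD_BASE. Returns false when
 * the target does not exist, is not a regular file, or (via ".." or a symlink)
 * resolves outside the base directory.
 */
function resolveDownloadPath($relative)
{
    $base   = realpath(DOWNLOAD_BASE);
    $target = realpath(DOWNLOAD_BASE . '/' . $relative);
    if ($base === false || $target === false || !is_file($target)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $target;
}

/** Emit the download headers recommended in the report and stream the file. */
function sendDownload($path, $displayName)
{
    header('Content-Type: application/octet-stream');          // not application/force-download
    header('Content-Disposition: ' . attachmentDisposition($displayName));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Pragma: public');                                  // not no-cache (HTTPS save issue)
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0, public');
    header('Expires: 0');
    // No Content-Transfer-Encoding: HTTP is an 8-bit clean channel.
    readfile($path);
}

session_start();
if (empty($_SESSION['CPM']) || $_SESSION['CPM'] != 1
    || !isset($_GET['key'], $_GET['key_tmp'], $_SESSION['key'], $_SESSION['key_tmp'])
    || $_GET['key'] !== $_SESSION['key'] || $_GET['key_tmp'] !== $_SESSION['key_tmp']) {
    header('HTTP/1.1 403 Forbidden');
    exit('Access denied');
}

$path = resolveDownloadPath(isset($_GET['file']) ? $_GET['file'] : '');
if ($path === false) {
    header('HTTP/1.1 404 Not Found');
    exit('File not found');
}
sendDownload($path, isset($_GET['name']) ? rawurldecode($_GET['name']) : basename($path));
```

The `realpath()` prefix check is what actually stops path traversal: `basename()` alone would still let a caller pick any file in the directory, while `realpath()` also collapses `..` segments and follows symlinks before the comparison. The `filename*` parameter is only added when the name is not plain ASCII, so old clients that ignore it still get a usable `filename=`.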