
FastDownloads server logic

Nolo001 edited this page Apr 21, 2023 · 2 revisions

How it works

If you've read the Setup process page, then you know that Re-Banner needs a special file on your FastDownloads web server in order to function.

Serve.php is a simple downloader script with additional logic regarding fingerprint files.

It should be capable of detecting malicious request paths and handling them with a 404 Not Found response.

It accepts two incoming GET parameters, id and url.

id - the client fingerprint value, a number.

url - a file path, starting with a forward slash.

Serve.php has a number of security checks in place before it proceeds to respond with a file. If any check fails, serve.php responds with an HTTP code of 404 (Not Found).

  • First, it checks whether the GET request contains both url and id params.

  • Then, it checks whether the requested file path contains any path traversal sequences, prohibited characters, or anything else that could be used with malicious intent.

  • After that, serve.php checks the first folder of the requested path. If it is not one of the following, the check fails:

    • materials
    • models
    • sound
    • cfg
    • maps
    • scripts

  • Lastly, serve.php makes sure that the id GET parameter only contains digits.

If all of the above checks pass, then serve.php checks whether the url matches the fingerprint path that you hardcoded into the file during Setup. If so, it dynamically generates the fingerprint file, puts the value of the id GET parameter inside it and sends the file to the client.

If it's not the fingerprint file that is requested, serve.php checks whether the requested file actually exists on the server. If it doesn't, 404 Not Found is sent to the client.

If the file exists, then serve.php sends the file to the client.
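The check chain described above, written out as an added PHP example; this is not the project's own serve.php. It assumes a files directory next to the script, a placeholder fingerprint path and a placeholder fingerprint file format, and it adds a containment re-check after realpath() as defence in depth beyond the page's list.

```php
<?php
// Added illustration of the check chain described on this page, not the project's
// own serve.php. The root directory, fingerprint path and fingerprint file format
// are assumed placeholders.
declare(strict_types=1);

const WEBROOT = __DIR__ . '/files';                          // assumed FastDL root
const FINGERPRINT_PATH = '/cfg/fingerprint_PLACEHOLDER.cfg'; // assumed; set during Setup
const ALLOWED_ROOTS = ['materials', 'models', 'sound', 'cfg', 'maps', 'scripts'];

// Returns ['id' => ..., 'url' => ...] when every check passes, null otherwise.
function validateRequest(array $get): ?array {
    // Check 1: both parameters present and plain strings (PHP turns ?id[]=1 into an array).
    if (!isset($get['id'], $get['url']) || !is_string($get['id']) || !is_string($get['url'])) return null;
    $id = $get['id']; $url = $get['url'];
    // Check 4: id must be digits only (independent of the path, so done early).
    if (!preg_match('/^[0-9]+$/', $id)) return null;
    // Check 2: leading '/', conservative charset (rejects NUL, backslash, '%', whitespace),
    // no '..' anywhere and no empty or '.' segments.
    if (!preg_match('~^/[A-Za-z0-9_./-]+$~', $url) || strpos($url, '..') !== false) return null;
    $segments = explode('/', substr($url, 1));
    foreach ($segments as $seg) if ($seg === '' || $seg === '.') return null;
    // Check 3: first folder must be allow-listed and must be followed by a file name.
    if (count($segments) < 2 || !in_array($segments[0], ALLOWED_ROOTS, true)) return null;
    return ['id' => $id, 'url' => $url];
}

function notFound(): void { http_response_code(404); exit; }

function serve(array $get): void {
    $req = validateRequest($get);
    if ($req === null) notFound();
    if ($req['url'] === FINGERPRINT_PATH) {
        // Fingerprint file generated on the fly, carrying the client's id (format assumed).
        header('Content-Type: text/plain');
        echo "fingerprint={$req['id']}\n";
        return;
    }
    $root = realpath(WEBROOT);
    $full = realpath(WEBROOT . $req['url']);
    // Defence in depth: after symlink resolution the file must still sit under the root.
    if ($root === false || $full === false || !is_file($full)
        || strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) notFound();
    header('Content-Type: application/octet-stream');
    readfile($full);
}

serve($_GET);
```

Every failing branch answers with the same 404, so a client cannot tell a rejected path from a missing file.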


Important note

Serve.php hardcodes folders that clients are allowed to request files from (check 3 above). If your server has files that are not inside any of these folders and that the client needs to download, then please modify the serve.php script to match your needs.