
Add support for serving the files with PHP or X-sendfile #5

Open
daroczig opened this Issue Oct 18, 2012 · 3 comments


Currently the list of files points directly to the URLs of files found on the server, which means that any user could easily download with valid username and password with a known URL.

Is there any way to force encode-explorer to serve the files through PHP, or to pass e.g. an X-sendfile header to Apache? Unfortunately I now have to protect some directories with "basic auth" besides the username/passwd for encode-explorer, which is really painful for users.

Contributor

NewEraCracker commented May 29, 2015

This could be done, but it would need certain security guidelines to ensure there are no security bugs in the feature.

I was thinking about implementing it myself, as an optional feature that could be enabled via a $_CONFIG var and a translation variable for a download error message.

Something like this:

function download_file($filename)
{
    // Security guidelines: bail out if the name starts with a dot, contains a
    // double-dot group or a NUL byte, looks like a URL rather than a local path,
    // or does not resolve to a regular file inside the current directory.
    $root = realpath('.');
    if ($filename === '' || $filename[0] === '.' || strpos($filename, '..') !== false
        || strpos($filename, "\0") !== false || preg_match('#^[a-z][a-z0-9+.-]*://#i', $filename)) {
        die('Download error');
    }
    $path = realpath($root . '/' . $filename);
    if ($path === false || !is_file($path) || strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        die('Download error');
    }

    // Disable output buffering (every nested level) so chunks go straight to the client.
    while (ob_get_level()) { ob_end_clean(); }

    // Open file via fopen. Bail out on failure.
    $fp = fopen($path, 'rb');
    if ($fp === false) { die('Download error'); }

    // Send disposition headers: application/force-download, length, quoted file name.
    header('Content-Type: application/force-download');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');

    // Read file in 8kb chunks (8192) and echo them to the client. Loop while not at EOF.
    while (!feof($fp)) {
        echo fread($fp, 8192);
        flush();
    }
    fclose($fp);

    // Quit to prevent further output.
    exit();
}

Any thoughts?
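The X-sendfile variant the issue asks about, as an added example that is not encode-explorer's code nor the code sketched in the comment above. It does the same path validation as the streaming sketch, gates the download on a session flag, and then hands Apache the validated absolute path instead of reading the file in PHP. Assumptions: the files live under /var/www/share, the application marks a logged-in user in $_SESSION['ee_user'] (an invented key), the request carries the relative name in ?file=, and Apache runs mod_xsendfile.

```php
<?php
// Added example, not encode-explorer code. Assumed: share root below, a login
// flag named $_SESSION['ee_user'], and Apache with mod_xsendfile enabled.
session_start();

function resolve_share_path($share_root, $requested)
{
    // Reject names that start with a dot, contain ".." groups or NUL bytes,
    // or carry a URL scheme; the rest is decided on the canonical path.
    if ($requested === '' || $requested[0] === '.' || strpos($requested, '..') !== false) {
        return false;
    }
    if (strpos($requested, "\0") !== false || preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return false;
    }
    $root = realpath($share_root);
    if ($root === false) {
        return false;
    }
    $path = realpath($root . '/' . $requested);
    if ($path === false || !is_file($path)) {
        return false;
    }
    // realpath() has resolved symlinks, so this prefix check also rejects a
    // link inside the share that points somewhere outside it.
    if (strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        return false;
    }
    return $path;
}

function send_via_xsendfile($path)
{
    // mod_xsendfile discards the PHP body and streams the named file itself,
    // so only headers are emitted here; Apache adds Content-Length.
    $name = str_replace(array('"', "\r", "\n"), '', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Sendfile: ' . $path);
    exit();
}

$share_root = '/var/www/share';           // assumed location of the served files
if (empty($_SESSION['ee_user'])) {         // assumed session key set at login
    header('HTTP/1.1 403 Forbidden');
    exit('Login required');
}
$path = resolve_share_path($share_root, isset($_GET['file']) ? $_GET['file'] : '');
if ($path === false) {
    header('HTTP/1.1 404 Not Found');
    exit('Download error');
}
send_via_xsendfile($path);
```

For this to close the hole from the issue, the share directory must no longer be reachable by URL at all: mod_xsendfile reads from the filesystem, so the directory can sit outside the document root, or be denied to web clients (Require all denied in Apache 2.4) while XSendFile On and XSendFilePath /var/www/share permit the handler to serve from it. If the directory stays browsable, a known URL still bypasses the PHP check exactly as before.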

Contributor

havet commented Jan 31, 2016

You mean "any user could easily download withOUT valid username and password with a known URL", I suppose? I've noticed the same problem.
I would very much appreciate if this could be avoided somehow.

Owner

marekrei commented Feb 19, 2016

A much easier way to achieve this is to remove any passwords from encode-explorer and add authentication for the whole folder using .htaccess.
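The .htaccess approach suggested above, written out as an added example (not part of encode-explorer). It goes into the directory that holds both index.php and the served files; the user database path is an assumption and should live outside the web root.

```apache
# Added example of protecting the whole folder with HTTP Basic auth.
# AuthUserFile location is assumed; create it with: htpasswd -c /var/www/private/.htpasswd alice
AuthType Basic
AuthName "Restricted files"
AuthUserFile /var/www/private/.htpasswd
Require valid-user
```

Because the directive applies to every URL under the directory, direct links to the files are covered as well as the listing page, which is what removes the problem described in the issue. Basic auth sends the credentials (base64, not encrypted) on every request, so serve the folder over HTTPS only, and make sure AllowOverride permits AuthConfig for that directory or the .htaccess file is silently ignored.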
