Add support for serving the files with PHP or X-sendfile #5
Comments
This could be done. But would need certain security guidelines to ensure there are no security bugs in the feature. I was thinking about implementing it myself, as an optional feature that could be enabled via a $_CONFIG var and a translation variable for a download error message. Something like this:

```php
function download_file($filename)
{
    // Check security guidelines like path doesn't start with a dot, path does not include double dot groups, path is a local path not a URL identifier... Bail out on failure.
    // ...
    // Disable output buffering.
    if (ob_get_level()) { ob_end_clean(); }
    // Open file via fopen. Bail out on failure.
    // ...
    // Send disposition headers. application/force-download, length ...
    // ...
    // Read file in 8kb chunks (8192) and echo them to client. Loop while not reached EOF and file resource is valid.
    // ...
    // Quit to prevent further output
    exit();
}
```

Any thoughts?
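One way to fill in the steps of the sketch above, as an added example that is not encode-explorer's code and not written by the commenter. The names `resolve_download_path` and `stream_download` and the base-directory argument are hypothetical, PHP 7.1+ is assumed, and the caller is assumed to have verified the login before calling.

```php
<?php
// Added example, not encode-explorer's own code; function names are hypothetical.
// Map a user-supplied relative path to a real file under $baseDir, or null on failure.
function resolve_download_path(string $baseDir, string $requested): ?string
{
    // Reject empty input, NUL bytes, backslashes and URL-style identifiers (http:, php:, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '\\') !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return null;
    }
    // Reject any segment starting with a dot: covers ".", ".." and dot-files like .htaccess.
    foreach (explode('/', $requested) as $segment) {
        if ($segment !== '' && $segment[0] === '.') {
            return null;
        }
    }
    // Canonicalise (resolves symlinks) and require the result to stay below $baseDir.
    $base = realpath($baseDir);
    if ($base === false) { return null; }
    $real = realpath($base . '/' . $requested);
    if ($real === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function stream_download(string $baseDir, string $requested): void
{
    $path = resolve_download_path($baseDir, $requested);
    $fh = ($path !== null) ? @fopen($path, 'rb') : false;
    if ($fh === false) {
        http_response_code(404);   // same answer for "missing" and "not allowed"
        exit();
    }
    while (ob_get_level() > 0) { ob_end_clean(); }   // drop every buffer level
    header('Content-Type: application/octet-stream'); // used here instead of force-download
    // RFC 6266 filename*: percent-encoding keeps quotes and CR/LF out of the header.
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    while (!feof($fh) && ($chunk = fread($fh, 8192)) !== false) {
        echo $chunk;   // 8 KB chunks keep memory use flat for large files
        flush();
    }
    fclose($fh);
    exit();
}
```

Serving through PHP only closes the direct-URL gap if the web server denies direct requests to the data directory or the files live outside the document root.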
You mean "any user could easily download withOUT valid username and password with a known URL." I suppose? I've noticed the same problem.

A much easier way to achieve this is to remove any passwords from encode-explorer and add authentication for the whole folder using .htaccess.

Currently the list of files points directly to the URLs of files found on the server, which means that any user could easily download with valid username and password with a known URL.

Any way to force `encode-explorer` to serve the files within PHP or passing e.g. `X-sendfile` header to Apache? Unfortunately I have to protect some directories now with "basic auth" besides the username/passwd for `encode-explorer`, which is really painful for users.