Download script security question
#1

[eluser]BobbyB[/eluser]
Hello,
I am using the following code to handle (forced) downloads on my website:

Advanced File Downloading Library
http://ellislab.com/forums/viewthread/71247/

Code:
function download()
{
    $file = $this->input->get_post('file', TRUE);
    $name = $this->input->get_post('name', TRUE);

    $this->load->library('filedownload'); // Load the download library
    $config = array(
        'file'     => $file, // local file to store, relative to the folder of CI's root index.php
        'resume'   => true,  // Allow download resume support
        'filename' => $name, // New filename once downloaded to the client's computer
        'speed'    => 0,     // file download speed limit, in kbytes
    );
    $this->filedownload->send_download($config);
}

Using this however enables anybody to download any file on my server.
http://domain.com/pages/download/?file=s...nyfile.php

Is there any way to prevent this?
What would you do?

Thanks in advance!
#2

[eluser]renownedmedia[/eluser]
Don't execute the code unless the user is authenticated.

Code:
if ($this->session->userdata('candownload') == 'anyfile.php') {
  dostuff();
} else {
  die("Not Authorized.");
}
#3

[eluser]BobbyB[/eluser]
Hi Thomas,
thanks for your reply.
That's what first came to my mind too.
Unfortunately, users that are not "logged in" are also supposed to be able to directly download stuff (like PDFs, JPEGs).
Also the issue of people being able to download all kinds of "application files" would still be there.
The only way I can think of right now is to hard-code the filenames and only allow those to be downloaded.
There aren't that many.
Is there a secure way to only allow certain file extensions to be downloaded?

Thanks in advance!
#4

[eluser]wabu[/eluser]
BobbyB, how about simply parsing the requested file name and matching against your own list of acceptable types?
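The two controls suggested in posts #2 to #4 (refuse anything the caller is not entitled to, and accept only an allowlist of file types) can be combined in one small handler. The following is an added example written for this thread, not code from the original posts or from the Advanced File Downloading Library; it is plain PHP rather than the CodeIgniter API so that it runs stand-alone. The `downloads/` directory, the `ALLOWED_EXTENSIONS` list and the function names are this example's own assumptions.

```php
<?php
// Added example, not from the thread or the filedownload library.
// A forced-download handler that only ever serves files from one directory:
// the client-supplied name is reduced to a basename, checked against an
// extension allowlist, and resolved with realpath() so that "../" sequences
// and symlinks cannot lead outside DOWNLOAD_DIR.
// Assumed for this example: a downloads/ directory next to this script and
// the extension list below. Adjust both to the site's real layout.

const DOWNLOAD_DIR = __DIR__ . '/downloads';
const ALLOWED_EXTENSIONS = ['pdf', 'jpg', 'jpeg', 'png', 'zip'];

/**
 * Resolve a client-supplied file name to a safe absolute path inside
 * DOWNLOAD_DIR. Returns the real path, or null if the request is refused.
 */
function resolve_download(string $requested): ?string
{
    // 1. Drop any directory part: "../../index.php" becomes "index.php",
    //    and a Windows-style backslash path is normalised first.
    $name = basename(str_replace('\\', '/', $requested));

    // 2. Accept only a conservative character set. This also rejects an
    //    empty name, dotfiles such as ".htaccess", and quotes or control
    //    characters that could otherwise end up in a response header.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
        return null;
    }

    // 3. Extension allowlist, compared case-insensitively so that
    //    "SHELL.PHP" is refused just like "shell.php".
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // 4. Canonicalise and confine. realpath() returns false for missing
    //    files and follows symlinks, so a link pointing outside the
    //    directory is caught by the prefix check below.
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the download directory
    }
    return $path;
}

/**
 * Send the resolved file as an attachment. The download name is derived
 * from the resolved path, never from a second client-supplied parameter.
 * A refused request gets the same 404 as a missing file, so the response
 * does not reveal which paths exist on the server.
 */
function send_download(string $requested): void
{
    $path = resolve_download($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'File not found.';
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Quick self-check from the command line. Names that pass the filters
    // still resolve to null unless the file really exists in downloads/.
    foreach (['report.pdf', '../index.php', 'shell.php', '.htaccess', 'a"b.pdf'] as $input) {
        printf("%-16s => %s\n", $input, resolve_download($input) ?? 'refused');
    }
} else {
    // Web entry point, e.g. /pages/download/?file=report.pdf
    send_download((string) ($_GET['file'] ?? ''));
}
```

If the set of downloadable files is as small as post #3 suggests, an even tighter variant is to accept an opaque id (`?file=3`) and look the real path up in a server-side table, so the client never names a path at all; the `resolve_download()` confinement above is then a second layer behind that lookup. Files that do require a login can be gated in the same function by checking the session before `readfile()`, as post #2 proposes.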
#5

[eluser]BobbyB[/eluser]
Hi wabu,
yeah sounds good to me.
I will definitely try that out.

Thanks