Download script security question
[eluser]BobbyB[/eluser]
Hello, I am using the following code to handle downloads (forced) on my website: Advanced File Downloading Library http://ellislab.com/forums/viewthread/71247/
Code:
function download()
Using this, however, enables anybody to download any file on my server. http://domain.com/pages/download/?file=s...nyfile.php Is there any way to prevent this? What would you do? Thanks in advance!
[eluser]renownedmedia[/eluser]
Don't execute the code unless the user is authenticated.
Code:
if ($this->session->userdata('candownload') == 'anyfile.php') {
[eluser]BobbyB[/eluser]
Hi Thomas, thanks for your reply. That's what first came to my mind too. Unfortunately, users that are not "logged in" are also supposed to be able to directly download stuff (like PDFs, JPEGs). Also, the issue of people being able to download all kinds of "application files" would still be there. The only way I can think of right now is to hard-code the filenames and only allow those to be downloaded. There aren't that many. Is there a secure way to only allow certain file extensions to be downloaded? Thanks in advance!
[eluser]wabu[/eluser]
BobbyB, how about simply parsing the requested file name and matching against your own list of acceptable types?
[eluser]BobbyB[/eluser]
Hi wabu, yeah, sounds good to me. I will definitely try that out. Thanks
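As an added illustration of what wabu suggests (not code from the thread or from the Advanced File Downloading Library), here is a download handler that confines requests to one directory and an allow-list of extensions; the directory path, the extension list and the function names are assumptions.

```php
<?php
// Added example: serve only files that live directly in DOWNLOAD_DIR and
// carry an allow-listed extension. Path and extension list are assumed.

const DOWNLOAD_DIR = '/var/www/site/downloads';           // assumed location
const ALLOWED_EXT  = ['pdf', 'jpg', 'jpeg', 'png', 'zip']; // assumed allow-list

/**
 * Resolve a user-supplied file name to a safe absolute path, or return null.
 * Rejects directory components, traversal sequences, unknown extensions and
 * anything that resolves outside DOWNLOAD_DIR (symlinks included, via realpath()).
 */
function resolve_download(string $requested): ?string
{
    // Drop any directory part: "../../config/database.php" becomes "database.php".
    $name = basename($requested);
    // Plain names only: letters, digits, dash, underscore, then exactly one dot
    // and an alphanumeric extension. Dotfiles and "a.b.c" names are rejected.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return null;
    }
    if (!in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        return null; // .php, .ini, .htaccess and the like never get past here
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files; also confine to $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// Controller-style entry point: serve the file as an attachment or reply 404.
function download(): void
{
    $path = resolve_download($_GET['file'] ?? '');
    if ($path === null) {
        http_response_code(404);
        exit('File not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

If the set of downloadable files really is as small as BobbyB says, replacing ALLOWED_EXT with a list of exact file names is stricter still, and the realpath() containment check stays useful either way.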