I have a problem with invalid signing certificates on files downloaded using Firefox. IE, Opera, Safari and Chrome are all fine. If the file is downloaded directly by clicking a link in FF it's also OK, but if the file is downloaded using PHP for security it is 1 byte larger, having a x0A tacked on the end, and I think this is causing it to fail the validation check. The PHP is very simple:
```php
<?php
$file = "../downloads/".$_GET['link'];
$size = filesize($file);
$type = filetype($file);
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-Disposition: attachment; filename=".basename($file));
header("Content-Length: ".$size);
header("Content-Type: ".$type);
readfile($file);
?>
```
Does anyone have any idea why Firefox alone should be having problems with getting the size right here? Grateful for any ideas.
asked Mar 10 '12 at 08:03
- Check if the file exists and is placed in an allowed location - now an attacker is able to download nearly every file on your webserver
- Don't use the closing PHP tag `?>`, every whitespace after it will be sent to the browser
- `exit;` just after readfile to make sure no other function that produces output is called.
Check the Content-Type header: you set it twice, so the latter one will be used. It could be something like "Content-Type: file" due to the function filetype(); the browser can't understand the "file" content type and takes it as a text file. I guess that's the cause of the extra 0x0a.
Comment out `header("Content-Type: ".$type);` and it will work fine.
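The points raised in the two answers above (keep the path inside the allowed directory, send a single Content-Type, leave out the closing tag, exit after readfile) combined into one handler. This is an added example, not code from the question or the answers; the location of the downloads directory and the filename sanitizing rule are assumptions.

```php
<?php
// Added example: hardened version of the download script.
// Assumptions: downloads live in ../downloads next to this script, and
// the request parameter is still called 'link' as in the question.
declare(strict_types=1);

/** Map a requested name to a real file inside $baseDir, or null. */
function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops every directory component, so "../../x" becomes "x".
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() resolves symlinks and returns false for a missing file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit under the base directory
    // (rejects a symlink that points outside it).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$link = $_GET['link'] ?? '';
$file = is_string($link) ? resolveDownload(__DIR__ . '/../downloads', $link) : null;
if ($file === null) {
    http_response_code(404);
    exit;
}

// Drop anything already buffered (e.g. whitespace emitted by an include)
// so it cannot end up in the response next to the file bytes.
while (ob_get_level() > 0) {
    ob_end_clean();
}

// Restrict the advertised filename to a conservative character set.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file));
header('Content-Type: application/octet-stream'); // set exactly once
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($file));
readfile($file);
exit; // nothing after this point can add output; no closing tag follows
```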
Replace below line:
```php
<?php header("Content-Length: ".strlen($file)); ?>
```
Good luck :)