El archivo descargado en PHP con Firefox tiene un tamaño incorrecto

I have a problem with invalid signing certificates on files downloaded using Firefox. IE, Opera, Safari and Chrome are all fine. If the file is downloaded directly by clicking a link in FF it's also ok but if the file is downloaded using PHP for security it is 1 byte larger, having a x0A tacked on the end and I think this is causing it to fail the validation check. The PHP is very simple:

$file = "../downloads/".$_GET['link'];
$size = filesize($file);
$type = filetype($file);
header('Content-Type: application/octet-stream'); 
header("Content-Transfer-Encoding: Binary");  
header( "Content-Disposition: attachment; filename=".basename($file));
header("Content-Length: ".$size); 
header("Content-Type: ".$type);

Does anyone have any idea why Firefox alone should be having problems with getting the size right here? Grateful for any ideas.

preguntado el 10 de marzo de 12 a las 08:03

¿Qué pasa si uso ?link=../../../includes/db_connection_info.php? -

I know it's not part of your question, but you should truly sanatize $_GET['link'], otherwise this script will allow anyone to download any file on your filesystem that the webserver may access. (Also php configuration files, etc.) -

3 Respuestas

  1. Check if file exists and is placed in allowed location - now attacker is able to download nearly every file on your webserver
  2. Don't use closing phptag - ?>, every whitespace after it will be send to the browser
  3. Utilizan exit; just after readfile to make sure no other function that produces output is called.

respondido 10 mar '12, 08:03

Brilliant! It did have some lines after the ?>, so did as you suggested and it's working. Thanks very much. - user1164035

check on the Content-Type header, you set it twice so the latter one will be used, it could be something like "Content-Type: file" due to function filetype(), the browser can't understand "file" content type and take it as a text file. I guess that's the cause of the extra 0x0a.
Comment "header("Content-Type: ".$type);" and it will work fine.

respondido 10 mar '12, 08:03

replace below line

header("Content-Length: ".strlen($file));

buena suerte :)

respondido 10 mar '12, 08:03

$file contiene el camino to the file, not the file contents itself. - otro Código

Ta for all other comments, websites are not really my field of expertise, I'm strictly a cut n paste merchant, so will look at all suggestions. Re Alex;s comments on security, should not the file permissions prevent - user1164035

No es la respuesta que estás buscando? Examinar otras preguntas etiquetadas or haz tu propia pregunta.