I'm reasonably certain that this doesn't have any security issues, but insert a general disclaimer about how hard it is to prove a negative.
You don't use the filename to access your server's filesystem, so you aren't vulnerable to file inclusion attacks.
You restrict what the content of the file can be, so your users should be safe from being tricked into downloading scripts, but let's take a hypothetical anyway:
Given a programming language in which a program can be written using only the characters which match [a-f0-9] (which means no spaces), and a program can be written in 32 of those characters, then an attacker could craft a URL which appears to be on your site (and therefore trustworthy) which causes a file called something.xyz to be downloaded. (For a value of xyz which is registered as the file extension for scripts written in that language.) This would cause the attacker's program to be downloaded to somewhere that the user might double click on it and execute it.
That's a pretty unlikely case to start with, and modern OSes are quite good at flagging downloaded files as requiring a "Are you sure you want to execute this?" alert, so it is a serious edge case.
To be paranoid, you might want to restrict the filename to ones with .txt or .md5 extensions.
Special characters could be an issue, but I can't think of any that would be a security risk. If, for example, a new line was entered into the file name, then modern versions of PHP would likely throw something along the lines of:
Warning: Header may not contain more than a single header, new line detected in /Users/david/tmp/hfjkljiwe/index.php on line 4
… and prevent the script from outputting the content-disposition header at all.
Do not run old versions of PHP; get the security-fixed versions installed!
From the other side, browsers aren't likely to accept a filename that the filesystem they are writing to is going to throw a wobbly over.
That said, paranoia never did anyone any harm when it came to writing secure software (especially when it has to interact with other software — software has bugs!), so adding some restrictions on what characters are allowed in the filename wouldn't be a bad idea.
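One way to put the restrictions described in this answer into practice, as an added example (not code from the question or from the answerer): validate the requested name against the 32-hex-character pattern plus a .txt or .md5 extension before it ever reaches header(), so a newline or any other special character is rejected outright rather than relying on PHP's own header check. The function names, the X-Content-Type-Options header and the test inputs are this example's own assumptions.

```php
<?php
// Added example, not the original poster's code: validate a download filename
// strictly before passing it to header(). Function names are assumptions.

declare(strict_types=1);

/**
 * Return the filename if it is exactly 32 lowercase hex characters followed by
 * .txt or .md5; otherwise return null. The anchored, explicit character class
 * means newlines, quotes, slashes and ".." can never pass.
 */
function validate_download_name(string $name): ?string
{
    // \z rather than $ so a trailing newline cannot slip past the end anchor.
    return preg_match('/\A[a-f0-9]{32}\.(?:txt|md5)\z/', $name) === 1 ? $name : null;
}

/**
 * Build the Content-Disposition value for an already-validated name. The
 * validated alphabet needs no escaping, but quoting is still the RFC 6266 form.
 */
function content_disposition_for(string $validatedName): string
{
    return 'attachment; filename="' . $validatedName . '"';
}

/**
 * Emit headers and body for a validated download, or a 400 when the name is
 * rejected. Returns true only when the download headers were sent.
 */
function send_download(string $requestedName, string $body): bool
{
    $name = validate_download_name($requestedName);
    if ($name === null) {
        http_response_code(400);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Invalid filename\n";
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff'); // stop the browser sniffing the body into a script type
    header('Content-Disposition: ' . content_disposition_for($name));
    header('Content-Length: ' . strlen($body));
    echo $body;
    return true;
}

// Constructed inputs for a quick command-line check: php this_file.php
if (PHP_SAPI === 'cli') {
    $cases = [
        str_repeat('a', 32) . '.txt'          => true,  // valid
        str_repeat('0', 32) . '.md5'          => true,  // valid
        str_repeat('a', 32) . ".txt\n"        => false, // trailing newline
        str_repeat('a', 32) . ".txt\r\nX: y"  => false, // CRLF, the case the answer's warning covers
        str_repeat('a', 32) . '.exe'          => false, // extension not on the allow-list
        str_repeat('A', 32) . '.txt'          => false, // uppercase is outside [a-f0-9]
        str_repeat('a', 31) . '.txt'          => false, // wrong length
        '../' . str_repeat('a', 29) . '.txt'  => false, // traversal characters
    ];
    foreach ($cases as $input => $expected) {
        $ok = validate_download_name($input) !== null;
        printf("%-4s %s\n", $ok === $expected ? 'pass' : 'FAIL', json_encode($input));
    }
}
```

Rejecting before header() is the point: PHP's "new line detected" warning is a backstop, while the allow-list makes the filename's whole character set known, so there is nothing left for the browser's filesystem or the Content-Disposition grammar to choke on.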