1

Download.php

<?php
$file = $_GET['file'];   // path taken straight from the query string, no validation
if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);     // streams whatever path was supplied
    exit;
}
?>

Following is the JavaScript code I'm using to pass the URL to the PHP script (Download.js):

init: function () {
    this.control({
        '#downloadSite': {
            load: function (tree, node, records, successful, eOpts) {
                // intentionally empty
            },

            // Open Download.php with the record's url, choosing the TAB or PDF
            // folder by record id; the value is passed to the script unchanged.
            itemclick: function (tree, record, item, index) {
                if (record.get('id') == 300) {
                    window.open('Download.php?file=../TAB/' + record.get('url'));
                } else {
                    window.open('Download.php?file=../PDF/' + record.get('url'));
                }
            },
            // Only leaf nodes (files) are clickable.
            beforeitemclick: function (tree, record, item, index) {
                if (record.get('leaf') == false) return false;
            },
            beforeitemdblclick: function () {
                return false;
            }
        }
    });
}

If I enter "Download.php?file=../web.config" in the URL, the web.config file is downloaded. I want to prevent direct download of source code. The download option is for downloading the PDF files that I have stored in the pdf folder in the main directory.

Please help!

alexJoe
  • 72
  • 1
  • 9
  • alexJoe, if you run the PHP file manually, create the URL manually and run it, no JavaScript, does it do the same? – johnny Aug 28 '18 at 14:15
  • Does this help? I don't want to vote this has already been solved (a.k.a. closed) if it doesn't help you. https://stackoverflow.com/questions/8485886/force-file-download-with-php-using-header – johnny Aug 28 '18 at 14:18
  • The other script is the problem? Sorry. Didn't understand. – johnny Aug 28 '18 at 14:20
  • No. Is there a way I can prevent downloading of source code files if someone just alters the URL like this: "Download.php?file=../web.config"? – alexJoe Aug 28 '18 at 14:23

2 Answers

1

You've fallen foul of a pretty bad design decision here that makes you vulnerable to file system traversal.

You might consider:

  1. Ensure the requested file ends in .pdf
  2. Ensure that the file being read ends in .pdf
  3. Drop any requests where the file parameter contains ..

Given Download.php doesn't look to be ensuring requesters are authenticated at all, I would suggest maybe having your PDF documents live within a web-accessible directory and just linking directly to them, instead of creating an attack vector that could compromise your server.

Michael M
  • 325
  • 1
  • 9
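A hardened Download.php that applies the three checks from the answer above, added here as an example and not code from the question or either answer. It assumes the PDFs live in a directory outside the web root given by a constant PDF_DIR, and resolve_download is a helper name chosen for this example:

```php
<?php
// Added example (not the asker's or either answerer's code): a hardened
// Download.php that applies the checks from the answer above.
// Assumption: the PDFs live in PDF_DIR, a directory outside the web root.
define('PDF_DIR', '/var/www/files/pdf');   // assumed path, not from the page

// Resolve a user-supplied file name to an absolute path inside $baseDir,
// or return null if the request must be refused.
function resolve_download(string $requested, string $baseDir): ?string
{
    // 1. Refuse traversal sequences, path separators and NUL bytes outright.
    if ($requested === ''
        || strpos($requested, '..') !== false
        || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    // 2. Only .pdf may be requested (case-insensitive): the answer's checks 1 and 2.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    // 3. Canonicalise both sides and confirm the target is still inside $baseDir,
    //    so a symlink or an encoding trick cannot escape the directory.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Authentication (e.g. a session check) belongs here, before any file is served.
$path = resolve_download((string) ($_GET['file'] ?? ''), PDF_DIR);
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "refused"
    exit;
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: no-store');
readfile($path);
exit;
```

With this in place a request such as Download.php?file=../web.config is rejected at step 1, and a file that passes the name checks is only served if its canonical path is under PDF_DIR.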
0

Use this in web.config:

<authorization>
    <allow users="user1, user2"/>
    <deny users="?"/>
</authorization>

https://support.microsoft.com/en-us/help/815151/how-to-restrict-specific-users-from-gaining-access-to-specified-web-re

Don't allow the code to circumvent this, as Michael M is saying.

johnny
  • 19,272
  • 52
  • 157
  • 259