File downloaded in PHP using Firefox is wrong size

Question

I have a problem with invalid signing certificates on files downloaded using Firefox. IE, Opera, Safari and Chrome are all fine. If the file is downloaded directly by clicking a link in FF it's also ok but if the file is downloaded using PHP for security it is 1 byte larger, having a x0A tacked on the end and I think this is causing it to fail the validation check. The PHP is very simple:

<?php
$file = "../downloads/".$_GET['link'];
$size = filesize($file);
$type = filetype($file);
header('Content-Type: application/octet-stream'); 
header("Content-Transfer-Encoding: Binary");  
header( "Content-Disposition: attachment; filename=".basename($file));
header("Content-Length: ".$size); 
header("Content-Type: ".$type);
readfile($file);
?>

Does anyone have any idea why Firefox alone should be having problems with getting the size right here? Grateful for any ideas.

Please read this : http://stackoverflow.com/questions/2882472/php-send-file-to-user — rkosegi, Mar 10 '12 at 08:31
What if I use `?link=../../../includes/db_connection_info.php`? — alex, Mar 10 '12 at 08:31
I know it's not part of your question, but you should truly sanatize $_GET['link'], otherwise this script will allow anyone to download any file on your filesystem that the webserver may access. (Also php configuration files, etc.) — Arend, Mar 10 '12 at 08:47

score 4 · Answer 1 · answered Mar 10 '12 at 08:39

4

Check if file exists and is placed in allowed location - now attacker is able to download nearly every file on your webserver
Don't use closing phptag - ?>, every whitespace after it will be send to the browser
Use exit; just after readfile to make sure no other function that produces output is called.

answered Mar 10 '12 at 08:39

dev-null-dweller

29,274
3
65
85

Brilliant! It did have some lines after the ?>, so did as you suggested and it's working. Thanks very much. – user1164035 Mar 10 '12 at 10:57

score 1 · Answer 2 · answered Mar 10 '12 at 08:44

check on the Content-Type header, you set it twice so the latter one will be used, it could be something like "Content-Type: file" due to function filetype(), the browser can't understand "file" content type and take it as a text file. I guess that's the cause of the extra 0x0a.
Comment "header("Content-Type: ".$type);" and it will work fine.

score 0 · Answer 3 · answered Mar 10 '12 at 08:38

0

replace below line

<?php
header("Content-Length: ".strlen($file));
?>

good luck :)

answered Mar 10 '12 at 08:38

Saiyam Patel

1,161
9
18

`$file` contains the *path* to the file, not the file contents itself. – Another Code Mar 10 '12 at 09:06
Ta for all other comments, websites are not really my field of expertise, I'm strictly a cut n paste merchant, so will look at all suggestions. Re Alex;s comments on security, should not the file permissions prevent – user1164035 Mar 10 '12 at 11:00

File downloaded in PHP using Firefox is wrong size

3 Answers3