In the apache forum I got help from user feherke on a method to serve large JPEGs as attachments rather than inline.
The script is working reliably. BUT I am concerned about security.
My concern with this tho is that someone might manipulate the request string to get access to files that are not meant to be accessed (?filename=../.passwd or something like that).
I *think* my script limits them to only accessing JPEGs and only accessing the images/press directory. But I thought I would post here to see if anyone else had any security tips...
<?php
/*
*** getimage ***
phr 14 june 2007
the purpose of this script is to serve large jpegs as downloads, while
smaller jpegs are served inline as usual.
it is intended to be used in conjunction with an htaccess rewrite
*/
$pathinfo = pathinfo(__FILE__);
$hostroot = $pathinfo['dirname'];
$filename= $_GET['filename']; // grab the value of the requested file from the url
$ok=file_exists($hostroot . $filename);
// for security reasons we want to allow this script to only function inside certain directories
$safedirectory = "$hostroot/images/press";
if ($ok) { // the file exists
$filepath = pathinfo($hostroot . $filename);
if (strpos($filepath['dirname'],"$safedirectory") === "0" AND ($filepath['extension']=='jpeg' OR $filepath['extension']=='jpg')){
// the file is in the images directory, and is a jpeg
$ok = true;
}
}
if ($ok) { // the file is in the images directory, and is a jpeg
$filesize = filesize($hostroot . $filename);
if ($filesize > 500*1024) { // image is larger than 500KB
header('Content-Disposition: attachment');
header('Content-type: application/octet-stream');
header ("Content-Length: $filesize");
}
else { // image is smaller than 500KB
header('Content-type: image/jpeg');
header ("Content-Length: $filesize");
}
readfile($hostroot . $filename);
return;
}
header('HTTP/1.0 404 Not Found');
?>
<html>
<head>
<title>Error 404</title>
<head>
<body>
<h1>Error 404 - Not Found</h1>
<p>The requested file, "<?php echo $filename; ?>", does not exists.</p>
</body>
</html>
The script is working reliably. BUT I am concerned about security.
My concern with this tho is that someone might manipulate the request string to get access to files that are not meant to be accessed (?filename=../.passwd or something like that).
I *think* my script limits them to only accessing JPEGs and only accessing the images/press directory. But I thought I would post here to see if anyone else had any security tips...
<?php
/*
*** getimage ***
phr 14 june 2007
the purpose of this script is to serve large jpegs as downloads, while
smaller jpegs are served inline as usual.
it is intended to be used in conjunction with an htaccess rewrite
*/
$pathinfo = pathinfo(__FILE__);
$hostroot = $pathinfo['dirname'];
$filename= $_GET['filename']; // grab the value of the requested file from the url
$ok=file_exists($hostroot . $filename);
// for security reasons we want to allow this script to only function inside certain directories
$safedirectory = "$hostroot/images/press";
if ($ok) { // the file exists
$filepath = pathinfo($hostroot . $filename);
if (strpos($filepath['dirname'],"$safedirectory") === "0" AND ($filepath['extension']=='jpeg' OR $filepath['extension']=='jpg')){
// the file is in the images directory, and is a jpeg
$ok = true;
}
}
if ($ok) { // the file is in the images directory, and is a jpeg
$filesize = filesize($hostroot . $filename);
if ($filesize > 500*1024) { // image is larger than 500KB
header('Content-Disposition: attachment');
header('Content-type: application/octet-stream');
header ("Content-Length: $filesize");
}
else { // image is smaller than 500KB
header('Content-type: image/jpeg');
header ("Content-Length: $filesize");
}
readfile($hostroot . $filename);
return;
}
header('HTTP/1.0 404 Not Found');
?>
<html>
<head>
<title>Error 404</title>
<head>
<body>
<h1>Error 404 - Not Found</h1>
<p>The requested file, "<?php echo $filename; ?>", does not exists.</p>
</body>
</html>
