PHP: Force download header won't show total size and speed

Tags: php, download
Whenever I use this script to download a file, I can't see the total size and the speed while downloading... I want to make it look more like the 'direct download link'. The purpose of this script is to hide the direct download link, restrict direct downloading and other download behavior, like bots. Think of mediafire, rapidshare, megaupload etc.

The script we have now works but is not displayed as how it is displayed when you download from a normal download link, I will post a screenshot of what's happening:

I hope this screenshot helps, because I've searched the internet for hours and can't seem to find a solution to this :(.

if (isset($_GET['file'])) {
    $file = $_GET['file'];
    $path = '/home/user/domains/domain.com/files/upload/';
    $filepath = $path.$file;

    if (file_exists($filepath)) {

        set_time_limit(0); // for slow connections

        header('Content-Description: File Transfer');
        header("Content-Disposition: attachment; filename=\"$file\"");
        header('Content-Type: application/octet-stream');
        header('Content-Transfer-Encoding: binary');
        header('Content-Length: ' . filesize($filepath));
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Expires: 0');

        readfile($filepath); // send file to client
    } else {
        header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404);
    }
} else {
    header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404);
}
Yuki Kutsuya asked Nov 04 '22 09:11


1 Answer

Is the content being compressed at the server level with mod_deflate or something similar?

This has been answered here: Sending correct file size with PHP download script

"If you compress files with Zlib, mod_deflate and so on the Content-Length header won't be accurate so you'll end up seeing "Unknown size" and "Unknown time remaining" when downloading files."

"You can easily disable it for a single script using the following line in an applicable .htaccess file:

SetEnvIfNoCase Request_URI ^/download.php no-gzip dont-vary

where download.php is here assumed to be in the download script located in the server's root directory path (e.g. www.crimsonbase.com/download.php). (That's because the regular expression is ^/download.php.)"

Also, please note that your script is insecure. Someone could effectively send the following GET parameter for $_GET['file']:

../../../../../Documents/MyStuff

and it will override your $path restriction entirely.

Suggest stripping out any .. references in the path.

Michael Blake answered Nov 11 '22 06:11
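One way to close the path traversal hole the answer points out, as an added example that is not part of the original question or answer: instead of only stripping `..`, resolve the requested path with `realpath()` and serve it only if the result is still inside the upload directory. The base directory is the one from the question; `resolveDownload()` and `DOWNLOAD_BASE` are hypothetical names.

```php
<?php
// Added example: hardened variant of the question's download script.
// resolveDownload() and DOWNLOAD_BASE are hypothetical names.

const DOWNLOAD_BASE = '/home/user/domains/domain.com/files/upload';

/**
 * Return the canonical path of $requested if it is a regular file inside
 * $baseDir, or null otherwise.
 */
function resolveDownload(string $baseDir, string $requested): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", "." and symlinks; it returns false if the
    // target does not exist.
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null;
    }
    // The trailing separator stops a sibling such as /upload_private
    // from passing a plain prefix comparison against /upload.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

$filepath = isset($_GET['file']) && is_string($_GET['file'])
    ? resolveDownload(DOWNLOAD_BASE, $_GET['file'])
    : null;

if ($filepath === null) {
    http_response_code(404);
    exit;
}

// Use only the final path component in the header, with quotes,
// backslashes and control characters replaced.
$name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', basename($filepath));

set_time_limit(0); // for slow connections
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($filepath));
readfile($filepath);
```

A request for `../../../../../Documents/MyStuff` resolves to a path outside the base directory and gets a 404; the `Content-Length` header still depends on compression being disabled for this script, as described in the answer.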