Why and wherefore file downloads


I lifted something close to this off Google, edited it, and now have it
working along with a cgi script of my own.

I'm way under-skilled in this and I have noticed something remarkable
about the php part of the setup:

-------        ---------       ---=---       ---------      --------


   <?php  // The file path where the file exists (**HERE** is the poster's placeholder for the directory prefix)
   $filepath = "**HERE**".$_GET['filename']."";
   // NB: the query parameter is used as-is; nothing here restricts it to the intended directory
   header("Pragma: public");
   header("Expires: 0");
   header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
   //setting content type of page
   header("Content-Type: application/force-download");
   header("Content-Disposition: attachment; filename=".basename($filepath ));
   header("Content-Description: File Transfer");
   //Read File it will start downloading (the readfile() call the replies below refer to)
   readfile($filepath);

-------        ---------       ---=---       ---------      --------

Notice the asterisked  `**HERE**' in line 2.

It does not seem to matter what I put there, the script still works.

I started out carefully putting the exact path there but later noticed
that it worked no matter what I put there.

Can anyone tell me why that is so?

-------        ---------       ---=---       ---------      --------
The cgi that calls the php code is short so included below as well.
-------        ---------       ---=---       ---------      --------
cgi (note that the actual files for download are in `DocumentRoot/fr/':

------- 8< snip ---------- 8< snip ---------- 8<snip -------

#!/usr/bin/perl
use strict;
use warnings;
use diagnostics;

my ($frdir, $reg, @files, $php);
$php = './Frommohitsharma.net.php';
## names to leave out of the listing: site source files, vim swap files, "~" backups
$reg = qr/(\.(html|php|cgi|shtml|css|swf|sw[op])|~)$/;
$frdir = "../fr/";

print "content-type: text/html\n\n";

print "<html> <head>
<title>Free stuff </title>
</head>
<body bgcolor=\"beige\">
<h3> Assorted downloads </h3>
<ul>
";

opendir my $dh, "$frdir" or die "Can't open $frdir: $!";

## exclude files matching $reg, and anything that is not a plain file
@files = grep {!/$reg/ && -f "$frdir/$_"} readdir $dh;
closedir $dh;

for (sort @files){
  my $sz = (stat ("$frdir/$_"))[7];
  $sz = ($sz / 1024.00 /1024.00 );   # bytes -> megabytes
  ## NB: the bare file name goes into the link unescaped and is handed to the
  ## php script as filename=..., which uses it to build the path it reads
  printf "%s %.2f %s\n", "<li> <h3><a href=\"$php?filename=$_\"><font size=\"1\" color=\"black\">sz:", $sz, " mb - </font> $_</a></h3></li>";
}

print "</ul>
</body>
</html>
";

Re: Why and wherefore file downloads

On 14.01.2012 19:43, Harry Putnam wrote:

Your Perl calls Frommohitsharma.net.php, but you print From_mohitsharma.net.php.

You are calling a different script.

This is the only explanation, because the parameter filepath is used unchanged in
the readfile() function and it should not work if you change it.

BTW, this looks terribly insecure.


Re: Why and wherefore file downloads


No, that is something I added when I wrote this message. It was to
indicate the php script and I typed it wrong inadvertently, not a typo
exactly, more like a memory lapse.

But it would have no bearing on what gets called.

The script being called is whatever is in the variable $php and there
is only one such script available.


That is the odd part.  Even if I do change it so that it doesn't really
point to the files, it still works.

For example, I just tried this:

 $filepath = "".$_GET['filename'].""; # no path listed at all.

Yet I am still shown an mp3 to play or download.

And this:
 $filepath = "/not".$_GET['filename'].""; ## wrong non-existent path
                                          ##  listed

At first I thought it might be because the mp3s were in the same dir
as the php script.  So I changed that just to find out.

The 1 lonesome mp3 has been moved to /test

I don't have root on the server but can control my little bit of it.

PS - do you mind explaining a bit in an off-group (via email) message,
what you mean by the bit about insecure?
Note: I do not munge my email address ... its real.

Re: Why and wherefore file downloads

On 17.01.2012 02:01, Harry Putnam wrote:


I mean there is nothing more inviting to poke around, even for occasional users,
than putting a download file name into the URL.
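To make the "terribly insecure" remark and the closing point about poking at download file names concrete, here is an added example of the same download endpoint with the file name confined to one directory. It is not the poster's script or anyone's from the thread; DOWNLOAD_DIR is a hypothetical path standing in for the poster's `DocumentRoot/fr/`. Note also that the posted snippet sends every header before it reads the file, so a browser shows a download prompt even if readfile() then fails on a path that does not exist; the example resolves and checks the path first and answers 404 otherwise.

```php
<?php
// Added example, not the original poster's code. Files to serve live in one
// fixed directory; DOWNLOAD_DIR is a hypothetical path for illustration.
const DOWNLOAD_DIR = '/var/www/fr';

/**
 * Map a user-supplied name onto an absolute path directly inside $dir.
 * Returns null for anything that is not a plain, existing regular file there:
 * empty names, names containing "/" "\" or NUL, "." and "..", and symlinks
 * that point elsewhere (realpath() follows symlinks, so the parent check
 * catches those as well).
 */
function resolve_download(string $name, string $dir = DOWNLOAD_DIR): ?string
{
    // Must be a bare file name: no separators, no NUL, nothing basename() would strip.
    if ($name === '' || strpbrk($name, "\0/\\") !== false || $name !== basename($name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;    // directory missing, or no such regular file
    }
    // The canonical file must sit directly under the canonical directory.
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

$raw  = $_GET['filename'] ?? '';
$path = is_string($raw) ? resolve_download($raw) : null;

if ($path === null) {
    // Decide before any download header goes out: a rejected or missing name
    // is a 404, not an empty attachment with a plausible-looking file name.
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo "No such file\n";
    exit;
}

$fname = basename($path);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $fname)
       . '"; filename*=UTF-8\'\'' . rawurlencode($fname));
header('Content-Length: ' . filesize($path));
header('Cache-Control: no-store');
readfile($path);
exit;
```

With this in place, requests such as `?filename=../../etc/passwd` or the URL-encoded `?filename=..%2F..%2Fetc%2Fpasswd` (PHP decodes it into the same string) are refused by the separator check, `?filename=..` is refused because it resolves to the parent directory, and a symlink dropped into the download directory cannot be used to read a file outside it. The Perl listing is unchanged by this; it still writes the raw file name into the href without URL-escaping, so a name containing `&`, `%` or a space produces a broken link even though the PHP side now rejects anything it cannot resolve.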

