php下載文件

Question

嗨，我試圖從文件「上傳」下載文件。我使用薄COBE但結果卻是「對不起，該文件似乎不存在」

這裏是我的電話

<a href="download.php?filename=<?php $row4['Arxeio'] ?>">Click here 
to Download the File</a> 

和的download.php

<?php session_start(); 

$filename = $_GET['filename']; 

$download_path = './upload/'; 

if(eregi("\.\.", $filename)) die("I'm sorry, you may not download that file."); 

$file = str_replace("..", "", $filename); 
// Make sure we can't download .ht control files. if(eregi("\.ht.+", $filename)) die("I'm sorry, you may not download that file."); 

// Combine the download path and the filename to create the full path to the file. $file = '$download_path$filename'; 

// Test to ensure that the file exists. 
if(!file_exists($file)) die("I'm sorry, the file doesn't seem to exist."); 
// Extract the type of file which will be sent to the browser as a header 
$type = filetype($file); // Get a date and timestamp $today = date("F j, Y, g:i a"); $time = time(); // Send file headers header("Content-type: $type"); header("Content-Disposition: attachment;filename=$filename"); 
header("Content-Transfer-Encoding: binary"); 
header('Pragma: no-cache'); 
header('Expires: 0'); // Send the file contents. 
set_time_limit(0); 
readfile($file); 
?> 

Answer 1

在你的HTML，你需要echo的文件名也被寫入到輸出：

<a href='download.php?filename=<?php echo $row4['Arxeio']; ?>'>Click here to Download the File</a> 

當recei在PHP中瀏覽文件名，你必須針對目錄遍歷攻擊來驗證它。確認它不包含/或..。順便說一句，你有一個簡單的測試eregi()（which is deprecated），但它可以簡單地用strpos()完成。

if (strpos($filename, "..") >= 0 || strpos($filename, "/") >= 0) { 
    // Error! don't permit file download 
} 

查看PHP's documentation on NULL byte attack protection也是如此。

更好雖然是將$filename對有效文件名的白名單比較下載：

if (in_array($filename, array('file1.jpg', 'file2.txt', 'file3.mov',...)) { 
    // Ok, send the file. 
} 
else { 
    // Invalid file 
}