is this code safe? (download.php)

Posted: Sat Dec 29, 2007 5:40 pm
by jonwondering
Just wondering, when this code is used to download an image off of the website (not localhost), is the code safe? I read something somewhere that said it's possible to do an overflow attack on it by modifying the image file:

Code:

<?php
// Remote file to serve (not localhost)
$filename = 'http://whatever.com/image.jpg';
header("Content-Disposition: attachment; filename=\"" . basename($filename) . "\"");
header("Content-Type: application/octet-stream");
header("Content-Length: " . basename(filesize($filename)));
header("Pragma: no-cache");
header("Expires: 0");
// Stream the file to the client
readfile($filename);
And let's say the code checks to make sure that the filename is a valid image. Thanks.

Posted: Sat Dec 29, 2007 7:39 pm
by pickle
Seems fine with one exception. You've got basename() & filesize() in reversed positions for the Content-Length header. You want:

Code:

filesize(basename($filename))
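
A hardened download.php, added here as an example (not code from this thread or from either poster): it accepts only a bare file name, checks that the resolved path stays inside a fixed local directory (a hypothetical /var/www/downloads), verifies the file really is an image, and computes Content-Length with filesize() on that local path.

```php
<?php
// Added example, not from the thread. Serves files only from DOWNLOAD_DIR
// (hypothetical path) so the request can't name arbitrary paths or URLs.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/downloads';
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];

function resolve_download(string $requested): ?string
{
    // Bare file names only: letters, digits, dot, dash, underscore.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $requested);
    // realpath() returns false for missing files and collapses "..", so
    // confirm the result is still inside the download directory.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Check the content, not just the extension: getimagesize() returns
    // false for files that are not real images.
    if (@getimagesize($path) === false) {
        return null;
    }
    return $path;
}

$path = resolve_download((string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// filesize() on the resolved local path gives a correct Content-Length.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Pragma: no-cache');
header('Expires: 0');
readfile($path);
```

Request it as download.php?file=image.jpg; anything with a path separator, an unexpected extension, or non-image content gets a 404.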

Posted: Sat Dec 29, 2007 8:26 pm
by jonwondering
Oh dang, I didn't even notice that... thanks.

Posted: Sat Dec 29, 2007 8:37 pm
by John Cartwright
This is an old vulnerability (2003), so keep your versions up to date (specifically the mod_security Apache module) and you'll be fine :)

http://securitytracker.com/alerts/2003/Oct/1008025.html

Posted: Sat Dec 29, 2007 9:52 pm
by jonwondering
Cool. So I should be good then... Thanks again.