PHP - How to set full directory path in Content-Disposition?

php content-disposition
John M picture John M · Nov 18, 2009 · Viewed 18.1k times · Source

I am passing a filename to a download page.
ie somefile.xls

The download page adds back in the full directory path onto the filename.
ie c:\temp\somefile.xls

The problem is that now setting the 'Content-Disposition' of the header doesn't work. The filename it wants to download is the full directory-filename path. ie c_temp_somefile

Can the Content-Disposition handle a full path?

If it can how do I get my script to properly download the file?

Code is:

$myad = $_GET['myad'];
$glob_string =  realpath('/foldera/folderb/folderc'). DIRECTORY_SEPARATOR .$myad;

header('Content-Type: application/excel');
$headerstring = 'Content-Disposition: attachment; filename='.$glob_string;
header($headerstring);
readfile($myad);

UPDATED code (from answers):

$myad = $_GET['myad'];
$glob_string =  realpath('/mit/mit_tm/mrl_bol'). DIRECTORY_SEPARATOR .$myad;

header('Content-Type: application/excel');
$headerstring = 'Content-Disposition: attachment; filename='.$myad;
header($headerstring);
readfile($glob_string);

Answer

Ferdinand Beyer picture Ferdinand Beyer · Nov 18, 2009

Don't pass the full path via the header string, but use the base name ($myad) instead.

You should really use a better validation for $_GET['myad'], since your script will pass arbitrary paths to the user (readfile() gets the unfiltered user input). This is a security hole!

Calculate the real path using realpath, make sure that the file is within a allowed folder, then use basename() on the full path to get the plain file name. Pass this substring via the Content-Disposition header, but use the real path for readfile().

UPDATE: Your updated code still contains a security hole. If $_GET['myad'] contained ../../../some/full/path, your script would happily send any requested readable file to the client.

You should use something along the lines of the following snippet:

$myad = $_GET['myad'];

$rootDir = realpath('/mit/mit_tm/mrl_bol');
$fullPath = realpath($rootDir . '/' . $myad);

// Note that, on UNIX systems, realpath() will return false if a path
// does not exist, but an absolute non-existing path on Windows.
if ($fullPath && is_readable($fullPath) && dirname($fullPath) === $rootDir) {
    // OK, the requested file exists and is in the allowed root directory.
    header('Content-Type: application/excel');
    // basename() returns just the file name.
    header('Content-Disposition: attachment; filename=' . basename($fullPath));
    readfile($fullPath);
}

Related questions

How to implement Content-Disposition: attachment?

I am trying to make it so that mp3's on my site are downloaded by left clicking instead of having to right click and save as, So in order to do that, I have to set the Content-Disposition: attachment. …

Read More
Content-disposition:inline header won't show images inline?

I'm trying to show an image inline on a page. It is being served by a codeigniter controller. class Asset extends MY_Controller { function index( $folder, $file ) { $asset = "assets/$folder/$file"; if ( !file_exists( $asset ) ) { show_404(); return; } switch ( $folder ) { case …

Read More
Header Location + Content Disposition

So I have a downloads page where you click a link, it opens /downloads/download/randomhash randomhash is found in the db, i increment a download counter, and then redirect to the actual file e.g. /uploads/2012/file.png. Everything …

Read More