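<?php
// Secure download for WebsiteBaker
// original by VotreEspace see thread : https://forum.WebsiteBaker.org/index.php/topic,16282.msg106944.html#msg106944
// adapted and improved by PCWacht (march-2010)
//
// Use as : WB-securedownload.php?file=thisdocument.doc
// ('file' is the path below WB_PATH/media, which is what the RewriteRule passes
// on; a value of '/media/thisdocument.doc' would be looked up at
// WB_PATH/media//media/thisdocument.doc because the script prepends the media
// directory itself)
//
// Behaviour:
//   - logged-in users get any file from WB_PATH/media except the denylisted
//     extensions ('oups' is echoed for a missing or rejected file);
//   - anonymous visitors only get images, everything else is a 403 page;
//   - without ?file= the browser is sent back to './'.
//
// Why the checks look the way they do:
//   - the path is confined to the media directory with realpath(). A single
//     str_replace('../', '', ...) is not enough: it runs once, so '....//'
//     collapses back into '../' after the replacement, and '..\' is never
//     touched at all;
//   - extensions are compared lowercased, so 'x.PHP' is treated like 'x.php';
//   - the requested name is HTML-escaped before it is echoed into the 403 page
//     (it used to be reflected verbatim);
//   - the Content-Disposition filename is reduced to its basename and stripped
//     of quotes and control characters so it cannot break the header value;
//   - the apostrophe in "don't" is escaped: unescaped it terminates the
//     single-quoted string passed to die().

/**
 * Sends $path to the browser as an attachment.
 *
 * @param string $path           canonical path of a regular file inside WB_PATH/media
 * @param string $requested_name the 'file' parameter as requested; its last path
 *                               segment becomes the download name
 */
function wb_securedownload_send($path, $requested_name)
{
    // basename() of the request (not of the resolved path) keeps the name the
    // visitor asked for, as the original did with end(explode('/', ...)).
    $name = basename(str_replace('\\', '/', $requested_name));
    // Quotes and control characters would end or corrupt the header value.
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $name);
    if ($name === null || $name === '') {
        $name = basename($path);
    }
    header('Content-Type: ' . mime_content_type($path));
    header('Content-Length: ' . filesize($path));
    header('Content-Transfer-Encoding: binary');
    header('Cache-Control: private');
    // Keep browsers from guessing a different type than the one declared.
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    // readfile() streams the file instead of loading all of it into memory.
    readfile($path);
}

if (!isset($_GET['file'])) {
    header('Location: ./');
    exit;
}

require("config.php");

// code the url
// ($_GET is already URL-decoded by PHP; the second decode is kept for
// compatibility with the original script. It is harmless for the path check
// because the resolved path is verified below, not the raw parameter.)
$DEC = urldecode($_GET['file']);

// set unallowed file, so nobody want to read /config.php or something
// (the denylist is only a second line of defence; the realpath() check below
// is what keeps the request inside the media directory)
$unallowed_to_read = array('php', 'html', 'htm', 'htaccess');
// Check for images, they should be shown
$allowed_to_read = array('jpg', 'gif', 'png');

// Resolve the request to a canonical path and make sure it is a regular file
// inside WB_PATH/media. realpath() returns false for a missing file, so a
// missing file and an escape attempt end up in the same state ($fichier false).
$fichier = false;
$media_dir = realpath(WB_PATH . '/media');
if ($media_dir !== false && strpos($DEC, "\0") === false) {
    $resolved = realpath(WB_PATH . '/media/' . $DEC);
    if ($resolved !== false) {
        $media_dir = str_replace('\\', '/', $media_dir);
        $resolved = str_replace('\\', '/', $resolved);
        // Prefix plus separator, so a sibling such as 'media_private' does not match.
        if (strpos($resolved, $media_dir . '/') === 0 && is_file($resolved)) {
            $fichier = $resolved;
        }
    }
}

// Lowercased extension of the resolved file ('' when there is none).
$extension = ($fichier !== false) ? strtolower(pathinfo($fichier, PATHINFO_EXTENSION)) : '';

if (isset($_SESSION['USER_ID']) && SESSION_STARTED) {
    if ($fichier !== false && !in_array($extension, $unallowed_to_read, true)) {
        wb_securedownload_send($fichier, $DEC);
    } else {
        // in case of absent file or attempt at hacking
        echo 'oups';
    }
} elseif ($fichier !== false && in_array($extension, $allowed_to_read, true)) {
    wb_securedownload_send($fichier, $DEC);
} else {
    // not logged in and no picture? forbidden!
    header('HTTP/1.0 403 forbidden', TRUE, 403);
    die('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>FORBIDDEN</h1> '
        . '<p>Without being logged in you don\'t have permission to fetch <b>'
        . htmlspecialchars($DEC, ENT_QUOTES, 'UTF-8')
        . '</b> from this server server.</p> <p><a href="/account/login.php">Click for login.</a></p> </body></html> ');
}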
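# Send every request below /media through WB-securedownload.php, which does the
# login check. The pattern matches the whole path below media/: the original
# ^media/(.*)\.(.*)$ only matched names containing a dot, so a file without an
# extension was served directly by Apache and never reached the script. For
# dotted names $1 is identical to the original's $1.$2.
RewriteEngine on
RewriteRule ^media/(.*)$ /WB-securedownload.php?file=$1 [R,L]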
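# FollowSymlinks is required for mod_rewrite to work in a .htaccess file.
Options +FollowSymlinks
RewriteEngine on
# Send every request below /media through WB-securedownload.php, which does the
# login check. The original ^media/(.*)\.(.*)$ only matched names containing a
# dot, so a file without an extension was served directly by Apache and never
# reached the script. For dotted names $1 is identical to the original's $1.$2.
RewriteRule ^media/(.*)$ /WB-securedownload.php?file=$1 [R,L]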
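# FollowSymlinks is required for mod_rewrite to work in a .htaccess file.
Options +FollowSymlinks
RewriteEngine on
# Protect only media/unterordner. The download script (as posted in this
# thread) resolves 'file' below WB_PATH/media, so the subfolder has to stay in
# the parameter: with just $1.$2 the script looked for media/<name> instead of
# media/unterordner/<name>. The pattern also no longer requires a dot, so files
# without an extension are routed through the script as well.
RewriteRule ^media/unterordner/(.*)$ /WB-securedownload.php?file=unterordner/$1 [R,L]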
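# FollowSymlinks is required for mod_rewrite to work in a .htaccess file.
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
# Send every request below /media through WB-securedownload.php, which does the
# login check. The original ^media/(.*)\.(.*)$ only matched names containing a
# dot, so a file without an extension was served directly by Apache and never
# reached the script. For dotted names $1 is identical to the original's $1.$2.
RewriteRule ^media/(.*)$ /WB-securedownload.php?file=$1 [R,L]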
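<?php
// Secure download for WebsiteBaker
// original by VotreEspace see thread : https://forum.WebsiteBaker.org/index.php/topic,16282.msg106944.html#msg106944
// adapted and improved by PCWacht (march-2010)
//
// Use as : WB-securedownload.php?file=thisdocument.doc
// ('file' is the path below WB_PATH/media, which is what the RewriteRule passes
// on; a value of '/media/thisdocument.doc' would be looked up at
// WB_PATH/media//media/thisdocument.doc because the script prepends the media
// directory itself)
//
// Behaviour of this variant:
//   - logged-in users get any file from WB_PATH/media except the denylisted
//     extensions ('oups' is echoed for a missing or rejected file);
//   - anonymous visitors always get the 403 page (the image exception of the
//     earlier version has been removed, not just commented out);
//   - without ?file= the browser is sent back to './'.
//
// Why the checks look the way they do:
//   - the path is confined to the media directory with realpath(). A single
//     str_replace('../', '', ...) is not enough: it runs once, so '....//'
//     collapses back into '../' after the replacement, and '..\' is never
//     touched at all;
//   - extensions are compared lowercased, so 'x.PHP' is treated like 'x.php';
//   - the requested name is HTML-escaped before it is echoed into the 403 page
//     (it used to be reflected verbatim);
//   - the Content-Disposition filename is reduced to its basename and stripped
//     of quotes and control characters so it cannot break the header value.

/**
 * Sends $path to the browser as an attachment.
 *
 * @param string $path           canonical path of a regular file inside WB_PATH/media
 * @param string $requested_name the 'file' parameter as requested; its last path
 *                               segment becomes the download name
 */
function wb_securedownload_send($path, $requested_name)
{
    // basename() of the request (not of the resolved path) keeps the name the
    // visitor asked for, as the original did with end(explode('/', ...)).
    $name = basename(str_replace('\\', '/', $requested_name));
    // Quotes and control characters would end or corrupt the header value.
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $name);
    if ($name === null || $name === '') {
        $name = basename($path);
    }
    header('Content-Type: ' . mime_content_type($path));
    header('Content-Length: ' . filesize($path));
    header('Content-Transfer-Encoding: binary');
    header('Cache-Control: private');
    // Keep browsers from guessing a different type than the one declared.
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    // readfile() streams the file instead of loading all of it into memory.
    readfile($path);
}

if (!isset($_GET['file'])) {
    header('Location: ./');
    exit;
}

require("config.php");

// code the url
// ($_GET is already URL-decoded by PHP; the second decode is kept for
// compatibility with the original script. It is harmless for the path check
// because the resolved path is verified below, not the raw parameter.)
$DEC = urldecode($_GET['file']);

// set unallowed file, so nobody want to read /config.php or something
// (the denylist is only a second line of defence; the realpath() check below
// is what keeps the request inside the media directory)
$unallowed_to_read = array('php', 'html', 'htm', 'htaccess');

// Resolve the request to a canonical path and make sure it is a regular file
// inside WB_PATH/media. realpath() returns false for a missing file, so a
// missing file and an escape attempt end up in the same state ($fichier false).
$fichier = false;
$media_dir = realpath(WB_PATH . '/media');
if ($media_dir !== false && strpos($DEC, "\0") === false) {
    $resolved = realpath(WB_PATH . '/media/' . $DEC);
    if ($resolved !== false) {
        $media_dir = str_replace('\\', '/', $media_dir);
        $resolved = str_replace('\\', '/', $resolved);
        // Prefix plus separator, so a sibling such as 'media_private' does not match.
        if (strpos($resolved, $media_dir . '/') === 0 && is_file($resolved)) {
            $fichier = $resolved;
        }
    }
}

// Lowercased extension of the resolved file ('' when there is none).
$extension = ($fichier !== false) ? strtolower(pathinfo($fichier, PATHINFO_EXTENSION)) : '';

if (isset($_SESSION['USER_ID']) && SESSION_STARTED) {
    if ($fichier !== false && !in_array($extension, $unallowed_to_read, true)) {
        wb_securedownload_send($fichier, $DEC);
    } else {
        // in case of absent file or attempt at hacking
        echo 'oups';
    }
} else {
    // not logged in? forbidden!
    header('HTTP/1.0 403 forbidden', TRUE, 403);
    die('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>FORBIDDEN</h1> '
        . '<p>Without being logged in you dont have permission to fetch <b>'
        . htmlspecialchars($DEC, ENT_QUOTES, 'UTF-8')
        . '</b> from this server server.</p> <p><a href="/vWB_Verzeichnis/account/login.php">Click for login.</a></p> </body></html> ');
}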
Was mich schon wundert ist, dass...
Will man "Dateien schützen", die nicht für die Öffentlichkeit bestimmt sind, greift man zu entsprechenden Systemen.
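<?php
// Secure download for WebsiteBaker
// original by VotreEspace see thread : https://forum.WebsiteBaker.org/index.php/topic,16282.msg106944.html#msg106944
// adapted and improved by PCWacht (march-2010)
//
// Use as : WB-securedownload.php?file=thisdocument.doc
// ('file' is the path below WB_PATH/media, which is what the RewriteRule passes
// on; a value of '/media/thisdocument.doc' would be looked up at
// WB_PATH/media//media/thisdocument.doc because the script prepends the media
// directory itself)
//
// Behaviour of this variant:
//   - logged-in users get any file from WB_PATH/media except the denylisted
//     extensions ('oups' is echoed for a missing or rejected file);
//   - anonymous visitors always get the 403 page (the image exception of the
//     earlier version has been removed, not just commented out);
//   - without ?file= the browser is sent back to './';
//   - hosts without mime_content_type() get a small replacement that maps the
//     extension, then asks finfo, then falls back to application/octet-stream.
//
// Why the checks look the way they do:
//   - the path is confined to the media directory with realpath(). A single
//     str_replace('../', '', ...) is not enough: it runs once, so '....//'
//     collapses back into '../' after the replacement, and '..\' is never
//     touched at all;
//   - extensions are compared lowercased, so 'x.PHP' is treated like 'x.php';
//   - the requested name is HTML-escaped before it is echoed into the 403 page
//     (it used to be reflected verbatim);
//   - the Content-Disposition filename is reduced to its basename and stripped
//     of quotes and control characters so it cannot break the header value.

/**
 * Sends $path to the browser as an attachment.
 *
 * @param string $path           canonical path of a regular file inside WB_PATH/media
 * @param string $requested_name the 'file' parameter as requested; its last path
 *                               segment becomes the download name
 */
function wb_securedownload_send($path, $requested_name)
{
    // basename() of the request (not of the resolved path) keeps the name the
    // visitor asked for, as the original did with end(explode('/', ...)).
    $name = basename(str_replace('\\', '/', $requested_name));
    // Quotes and control characters would end or corrupt the header value.
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $name);
    if ($name === null || $name === '') {
        $name = basename($path);
    }
    header('Content-Type: ' . mime_content_type($path));
    header('Content-Length: ' . filesize($path));
    header('Content-Transfer-Encoding: binary');
    header('Cache-Control: private');
    // Keep browsers from guessing a different type than the one declared.
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    // readfile() streams the file instead of loading all of it into memory.
    readfile($path);
}

if (!isset($_GET['file'])) {
    header('Location: ./');
    exit;
}

require("config.php");

if (!function_exists('mime_content_type')) {
    /**
     * Replacement for mime_content_type() on hosts that lack it.
     *
     * Looks the lowercased extension up in a fixed table first, then asks
     * finfo (when available), and finally returns application/octet-stream.
     *
     * @param string $filename path of the file to classify
     * @return string a MIME type; with FILEINFO_MIME the finfo result may carry
     *                a '; charset=...' parameter, which is valid in Content-Type
     */
    function mime_content_type($filename)
    {
        $mime_types = array(
            'txt'  => 'text/plain',
            'htm'  => 'text/html',
            'html' => 'text/html',
            'php'  => 'text/html',
            'css'  => 'text/css',
            'js'   => 'application/javascript',
            'json' => 'application/json',
            'xml'  => 'application/xml',
            'swf'  => 'application/x-shockwave-flash',
            'flv'  => 'video/x-flv',
            // images
            'png'  => 'image/png',
            'jpe'  => 'image/jpeg',
            'jpeg' => 'image/jpeg',
            'jpg'  => 'image/jpeg',
            'gif'  => 'image/gif',
            'bmp'  => 'image/bmp',
            'ico'  => 'image/vnd.microsoft.icon',
            'tiff' => 'image/tiff',
            'tif'  => 'image/tiff',
            'svg'  => 'image/svg+xml',
            'svgz' => 'image/svg+xml',
            // archives
            'zip'  => 'application/zip',
            'rar'  => 'application/x-rar-compressed',
            'exe'  => 'application/x-msdownload',
            'msi'  => 'application/x-msdownload',
            'cab'  => 'application/vnd.ms-cab-compressed',
            // audio/video
            'mp3'  => 'audio/mpeg',
            'qt'   => 'video/quicktime',
            'mov'  => 'video/quicktime',
            // adobe
            'pdf'  => 'application/pdf',
            'psd'  => 'image/vnd.adobe.photoshop',
            'ai'   => 'application/postscript',
            'eps'  => 'application/postscript',
            'ps'   => 'application/postscript',
            // ms office
            'doc'  => 'application/msword',
            'rtf'  => 'application/rtf',
            'xls'  => 'application/vnd.ms-excel',
            'ppt'  => 'application/vnd.ms-powerpoint',
            // open office
            'odt'  => 'application/vnd.oasis.opendocument.text',
            'ods'  => 'application/vnd.oasis.opendocument.spreadsheet',
        );
        // pathinfo() instead of array_pop(explode(...)): the latter passes a
        // temporary by reference, which PHP reports as a strict-standards notice.
        $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
        if (array_key_exists($ext, $mime_types)) {
            return $mime_types[$ext];
        }
        if (function_exists('finfo_open')) {
            $finfo = finfo_open(FILEINFO_MIME);
            if ($finfo !== false) {
                $mimetype = finfo_file($finfo, $filename);
                finfo_close($finfo);
                // finfo_file() returns false on failure; never emit an empty Content-Type.
                if (is_string($mimetype) && $mimetype !== '') {
                    return $mimetype;
                }
            }
        }
        return 'application/octet-stream';
    }
}

// code the url
// ($_GET is already URL-decoded by PHP; the second decode is kept for
// compatibility with the original script. It is harmless for the path check
// because the resolved path is verified below, not the raw parameter.)
$DEC = urldecode($_GET['file']);

// set unallowed file, so nobody want to read /config.php or something
// (the denylist is only a second line of defence; the realpath() check below
// is what keeps the request inside the media directory)
$unallowed_to_read = array('php', 'html', 'htm', 'htaccess');

// Resolve the request to a canonical path and make sure it is a regular file
// inside WB_PATH/media. realpath() returns false for a missing file, so a
// missing file and an escape attempt end up in the same state ($fichier false).
$fichier = false;
$media_dir = realpath(WB_PATH . '/media');
if ($media_dir !== false && strpos($DEC, "\0") === false) {
    $resolved = realpath(WB_PATH . '/media/' . $DEC);
    if ($resolved !== false) {
        $media_dir = str_replace('\\', '/', $media_dir);
        $resolved = str_replace('\\', '/', $resolved);
        // Prefix plus separator, so a sibling such as 'media_private' does not match.
        if (strpos($resolved, $media_dir . '/') === 0 && is_file($resolved)) {
            $fichier = $resolved;
        }
    }
}

// Lowercased extension of the resolved file ('' when there is none).
$extension = ($fichier !== false) ? strtolower(pathinfo($fichier, PATHINFO_EXTENSION)) : '';

if (isset($_SESSION['USER_ID']) && SESSION_STARTED) {
    if ($fichier !== false && !in_array($extension, $unallowed_to_read, true)) {
        wb_securedownload_send($fichier, $DEC);
    } else {
        // in case of absent file or attempt at hacking
        echo 'oups';
    }
} else {
    // not logged in? forbidden!
    header('HTTP/1.0 403 forbidden', TRUE, 403);
    die('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>FORBIDDEN</h1> '
        . '<p>Without being logged in you dont have permission to fetch <b>'
        . htmlspecialchars($DEC, ENT_QUOTES, 'UTF-8')
        . '</b> from this server.</p> <p><a href="/pages/deu_top/haendler-login.php">Click for login.</a></p> </body></html> ');
}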
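<?php
// Resolve the requested file and confine it to WB_PATH/media.
// str_replace('../', '', ...) alone does not do this: it runs a single pass,
// so '....//' collapses back into '../' once the inner '../' is removed, and
// '..\' is never touched. realpath() canonicalises the path instead; $fichier
// ends up as the canonical path, or false when the file does not exist or
// resolves to somewhere outside the media directory (file_exists(false) is
// false, so the checks that follow behave as for a missing file).
$media_dir = realpath(WB_PATH . '/media');
$fichier = realpath(WB_PATH . '/media/' . urldecode($_GET['file']));
if ($media_dir === false || $fichier === false) {
    $fichier = false;
} else {
    // Normalise separators so the prefix test also works on Windows.
    $media_dir = str_replace('\\', '/', $media_dir);
    $fichier = str_replace('\\', '/', $fichier);
    // Prefix plus separator, so a sibling such as 'media_private' does not match.
    if (strpos($fichier, $media_dir . '/') !== 0) {
        $fichier = false;
    }
}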
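<?php
// Confine the requested file to WB_PATH/media with realpath().
// Both sides are canonicalised: if WB_PATH goes through a symlink, the
// resolved file path would never start with the unresolved WB_PATH.'/media'
// and every request would be rejected. The prefix carries a trailing
// separator so that a sibling directory such as 'media_private' does not pass
// the check.
$sMediaDir = realpath(WB_PATH . '/media');
$fichier = realpath(WB_PATH . '/media/' . urldecode($_GET['file']));
if ($sMediaDir !== false && $fichier !== false) {
    $sMediaDir = str_replace('\\', '/', $sMediaDir);
    $fichier = str_replace('\\', '/', $fichier);
    // stripos() as in the original (case-insensitive, for Windows paths);
    // on a case-sensitive filesystem a differently-cased sibling directory
    // would also match - TODO confirm whether strpos() is acceptable here.
    if (stripos($fichier, $sMediaDir . '/') !== 0) {
        // invalid path: the file resolves to somewhere outside the media directory
    }
} else {
    // invalid path: the file does not exist (or the media directory is missing)
}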