Posted by deko on 08/28/06 22:34
I think this is as good as it gets...
<?php
/*
An Internal Server Error will be received if 'fileinfo' is passed manually
to this script (user types the URL with variables). But this protection is
only available if the script resides in /cgi-bin. If this script must reside
outside of /cgi-bin, try password protecting the directory with htaccess.
*/
// The request parameter is expected as "directory.name.extension".
$info = isset($_GET['info']) ? trim($_GET['info']) : '';
$info_array = explode(".", $info);
if (count($info_array) < 3) {
    header("HTTP/1.0 400 Bad Request");
    exit;
}
$directory = $info_array[0]."/";
$filename = $info_array[1].".".$info_array[2];
$extension = $info_array[2];
// Files are served from a directory outside the web root.
$filedownload = "/home/username/nonpublic/".$directory.$filename;
if (!is_file($filedownload)) {
    header("HTTP/1.0 404 Not Found");
    exit;
}
header("Content-Disposition: attachment; filename=".$filename);
header('Content-type: application/'.$extension);
header("Content-Length: ".filesize($filedownload));
readfile($filedownload);
?>
Regardless of where this script resides, I assume the URL (and variables) can
easily be sniffed on the wire when the request is made.
Can username/password also be sniffed from user entries in the dialog generated
by htaccess? If so, the only way to ensure any security over who downloads what
is to have this script in /cgi-bin.
Is this correct?
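As an added illustration of the sniffing question raised in the post above (this is example code written for this page, not part of deko's post or script), the following Python parses a constructed plain-HTTP request capture, as a passive on-path observer would see it, and recovers both the script's query variables and the htaccess login. The hostname, the path /download.php, the file name and the username/password in the sample are made up for the example. It demonstrates that HTTP Basic authentication (what an htaccess password prompt uses) only base64-encodes the credentials, so on unencrypted HTTP they are readable along with the URL; moving the script into /cgi-bin changes nothing on the wire, whereas serving the page over HTTPS would hide both.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed sample: what a sniffer sees for one plain-HTTP request to the
# download script, including the browser's htaccess (Basic auth) header.
# Hostname, path, file name, username and password are made up for this example.
CAPTURED_REQUEST = (
    b"GET /download.php?info=reports.q3.pdf HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic ZGVrbzpzM2NyM3Q=\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, request target and a header dict."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def sniff_download_request(raw):
    """Return what an observer learns: the script's variables and the login used."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    result = {
        "method": method,
        "path": parts.path,
        "info": params.get("info", [None])[0],
        "username": None,
        "password": None,
    }
    auth = headers.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() == "basic" and token:
        # Basic auth is base64, not encryption: it decodes straight to user:pass.
        creds = base64.b64decode(token).decode("utf-8", "replace")
        user, _, password = creds.partition(":")
        result["username"], result["password"] = user, password
    return result


if __name__ == "__main__":
    for key, value in sniff_download_request(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

Run it as-is to see the file name and the credentials printed back from the capture; the same parsing applied to a request without an Authorization header yields no login, which is all that differs when the directory is not password protected.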