Php 下载拖缆isn';不要返回真实的文件。错误的内容类型或mime?
一个Python应用程序说我通过PHP拖缆传输的zip文件不是zip文件。然而,winrar打开它们时没有任何问题 这是它正在发送的标题:Php 下载拖缆isn';不要返回真实的文件。错误的内容类型或mime?,php,stream,content-type,mime,Php,Stream,Content Type,Mime,一个Python应用程序说我通过PHP拖缆传输的zip文件不是zip文件。然而,winrar打开它们时没有任何问题 这是它正在发送的标题: Content-disposition: filename=example.zip Content-type: application/zip; charset=binary 我需要更多/不同的标题吗 代码如下: <?php session_start(); if(!$_SESSION['directory']){ print "Sorry,
Content-disposition: filename=example.zip
Content-type: application/zip; charset=binary
<?php
session_start();
if(!$_SESSION['directory']){
print "Sorry, only logged in users can view downloads";
exit;
};
?>
<?php
$hidden_file_directory = "download/".$_SESSION['directory']; //Name of the directory where all the sub directories and files exists
$file_path = $_GET['file']; //Get the file from URL variable
$real_file_path = realpath("$hidden_file_directory/$file_path"); //Set the file path w.r.t the download.php... It may be different for u
$filename = basename($real_file_path);
if(dirname($real_file_path) != getcwd() ."/". $hidden_file_directory)
die("File does not exist.");
if(file_exists($real_file_path)) {
$content_type = get_mime($real_file_path);
header("Content-disposition: filename=$filename"); //Tell the filename to the browser
header("Content-type: $content_type"); //Stream as a binary file! So it would force browser to download
readfile($real_file_path); //Read and stream the file
}
else {
echo "File does not exist.";
}
function get_mime($filename) {
$mime_types = array(
'txt' => 'text/plain',
'htm' => 'text/html',
'html' => 'text/html',
'php' => 'text/html',
'css' => 'text/css',
'js' => 'application/javascript',
'json' => 'application/json',
'xml' => 'application/xml',
'swf' => 'application/x-shockwave-flash',
'flv' => 'video/x-flv',
// images
'png' => 'image/png',
'jpe' => 'image/jpeg',
'jpeg' => 'image/jpeg',
'jpg' => 'image/jpeg',
'gif' => 'image/gif',
'bmp' => 'image/bmp',
'ico' => 'image/vnd.microsoft.icon',
'tiff' => 'image/tiff',
'tif' => 'image/tiff',
'svg' => 'image/svg+xml',
'svgz' => 'image/svg+xml',
// archives
'zip' => 'application/zip',
'rar' => 'application/x-rar-compressed',
'exe' => 'application/x-msdownload',
'msi' => 'application/x-msdownload',
'cab' => 'application/vnd.ms-cab-compressed',
// audio/video
'mp3' => 'audio/mpeg',
'qt' => 'video/quicktime',
'mov' => 'video/quicktime',
// adobe
'pdf' => 'application/pdf',
'psd' => 'image/vnd.adobe.photoshop',
'ai' => 'application/postscript',
'eps' => 'application/postscript',
'ps' => 'application/postscript',
// ms office
'doc' => 'application/msword',
'rtf' => 'application/rtf',
'xls' => 'application/vnd.ms-excel',
'ppt' => 'application/vnd.ms-powerpoint',
// open office
'odt' => 'application/vnd.oasis.opendocument.text',
'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
);
$ext = strtolower(array_pop(explode('.',$filename)));
if (array_key_exists($ext, $mime_types)) {
return $mime_types[$ext];
}
elseif (function_exists('finfo_open')) {
$finfo = finfo_open(FILEINFO_MIME);
$mimetype = finfo_file($finfo, $filename);
finfo_close($finfo);
return $mimetype;
}
else {
return 'application/octet-stream';
}
}
?>
当那些人指出不安全的时候。希望这足够安全。我注意到一些浏览器需要双引号引用文件名,或者他们不知道它是什么,也许python也这样做。尝试发送
header("Content-disposition: filename=\"$filename\"");
application/zipapplication/x-zip-compressed另请注意:您使用的是直接来自查询字符串的文件名。如果我将文件名作为
file=..\..\..\..\..\..\..\systemdir\config.xmlhttp://example.com/yourscript.php?file=../../../../../../etc/passwd header("Content-disposition: filename=\"$filename\"");