onBeforeDownload no longer works in HikaShop 2.5.0

  • Posts: 78
  • Thank you received: 4
  • Hikamarket Multivendor Hikashop Business
9 years 3 months ago #211140

-- HikaShop version -- : 2.5.0
-- Error-message (debug mode must be turned on) -- : File not found

Hi,

I used a trigger onBeforeDownload and set the filename.

The filename goes up one level, e.g.

$filename = '../audios/mp3/file1.mp3';

Since HikaShop 2.5.0 this no longer works.
It worked before. Now it looks like I cannot go one level up in the path.
I need to go one level up in the path hierarchy.

Please advise how to solve this. Why does it no longer work?

BR


  • Posts: 26158
  • Thank you received: 4028
  • MODERATOR
9 years 3 months ago #211141

Hi,

The security of the "sendFile" function has been increased.
The function now only accepts sending files which are in the upload folder or in the secure upload folder:

// Any ".." in the requested name is refused outright.
if(strpos($filename, '..') !== false)
	return false;
$clean_filename = JPath::clean($filename);
$secure_path = $this->getPath('file');
// The cleaned path must start with the site root or with the secure upload folder.
if((JPATH_ROOT != '') && strpos($clean_filename, JPath::clean(JPATH_ROOT)) !== 0 && strpos($clean_filename, JPath::clean($secure_path)) !== 0)
	return false;

So if, during the trigger "onBeforeDownloadFile", you want to send a file which is not in that path, the best option is to send the file directly:
clearstatcache();
$size = filesize($filename);
$fileinfo = pathinfo($filename);

// Open the file before any header is sent, so a missing file can still be reported.
$fp = fopen($filename, 'rb');
if($fp === false)
	return false;

// Drop anything already buffered so only the file bytes reach the client.
ob_end_clean();
ob_start();

// Old Internet Explorer mangles names containing several dots; encode all but the last one.
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$name = (strstr($ua, 'MSIE')) ?
			preg_replace('/\./', '%2e', $fileinfo['basename'], substr_count($fileinfo['basename'], '.') - 1) :
			$fileinfo['basename'];

header("Expires: 0");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . $size);
header("Cache-Control: max-age=1");
header("Pragma: public");
header("Content-Transfer-Encoding: binary");

// HikaShop option: turn off output buffering and compression for large downloads.
$config = hikashop_config();
if($config->get('deactivate_buffering_and_compression', 0)) {
	ini_set('output_buffering', 0);
	ini_set('zlib.output_compression', 0);
	while(ob_get_level())
		@ob_end_clean();
}

if(!ini_get('safe_mode'))
	set_time_limit(0);

// Stream the file in 8 KB chunks, flushing after each one.
while(!feof($fp)) {
	print(fread($fp, 8192));
	@ob_flush();
	flush();
}

fclose($fp);
// $file is the file object that was handed to the onBeforeDownloadFile trigger.
$dispatcher = JDispatcher::getInstance();
$dispatcher->trigger('onAfterDownloadFile', array( &$filename, &$file));
exit;

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when I have some time or can't sleep.
By the way, do not send me private messages, use the "contact us" form instead.
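As an added example (not part of this post and not HikaShop code), the same containment rule written as an allow-list of base directories: the sibling folder from the question is served by listing it, not by putting ".." in the filename. The directory layout and file names are constructed for the demonstration.

```php
<?php
// Added example, not HikaShop code: an allow-list version of the containment
// check quoted above. Each directory downloads may be served from is listed
// explicitly, so a file in a sibling folder such as audios/mp3 is reachable
// without any ".." in the requested name.

function resolveDownload(string $requested, array $allowedBases): ?string {
    // Refuse traversal tokens and NUL bytes up front, as sendFile does.
    if (strpos($requested, '..') !== false || strpos($requested, "\0") !== false) {
        return null;
    }
    foreach ($allowedBases as $base) {
        $realBase = realpath($base);
        if ($realBase === false) {
            continue;
        }
        $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $requested);
        if ($candidate === false || !is_file($candidate)) {
            continue;
        }
        // Compare with the separator appended: "/srv/uploads_old/x" must not
        // count as being inside "/srv/uploads".
        if (strpos($candidate, $realBase . DIRECTORY_SEPARATOR) === 0) {
            return $candidate;
        }
    }
    return null;
}

// Constructed layout under the temp dir: a secure upload folder plus the
// sibling audios/mp3 folder from the question, and one file outside both.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hk_' . bin2hex(random_bytes(4));
mkdir("$root/safefiles", 0700, true);
mkdir("$root/audios/mp3", 0700, true);
file_put_contents("$root/safefiles/manual.pdf", 'pdf');
file_put_contents("$root/audios/mp3/file1.mp3", 'mp3');
file_put_contents("$root/secret.txt", 'not for download');

$bases = ["$root/safefiles", "$root/audios/mp3"];
foreach (['manual.pdf', 'file1.mp3', '../audios/mp3/file1.mp3', '../secret.txt'] as $req) {
    $resolved = resolveDownload($req, $bases);
    printf("%-26s => %s\n", $req, $resolved === null ? 'refused' : 'serve ' . basename($resolved));
}
```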

