Hi,
The security for the "sendFile" function has been increased.
The function only accept to send file which are in the upload folder or in the secure upload folder :
if(strpos($filename, '..') !== false)
return false;
$clean_filename = JPath::clean($filename);
$secure_path = $this->getPath('file');
if((JPATH_ROOT != '') && strpos($path, JPath::clean(JPATH_ROOT)) !== 0 && strpos($clean_filename, JPath::clean($secure_path)) !== 0)
return false;
So if, during the trigger "onBeforeDownloadFile", you want to send a file which is not in that path, the best is to send the file directly :
clearstatcache();
$size = filesize($filename);
$fileinfo = pathinfo($filename);
ob_end_clean();
ob_start();
$name = (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) ?
preg_replace('/\./', '%2e', $fileinfo['basename'], substr_count($fileinfo['basename'], '.') - 1) :
$fileinfo['basename'];
header("Expires: 0");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . $size);
header("Cache-Control: maxage=1");
header("Pragma: public");
header("Content-Transfer-Encoding: binary");
$config = hikashop_config();
if($config->get('deactivate_buffering_and_compression', 0)) {
ini_set('output_buffering', 0);
ini_set('zlib.output_compression', 0);
while(ob_get_level())
@ob_end_clean();
}
$fp = fopen($filename, 'rb');
fseek($fp, 0);
if(!ini_get('safe_mode'))
set_time_limit(0);
while(!feof($fp)) {
print(fread($fp, 8192));
@ob_flush();
flush();
}
fclose($fp);
$dispatcher = JDispatcher::getInstance();
$dispatcher->trigger('onAfterDownloadFile', array( &$filename, &$file));
exit;
Regards,
HIKASHOP ESSENTIAL 60€The basic version. With the main features for a little shop.
HIKAMARKETAdd-on Create a multivendor platform. Enable many vendors on your website.
HIKASERIALAdd-on Sale e-tickets, vouchers, gift certificates, serial numbers and more!
MARKETPLACEPlugins, modules and other kinds of integrations for HikaShop
