下载流媒体不返回真实文件。错误的内容类型或 mime?
Posted
技术标签:
【中文标题】下载流媒体不返回真实文件。错误的内容类型或 mime?【英文标题】:Download streamer isn't returning real files. Wrong Content-type or mime? 【发布时间】:2012-12-04 15:45:42 【问题描述】:一个 Python 应用程序说我通过 php 流媒体传输的 zip 文件不是 zip 文件。但是,winrar 可以毫无问题地打开它们。
这是它发送的标头:
Content-disposition: filename=example.zip
Content-type: application/zip; charset=binary
我需要更多/不同的标题吗?
下面是代码:
<?php
session_start();
if(!$_SESSION['directory'])
print "Sorry, only logged in users can view downloads";
exit;
;
?>
<?php
$hidden_file_directory = "download/".$_SESSION['directory']; //Name of the directory where all the sub directories and files exists
$file_path = $_GET['file']; //Get the file from URL variable
$real_file_path = realpath("$hidden_file_directory/$file_path"); //Set the file path w.r.t the download.php... It may be different for u
$filename = basename($real_file_path);
if(dirname($real_file_path) != getcwd() ."/". $hidden_file_directory)
die("File does not exist.");
if(file_exists($real_file_path))
$content_type = get_mime($real_file_path);
header("Content-disposition: filename=$filename"); //Tell the filename to the browser
header("Content-type: $content_type"); //Stream as a binary file! So it would force browser to download
readfile($real_file_path); //Read and stream the file
else
echo "File does not exist.";
function get_mime($filename)
$mime_types = array(
'txt' => 'text/plain',
'htm' => 'text/html',
'html' => 'text/html',
'php' => 'text/html',
'css' => 'text/css',
'js' => 'application/javascript',
'json' => 'application/json',
'xml' => 'application/xml',
'swf' => 'application/x-shockwave-flash',
'flv' => 'video/x-flv',
// images
'png' => 'image/png',
'jpe' => 'image/jpeg',
'jpeg' => 'image/jpeg',
'jpg' => 'image/jpeg',
'gif' => 'image/gif',
'bmp' => 'image/bmp',
'ico' => 'image/vnd.microsoft.icon',
'tiff' => 'image/tiff',
'tif' => 'image/tiff',
'svg' => 'image/svg+xml',
'svgz' => 'image/svg+xml',
// archives
'zip' => 'application/zip',
'rar' => 'application/x-rar-compressed',
'exe' => 'application/x-msdownload',
'msi' => 'application/x-msdownload',
'cab' => 'application/vnd.ms-cab-compressed',
// audio/video
'mp3' => 'audio/mpeg',
'qt' => 'video/quicktime',
'mov' => 'video/quicktime',
// adobe
'pdf' => 'application/pdf',
'psd' => 'image/vnd.adobe.photoshop',
'ai' => 'application/postscript',
'eps' => 'application/postscript',
'ps' => 'application/postscript',
// ms office
'doc' => 'application/msword',
'rtf' => 'application/rtf',
'xls' => 'application/vnd.ms-excel',
'ppt' => 'application/vnd.ms-powerpoint',
// open office
'odt' => 'application/vnd.oasis.opendocument.text',
'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
);
$ext = strtolower(array_pop(explode('.',$filename)));
if (array_key_exists($ext, $mime_types))
return $mime_types[$ext];
elseif (function_exists('finfo_open'))
$finfo = finfo_open(FILEINFO_MIME);
$mimetype = finfo_file($finfo, $filename);
finfo_close($finfo);
return $mimetype;
else
return 'application/octet-stream';
?>
编辑 - 我添加了:
if(dirname($real_file_path) != getcwd() ."/". $hidden_file_directory)
die("File does not exist.");
当那些指出不安全感的人时。希望这足够安全。
【问题讨论】:
请注意,您正在向远程文件窃取敞开大门……您允许用户直接通过 $_GET 指定文件名,并且没有人说不会尝试http://example.com/yourscript.php?file=../../../../../../etc/passwd
。
【参考方案1】:
我注意到有些浏览器需要将文件名用双引号括起来,或者他们不知道它是什么,也许 python 也是如此。尝试发送
header("Content-disposition: filename=\"$filename\"");
您还确定它实际上是application/zip
而不是application/x-zip-compressed
?
附带说明:您直接使用查询字符串中的文件名。如果我将文件名发送为file=..\..\..\..\..\..\systemdir\config.xml
会怎样?也许您应该添加一些检查。 basename() 像你使用下一步可能是个好主意。
【讨论】:
到目前为止,测试似乎支持您提到的引号,但有趣的是,我无法复制撤消更改时遇到的原始错误。以上是关于下载流媒体不返回真实文件。错误的内容类型或 mime?的主要内容,如果未能解决你的问题,请参考以下文章
如何使用Retrofit解决IllegalArgumentException“格式错误的内容类型:...”