Open pdf and mp3 attachment without save dialog

Mårten Berglund
Registered User
Posts: 17
Joined: Wed Feb 14, 2007 12:26 am

Open pdf and mp3 attachment without save dialog

Post by Mårten Berglund »

In phpbb2 with the attachment mod, pdf attachments and mp3 attachments worked just fine to download. I.e. pdf attachments opened inside the browser window as pdf attachments normally do. Mp3 attachments opened in quicktime (for me in my Firefox browser) as a grey horizontal quicktime bar inside the browser window, starting to play the file while the file was at the same time downloading; in IE6 the mp3 file opened in the Media toolbar to the left in the browser window, also playing while downloading.

In phpbb3, the download method seems to have changed. When clicking on a pdf or mp3 attachment it doesn't open immediately. Instead a save dialog window appears, and you have to save the file on your computer before it can be viewed or played. It's not possible to view the pdf file inside the browser window, neither to play the file as it is being downloaded. This applies to IE6 and Firefox 2.0. This is a major drawback to the phpbb3 attachment function, compared to the attachment mod with phpbb2.

It seems not to be possible to change this in the attachment settings in the administrator panel. I tried to set the mp3 streams to quicktime, but it didn't work well. First, the thread I tried, which had 10 mp3 file attachments of around 5 MB each, was downloading all the attachments belonging to the thread, making the thread very slow to load. Second, when clicking on the quicktime links, Firefox crashed. I also tried the windows media file setting, with similar result (no crashing though).

Someone who knows how to change the download method, so that pdf attachments can be viewed inside the browser window, which is the normal expected behaviour, and so that mp3 attachments can be played with quicktime inside the browser window as the file is being downloaded?

Would appreciate any help.
christhatsme
Registered User
Posts: 1811
Joined: Sun Jan 16, 2005 10:42 am
Location: London, UK

Re: Open pdf and mp3 attachment without save dialog

Post by christhatsme »

It's because the headers are sent as "file". For it to be sent as a pdf and opened in the window, you would have to put a condition around that and check if the file type is pdf, then send the correct headers instead.
All MOD downloads should be back now - Sorry for that and serious lack of support! - If anyone wants to take over or help with any of my MODs the offer would be apreciated as I have little time for phpBB Modding recently!

Again very sorry for not supporting these MODs recently.
ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith
Contact:

Re: Open pdf and mp3 attachment without save dialog

Post by ToonArmy »

And so you know it was done for security reasons.
Chris Smith (GitHub)
Mårten Berglund
Registered User
Posts: 17
Joined: Wed Feb 14, 2007 12:26 am

Re: Open pdf and mp3 attachment without save dialog

Post by Mårten Berglund »

Thanks folks, I figured that out myself as well (the header thing), and made a fix in download.php, look below. It's a pity though that it's not optional for the forum admin to set whether pdf's and mp3's and similar pretty safe files should open directly in the browser window. It should be the responsibility of the administrator to choose what level of security vs. user-friendliness is best. I suggest that to be an option for the next version of phpBB3.

Here comes the fix:


#
#--[ FIND (in download.php, in function send_file_to_browser) ]--
#
	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
	header('Content-Type: ' . $attachment['mimetype']);
 
	if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
	{
		header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
		if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
		{
			header('expires: -1');
		}
	}
	else
	{
		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}

#
#-----[ REPLACE WITH ]------------------------------------------
#
	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
	if (substr($attachment['real_filename'], -4) == ".mp3")
	{
		header('Content-Type: audio/mpeg');
	}
	else
	if (substr($attachment['real_filename'], -4) == ".pdf")
	{
		header('Content-Type: application/pdf');
	}
	else
	{
		header('Content-Type: ' . $attachment['mimetype']);
	}
 
	if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
	{
		//header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
		if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
		{
			header('expires: -1');
		}
	}
	else
	{
		//header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}
christhatsme
Registered User
Posts: 1811
Joined: Sun Jan 16, 2005 10:42 am
Location: London, UK

Re: Open pdf and mp3 attachment without save dialog

Post by christhatsme »

It was written like that for a reason, I'm not sure if it's entirely wise changing that...
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: Open pdf and mp3 attachment without save dialog

Post by Kellanved »

Mårten Berglund wrote: Here comes the fix:
Congratulations. You have just introduced a persistent XSS vulnerability into your board.
Nocando is in Idontwanna county. No support via PM
Mårten Berglund
Registered User
Posts: 17
Joined: Wed Feb 14, 2007 12:26 am

Re: Open pdf and mp3 attachment without save dialog

Post by Mårten Berglund »

christhatsme wrote: It was written like that for a reason, I'm not sure if it's entirely wise changing that...
I may not have done the fix in the best manner. Please tell me how to do it better, keeping security and still keeping the feature that pdf's and mp3's will open in the browser window.
Kellanved wrote:
Mårten Berglund wrote: Here comes the fix:
Congratulations. You have just introduced a persistent XSS vulnerability into your board.
Please tell me how to do it better if it's possible.

NB! My forum is an internal one, behind a .htaccess password, just accessible for a small group of people, so my forum's vulnerability is therefore not a big issue anymore, is it? It can't be that unusual that forums are internal. Therefore, phpBB3 should have a radio button option that by default disables this feature, but, with care, could be enabled by the forumadmin. Don't you think?
christhatsme
Registered User
Posts: 1811
Joined: Sun Jan 16, 2005 10:42 am
Location: London, UK

Re: Open pdf and mp3 attachment without save dialog

Post by christhatsme »

There isn't a better way to do it or it would have been done..

If you trust those who do have access, it's your choice.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Open pdf and mp3 attachment without save dialog

Post by Techie-Micheal »

Mårten Berglund wrote:It can't be that unusual that forums are internal. Therefore, phpBB3 should have a radio button option that by default disables this feature, but, with care, could be enabled by the forumadmin. Don't you think?
The vast majority of boards are very much public, rather than private. If we were to go the majority route, the default would be the way they are right now. If we were to go the most secure route (don't let marketing talk fool you, you can never be 100% secure), it would be the way things are right now. If you feel the benefit outweighs the risk for you, feel free to go for it, but I don't think it wise for us to implement an on/off switch as people will probably get the "feature fever" and turn it on (as they do with HTML on phpBB2) without realizing its implications.

Instead, the concession is that if they wish, they can change the source code.
Proven Offensive Security Expertise. OSCP - GXPN
christhatsme
Registered User
Posts: 1811
Joined: Sun Jan 16, 2005 10:42 am
Location: London, UK

Re: Open pdf and mp3 attachment without save dialog

Post by christhatsme »

htaccess is not actually always as secure as you may think...

Just because your forum is guarded by it, doesn't mean the guardsman might not go wrong ;)

It's very unlikely, but you never know :lol:
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Open pdf and mp3 attachment without save dialog

Post by Techie-Micheal »

It has happened before. Granted, it was an odd set of events, but if memory serves me correctly, someone was stating that someone was getting access to their private board that was behind .htaccess. So we looked at brute forcing the password (a possibility), but it turned out the testing board was public while the live board was behind closed doors, and with permissions not set up correctly, that only spelled disaster, as they shared the same database. I may have some things wrong, but I think that's how it happened. The point is, what you may think is private very well may not be.
Mårten Berglund
Registered User
Posts: 17
Joined: Wed Feb 14, 2007 12:26 am

Re: Open pdf and mp3 attachment without save dialog

Post by Mårten Berglund »

Thanks for all replies, and I understand the security issue here, and maybe it's best to have this option I propose ready only for those who would like to make changes in the source code, as I have done. Some final thoughts/questions then:

1) But still - and maybe this is not the right place to ask this - where lies a vulnerability in allowing pdf's and mp3's to be viewed directly in the browser? I thought pdf's and mp3's didn't have any executable code in them, contrary to Word documents.

2) It seems to be a contradiction also that windows media files and quicktime files can be played directly, when applying the corresponding special category to mp3/wma files.

3) Talking about quicktime, do you know anything about my problem that Firefox crashed when I tried to use the quicktime mode for file downloading?
Mårten Berglund
Registered User
Posts: 17
Joined: Wed Feb 14, 2007 12:26 am

Re: Open pdf and mp3 attachment without save dialog

Post by Mårten Berglund »

One more thing. I've noticed with the new handling of downloads in phpBB3, when saving, the file name becomes just as expected. That's a very good thing. With my hack, every file gets the name download.php when saving, and that's of course a drawback.

My new wish is therefore (also due to your comments) the following: When downloading a dialog comes up, asking you whether to save the file (with the correct file name) or open the file directly in the browser window (not preserving the file name, at least it doesn't seem possible).

Do you know any way to write the code to make this possible?
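One defensive way to get what the two posts above ask for (pdf/mp3 opening in the browser, and the real file name surviving a "Save As" instead of becoming download.php) is to serve a file inline only when its stored bytes match the type its name claims, and to send the file name in both cases. This is an added example in PHP, not phpBB's download.php and not the hack posted earlier; the function name attachment_headers(), its parameters and the small allow-list of magic bytes are assumptions of this example.

```php
<?php
// Added example (not phpBB code): compute the response headers for one attachment.
// Headers are returned as an array instead of being sent so the logic can be
// tested; the caller would loop over them and call header() on each.
// $realFilename: the name given at upload; $storedPath: the file on disk.
function attachment_headers(string $realFilename, string $storedPath): array
{
    // Constructed allow-list: extension => [MIME type, accepted leading bytes].
    // Only these two types are ever served inline, everything else is a download.
    $inlineTypes = [
        'pdf' => ['application/pdf', ['%PDF-']],
        'mp3' => ['audio/mpeg',      ["ID3", "\xFF\xFB", "\xFF\xF3", "\xFF\xF2"]],
    ];

    $ext  = strtolower(pathinfo($realFilename, PATHINFO_EXTENSION));
    $head = (string) @file_get_contents($storedPath, false, null, 0, 8); // first 8 bytes

    $inline = false;
    $type   = 'application/octet-stream'; // never trust the uploader's declared type
    if (isset($inlineTypes[$ext])) {
        [$candidate, $magics] = $inlineTypes[$ext];
        foreach ($magics as $magic) {
            // The extension alone is not enough: the content must start like that type.
            if (strncmp($head, $magic, strlen($magic)) === 0) {
                $inline = true;
                $type   = $candidate;
                break;
            }
        }
    }

    // The file name is sent for inline and attachment alike, so "Save As" keeps it;
    // it is reduced to a safe character set so it cannot break the header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $realFilename);

    return [
        'Content-Type: ' . $type,
        'X-Content-Type-Options: nosniff', // stop the browser re-guessing the type
        'Content-Disposition: ' . ($inline ? 'inline' : 'attachment')
            . '; filename="' . $safeName . '"',
    ];
}
```

A file that passes this check is still rendered by the browser's PDF or media plugin inside the forum's origin, so this narrows the risk the thread warns about rather than removing it; serving attachments from a separate hostname is the usual further step.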
Xabi
Registered User
Posts: 460
Joined: Wed May 23, 2007 9:04 am

Re: Open pdf and mp3 attachment without save dialog

Post by Xabi »

I'm also interested in a possible (and secure) workaround for this...
christhatsme
Registered User
Posts: 1811
Joined: Sun Jan 16, 2005 10:42 am
Location: London, UK

Re: Open pdf and mp3 attachment without save dialog

Post by christhatsme »

There isn't one, otherwise it would be in place.