Open pdf and mp3 attachment without save dialog

Mårten Berglund · Post by **Mårten Berglund** » Mon Jun 11, 2007 9:14 pm

In phpbb2 with the attachment mod, pdf attachments and mp3 attachments worked just fine to download. I.e. pdf attachements opened inside the browser window as pdf attachments normally do. Mp3 attachments opened in quicktime (for me in my Firefox browser) as a grey horizontal quicktime bar inside the browser window, starting to play the file while the file was at the same time downloading; in IE6 the mp3 file opened in the Media toolbar to the left in the browser window, also playing while downloading.

In phpbb3, the download method seems to have changed. When clicking on a pdf or mp3 attachment it doesn't open immediately. Instead a save dialog window appears, and you have to save the file on your computer before it can be viewed or played. It's not possible to view the pdf file inside the browser window, neither to play the file as it is being downloaded. This applies to IE6 and Firefox 2.0. This is a major drawback to the phpbb3 attachment function, compared to the attachment mod with phpbb2.

It seems not to be possible to change this in the attachment settings in the administrator panel. I tried to set the mp3 streams to quicktime, but it didn't work well. First, the thread I tried, which had 10 mp3 file attachments of around 5 MB each, was downloading all the attachments belonging to the thread, making the thread very slow to load. Second, when clicking on the quicktime links, Firefox crashed. I also tried the windows media file setting, with similar result (no crashing though).

Someone who knows how to change the download method, so that pdf attachments can be viewed inside the browser window, which is the normal expected behaviour, and so that mp3 attachments can be played with quicktime inside the browser window as the file is being downloaded?

Would appreciate any help.

christhatsme · Post by **christhatsme** » Tue Jun 12, 2007 7:32 am

its because the headers are sent as file, for it to be sent as a pdf and opened in the window, you would have to put a condition a round that, and check if the file type is pdf, send the correct headers instead.

ToonArmy · Post by **ToonArmy** » Tue Jun 12, 2007 8:42 am

And so you know it was done for security reasons.

Mårten Berglund · Post by **Mårten Berglund** » Tue Jun 12, 2007 7:20 pm

Thank's folks, I figured that out myself as well (the header thing), and made a fix into download.php, look below. It's a pitty though that it's not optional for the forumadmin to set wheter pdf's and mp3's and similar pretty safe files should open directly in the browser window. It should be the responsibility of the administrator to choose what level of security vs. userfriendliness is best. I suggest that to be an option for the next version of phpBB3.

Here comes the fix:

Code: Select all

#
#--[ FIND (in download.php, in function send_file_to_browser) ]--
#
	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
	header('Content-Type: ' . $attachment['mimetype']);
 
	if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
	{
		header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
		if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
		{
			header('expires: -1');
		}
	}
	else
	{
		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}

#
#-----[ REPLACE WITH ]------------------------------------------
#
	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
	if (substr($attachment['real_filename'], -4) == ".mp3")
	{
		header('Content-Type: audio/mpeg');
	}
	else
	if (substr($attachment['real_filename'], -4) == ".pdf")
	{
		header('Content-Type: application/pdf');
	}
	else
	{
		header('Content-Type: ' . $attachment['mimetype']);
	}
 
	if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
	{
		//header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
		if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
		{
			header('expires: -1');
		}
	}
	else
	{
		//header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}

christhatsme · Post by **christhatsme** » Wed Jun 13, 2007 7:11 am

it was written like that for a reason, I'm not sure if its entirely wise changing that...

Kellanved · Post by **Kellanved** » Wed Jun 13, 2007 7:56 am

Mårten Berglund wrote: Here comes the fix:

Congratulations. You have just introduced an persistent XSS vulnerability into your board.

Mårten Berglund · Post by **Mårten Berglund** » Wed Jun 13, 2007 2:20 pm

christhatsme wrote:it was written like that for a reason, I'm not sure if its entirely wise changing that...

I may not have done the fix in the best manner. Please tell me how to do it better, keeping security and still keeping the feature that pdf's and mp3's will open in the browser window.

Kellanved wrote:
Mårten Berglund wrote: Here comes the fix:
Congratulations. You have just introduced an persistent XSS vulnerability into your board.

Please tell me how to do it better if it's possible.

NB! My forum is an internal one, behind a .htaccess password, just accessible for a small group of people, so my forum's vulnerability is therefore not a big issue anymore, is it? It can't be that unusual that forums are internal. Therefore, phpBB3 should have a radio button option that by default disables this feature, but, with care, could be enabled by the forumadmin. Don't you think?

christhatsme · Post by **christhatsme** » Wed Jun 13, 2007 4:44 pm

There isn't a better way to do it or it would have been done..

If you trust those who do have access, its your choice.

Techie-Micheal · Post by **Techie-Micheal** » Wed Jun 13, 2007 5:45 pm

Mårten Berglund wrote:It can't be that unusual that forums are internal. Therefore, phpBB3 should have a radio button option that by default disables this feature, but, with care, could be enabled by the forumadmin. Don't you think?

The vast majority of boards are very much public, rather than private. If we were to go the majority route, the default would be the way they are right now. If we were to go the most secure route (don't let marketing talk fool you, you can never be 100% secure), it would be the way things are right now. If you feel the benefit outweighs the risk for you, feel free to go for it, but I don't think it wise for us to implement an on/off switch as people will probably get the "feature fever" and turn it on (as they do with HTML on phpBB2) without realizing its implications.

Instead, the concession is that if they wish, they can change the source code.

christhatsme · Post by **christhatsme** » Wed Jun 13, 2007 6:34 pm

htaccess is not actually always as secure as you may think...

Just because your forum is guarded by it, doesn't mean the guardsman might go wrong

Its very unlikely, but you never know

Techie-Micheal · Post by **Techie-Micheal** » Wed Jun 13, 2007 7:30 pm

It has happened before. Granted, it was an odd set of events, but if memory serves me correctly, someone was stating that someone was getting access to their private board that was behind .htaccess. So we looked at brute forcing the password (a possibility) but it turned out the testing board was public while the live board was behind closed doors, and with permissions not setup correctly, that only spelled disaster, as they shared the same database. I may have some things wrong, but I think that's how it happened. The point is, what you may think is private very well may not be.

Mårten Berglund · Post by **Mårten Berglund** » Fri Jun 15, 2007 8:31 pm

Thanks for all replies, and I understand the security issue here, and maybe it's best to have this option I propose ready only for those who would like to make changes in the source code, as I have done. Some final thoughts/questions then:

1) But still - and maybe this is not the right place to ask this - where lies a vulnerability in allowing pdf's and mp3's to be viewed directly in the browser? I thought pdf's and mp3's didn't have any executable code in it, contrary to Word documents.

2) It seems to be a contradiction also that windows media files and quicktime files can be played directly, when applying the corresponding special category to mp3/wma files.

3) Talking about quicktime, do you know anything about my problem that Firefox crashed when I tried to use the quicktime mode for file downloading?

Mårten Berglund · Post by **Mårten Berglund** » Fri Jun 15, 2007 8:33 pm

One more thing. I've noticed with the new handling of downloads in phpBB3, when saving, the file name becomes just as expected. That's a very good thing. With my hack, every file gets the name download.php when saving, and that's of course a drawback.

My new wish is therefore (also due to your comments) the following: When downloading a dialog comes up, asking you whether to save the file (with the correct file name) or open the file directly in the browser window (not preserving the file name, at least it doesn't seem possible).

Do you know any way to write the code to make this possible?

Xabi · Post by **Xabi** » Sat Jun 23, 2007 3:50 pm

I'm also interested in a possible (and secure) workaround for this...

christhatsme · Post by **christhatsme** » Sat Jun 23, 2007 8:45 pm

There isn't one other wise it would be in place.

advertisements