Open pdf and mp3 attachment without save dialog

stephenhart
Registered User
Posts: 10
Joined: Sat Mar 22, 2008 6:09 pm

Re: Open pdf and mp3 attachment without save dialog

Post by stephenhart »

I'm wondering if anything has happened with this topic since the last posts.

I'm using phpBB 3, latest release as of this date.

My interest is in audio files, not pdf, but I'd like the user to be able to play the audio in place in the forum without downloading.

I understand the security concerns, but I'm not sure why an audio file would be any less secure than an image file. Either could, theoretically, be malignantly crafted to do harm, no?

So if in Posting > Manage Extension Groups, I set QuickTime files to Special Category None, only download is functional in the message.
If in Posting > Manage Extension Groups, I set QuickTime files to Special Category QuickTime media files, then a second link shows up in a post that reads "Play QuickTime," but it does nothing.

Can I get that link to work?
tuna
Registered User
Posts: 12
Joined: Fri Jun 27, 2003 11:22 pm
Location: Vancouver, BC, Canada

Re: Open pdf and mp3 attachment without save dialog

Post by tuna »

Just adding to the list of folks who would like to enable viewing inline PDF files. In my case, it is for an intranet site with very few users, so the XSS consideration is not as critical as if it was a public forum.
Mårten Berglund
Registered User
Posts: 17
Joined: Wed Feb 14, 2007 12:26 am

Re: Open pdf and mp3 attachment without save dialog

Post by Mårten Berglund »

I've made an update, taking care of some problems with filenames being destroyed when downloading, and so forth. It's working fine for me in phpBB 3.0.RC1, using it on an intranet. See code below.
stephenhart wrote: So if in Posting > Manage Extension Groups, I set QuickTime files to Special Category None, only download is functional in the message.
If in Posting > Manage Extension Groups, I set QuickTime files to Special Category QuickTime media files, then a second link shows up in a post that reads "Play QuickTime," but it does nothing.
I can't remember clearly, but I think I didn't use any special category settings in the Manage extension groups section in the admin panel. I think I just left it as is. But using the code below solved most issues.

#
#--[ FIND (in download.php, in function send_file_to_browser) ]--
#
   // Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
   header('Content-Type: ' . $attachment['mimetype']);

   if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
   {
      header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
      if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
      {
         header('expires: -1');
      }
   }
   else
   {
      header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
   }

#
#-----[ REPLACE WITH ]------------------------------------------
#
	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
	if (strtolower(substr($attachment['real_filename'], -4)) == ".mp3")
	{
		header('Content-Type: audio/mpeg');
		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'inline') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}
	else
	if (strtolower(substr($attachment['real_filename'], -4)) == ".wma")
	{
		header('Content-Type: audio/x-ms-wma');
		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'inline') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}
	else
	if (strtolower(substr($attachment['real_filename'], -4)) == ".pdf")
	{
		header('Content-Type: application/pdf');
		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'inline') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}
	else
	{
		header('Content-Type: ' . $attachment['mimetype']);
		if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
		{
			header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
			if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
			{
				header('expires: -1');
			}
		}
		else
		{
			header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
		}
	}
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: Open pdf and mp3 attachment without save dialog

Post by Eelke »

Mårten Berglund wrote: phpBB 3.0.RC1
You do realize this is an extremely old version, right? Since you're on an Intranet, security is a little bit less of a concern (but by no means a non-issue), but there are also many other bug fixes. For all you know, your issue has been addressed in the latest release.
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: Open pdf and mp3 attachment without save dialog

Post by Kellanved »

The problem is that PDFs are a security problem; your code would open up an XSS issue. Maybe fine for an intranet, but impossible for the majority of users. ;)
Nocando is in Idontwanna county. No support via PM
Acyd Burn
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Re: Open pdf and mp3 attachment without save dialog

Post by Acyd Burn »

Of course it is possible to send the mime type for some types... not based on the extension of course, but phpBB3 stores the mime type.
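An added example (not phpBB code and not code from any poster) of the approach the two replies above point to: the inline/attachment decision keys on the stored MIME type checked against an allowlist instead of on the filename extension, and PDF stays a download. The function name, the allowlist contents and the sample rows are assumptions; only the `mimetype` and `real_filename` keys come from the thread.

```php
<?php
// Added example, not phpBB code; function and constant names are hypothetical.
// The array keys mirror $attachment['mimetype'] / ['real_filename'] from the thread.

// Types allowed to render in place (an assumed policy). PDF is left out on purpose.
const INLINE_MIME_ALLOWLIST = ['image/png', 'image/jpeg', 'image/gif', 'audio/mpeg'];

function attachment_headers(array $attachment): array
{
    // Normalise the stored type: drop any parameters, trim, lowercase.
    $mime = strtolower(trim(explode(';', (string) $attachment['mimetype'])[0]));
    $inline = in_array($mime, INLINE_MIME_ALLOWLIST, true);

    // Off-allowlist files are sent as an opaque download, whatever their extension.
    $type = $inline ? $mime : 'application/octet-stream';

    // Replace control characters (CR/LF included), quotes and path separators
    // so the name cannot break out of the quoted string or the header line.
    $name = preg_replace('~[\x00-\x1F\x7F"\\\\/]~', '_', (string) $attachment['real_filename']);
    $ascii = preg_replace('~[^\x20-\x7E]~', '_', $name); // ASCII fallback for old clients

    return [
        'Content-Type: ' . $type,
        sprintf("Content-Disposition: %s; filename=\"%s\"; filename*=UTF-8''%s",
            $inline ? 'inline' : 'attachment', $ascii, rawurlencode($name)),
        // Tell the browser not to second-guess the declared type.
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample rows, not taken from a real board.
$samples = [
    ['mimetype' => 'audio/mpeg',      'real_filename' => 'talk.mp3'],     // inline
    ['mimetype' => 'application/pdf', 'real_filename' => 'report.pdf'],   // download
    ['mimetype' => 'text/html',       'real_filename' => 'clip.mp3'],     // download: type decides, not extension
    ['mimetype' => 'image/png',       'real_filename' => "a\r\nb\".png"], // name is neutralised
];

foreach ($samples as $row) {
    echo implode("\n", attachment_headers($row)), "\n\n";
}
```

Run from the command line, the third row shows the difference from an extension check: a file named `clip.mp3` whose stored type is `text/html` is sent as `application/octet-stream` with `attachment`.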
Mårten Berglund
Registered User
Posts: 17
Joined: Wed Feb 14, 2007 12:26 am

Re: Open pdf and mp3 attachment without save dialog

Post by Mårten Berglund »

Eelke wrote:
Mårten Berglund wrote: phpBB 3.0.RC1
You do realize this is an extremely old version, right? Since you're on an Intranet, security is a little bit less of a concern (but by no means a non-issue), but there are also many other bug fixes. For all you know, your issue has been addressed in the latest release.
Well, not extremely old, but old... It's too big a project for me to install the latest version, since I have done so many patches which will be overwritten. And the RC1 works fine for us.

Which of my issues have been addressed? I thought the XSS thing was in the way of making any similar changes to the official version of phpBB3.
lurttinen
Translator
Posts: 4670
Joined: Tue Sep 21, 2004 12:05 pm

Re: Open pdf and mp3 attachment without save dialog

Post by lurttinen »

Mårten Berglund wrote:
Eelke wrote:
Mårten Berglund wrote: phpBB 3.0.RC1
You do realize this is an extremely old version, right? Since you're on an Intranet, security is a little bit less of a concern (but by no means a non-issue), but there are also many other bug fixes. For all you know, your issue has been addressed in the latest release.
Well, not extremely old, but old... It's too big a project for me to install the latest version, since I have done so many patches which will be overwritten. And the RC1 works fine for us.

Which of my issues have been addressed? I thought the XSS thing was in the way of making any similar changes to the official version of phpBB3.
So, you are many security fixes behind?
I just hope no hacker or script kid will find your forum. Updates are not released for fun. They serve a purpose.
If nothing else, they fix problems.
From RC1 -> current, there are security fixes also.

Please take note that this forum supports only the latest versions of phpBB. :)
If your forum gets compromised just because you thought you don't want to update, well... Don't blame us. :P
We had given you the fix but you chose to ignore it. ;)

As per the devs, I don't have to quote them.
Mårten Berglund
Registered User
Posts: 17
Joined: Wed Feb 14, 2007 12:26 am

Re: Open pdf and mp3 attachment without save dialog

Post by Mårten Berglund »

lurttinen wrote:
Mårten Berglund wrote:
Eelke wrote:
Mårten Berglund wrote: phpBB 3.0.RC1
You do realize this is an extremely old version, right? Since you're on an Intranet, security is a little bit less of a concern (but by no means a non-issue), but there are also many other bug fixes. For all you know, your issue has been addressed in the latest release.
Well, not extremely old, but old... It's too big a project for me to install the latest version, since I have done so many patches which will be overwritten. And the RC1 works fine for us.

Which of my issues have been addressed? I thought the XSS thing was in the way of making any similar changes to the official version of phpBB3.
So, you are many security fixes behind?
I just hope no hacker or script kid will find your forum. Updates are not released for fun. They serve a purpose.
If nothing else, they fix problems.
From RC1 -> current, there are security fixes also.

Please take note that this forum supports only the latest versions of phpBB. :)
If your forum gets compromised just because you thought you don't want to update, well... Don't blame us. :P
We had given you the fix but you chose to ignore it. ;)

As per the devs, I don't have to quote them.
I thought I made clear that my forum is not out on the Internet. It's behind htaccess walls. I promise, I won't blame you... ;)

Anyway, you're doing a great job developing this forumware for free - it's amazing really! :P
lurttinen
Translator
Posts: 4670
Joined: Tue Sep 21, 2004 12:05 pm

Re: Open pdf and mp3 attachment without save dialog

Post by lurttinen »

Yes, I have access to my corporate network. I have phoned my co-workers and just asked for their password. They gave it without even thinking about if I really even worked for the company. ;)

You know, the usual. They are on a vacation and their email has some vital information about the project we work with. We need to get that information or our boss will be pissed.

I would not trust the intranet users any more than I trust the internet. :P
I'm no security specialist or anything, but I know we spend a lot of time protecting our networks from threats coming from outside. Forgetting the threats that could come from within.
ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith

Re: Open pdf and mp3 attachment without save dialog

Post by ToonArmy »

As previously mentioned, we do not support outdated installations, certainly not ones this outdated. You seriously might want to consider reading the change log; it's pretty huge. I took the liberty of generating a few statistics: from 3.0.RC1 to 3.0.3-dev there have been 466 bug fixes, 28 security fixes, 62 functionality changes and 41 feature additions. .htaccess protection is, how shall we put it, hardly secure. If your forum was on a network that is in no way connected to the internet you might be able to sleep a little easier, but not if it is on a server with internet connectivity with simple HTTP authentication protecting it. For these reasons I am going to go ahead and close this topic.
Locked