Open pdf and mp3 attachment without save dialog

[stephenhart]

I'm wondering if anything has happened with this topic since the last posts.

I'm using phpBB 3, latest release as of this date.

My interest is in audio files, not pdf, but I'd like the user to be able to play the audio in place in the forum without downloading.

I understand the security concerns, but I'm not sure why an audio file would be any less secure than an image file. Either could, theoretically, be malignantly crafted to do harm, no?

So if in Posting > Manage Extension Groups, I set QuickTime files to Special Category None, only download is functional in the message.
If in Posting > Manage Extension Groups, I set QuickTime files to Special Category QuickTime media files, then a second link shows up in a post that reads "Play QuickTime," but it does nothing.

Can I get that link to work?

[tuna]

Just adding to the list of folks who would like to enable viewing inline PDF files. In my case, it is for an intranet site with very few users, so the XSS consideration is not as critical as if it was a public forum.

[Mårten Berglund]

I've made an update, taking care of some problems with filenames being destroyed when downloading, and so forth. It's working fine for me in phpBB 3.0.RC1, using it on an intranet. See code below.

So if in Posting > Manage Extension Groups, I set QuickTime files to Special Category None, only download is functional in the message.
If in Posting > Manage Extension Groups, I set QuickTime files to Special Category QuickTime media files, then a second link shows up in a post that reads "Play QuickTime," but it does nothing.

I can't remember clearly, but I think I didn't use any special category settings in the Manage extension groups section in the adminpanel. I think I just left it as is. But using the below code, solved the most issues.

Code: Select all

#
#--[ FIND (in download.php, in function send_file_to_browser) ]--
#
   // Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
   header('Content-Type: ' . $attachment['mimetype']);

   if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
   {
      header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
      if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
      {
         header('expires: -1');
      }
   }
   else
   {
      header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
   }

#
#-----[ REPLACE WITH ]------------------------------------------
#
	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
	if (strtolower(substr($attachment['real_filename'], -4)) == ".mp3")
	{
		header('Content-Type: audio/mpeg');
		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'inline') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}
	else
	if (strtolower(substr($attachment['real_filename'], -4)) == ".wma")
	{
		header('Content-Type: audio/x-ms-wma');
		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'inline') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}
	else
	if (strtolower(substr($attachment['real_filename'], -4)) == ".pdf")
	{
		header('Content-Type: application/pdf');
		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'inline') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
	}
	else
	{
		header('Content-Type: ' . $attachment['mimetype']);
		if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie') !== false))
		{
			header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
			if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
			{
				header('expires: -1');
			}
		}
		else
		{
			header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'])));
		}
	}

[Eelke]

phpBB 3.0.RC1

You do realize this is an extremely old version, right? Since you're on an Intranet, security is a little bit less of a concern (but by no means a non-issue), but there are also many other bug fixes. For all you know, your issue has been addressed in the latest release.

[Kellanved]

The problem is that pdf are a security problem; your code would open up a XSS issue. Maybe fine for an intranet, but impossible for the majority of users.

[Acyd Burn]

Of course it is possible to send the mime type for some types... not based on the extension of course, but phpBB3 stores the mime type.

[Mårten Berglund]

phpBB 3.0.RC1

You do realize this is an extremely old version, right? Since you're on an Intranet, security is a little bit less of a concern (but by no means a non-issue), but there are also many other bug fixes. For all you know, your issue has been addressed in the latest release.

Well, not extremely old, but old... It's a too big project to install the latest version for me, since I have done so many patches which will be overwritten. And the RC1 works fine for us.

Which of my issues have been addressed? I thought the XSS thing was in the way to do any similar changes to the official version of phpBB3.

[lurttinen]

phpBB 3.0.RC1

You do realize this is an extremely old version, right? Since you're on an Intranet, security is a little bit less of a concern (but by no means a non-issue), but there are also many other bug fixes. For all you know, your issue has been addressed in the latest release.

Well, not extremely old, but old... It's a too big project to install the latest version for me, since I have done so many patches which will be overwritten. And the RC1 works fine for us.

Which of my issues have been addressed? I thought the XSS thing was in the way to do any similar changes to the official version of phpBB3.

So, you are many security fixes behind?
I just hope no hacker or script kid will find your forum. Updates are not released for fun. They serve a purpose.
if nothing else, they fix problems.
From RC1 -> current, there are security fixes also.

Please take a note that this forum supports only the latest versions of phpBB.
If your forum gets compromised just because you thought you don't want to update, well... Don't blame us.
We had given you the fix but you choose to ignore it.

As per the devs, i don't have to quote them.

[Mårten Berglund]

phpBB 3.0.RC1

You do realize this is an extremely old version, right? Since you're on an Intranet, security is a little bit less of a concern (but by no means a non-issue), but there are also many other bug fixes. For all you know, your issue has been addressed in the latest release.

Well, not extremely old, but old... It's a too big project to install the latest version for me, since I have done so many patches which will be overwritten. And the RC1 works fine for us.

Which of my issues have been addressed? I thought the XSS thing was in the way to do any similar changes to the official version of phpBB3.

So, you are many security fixes behind?
I just hope no hacker or script kid will find your forum. Updates are not released for fun. They serve a purpose.
if nothing else, they fix problems.
From RC1 -> current, there are security fixes also.

Please take a note that this forum supports only the latest versions of phpBB.
If your forum gets compromised just because you thought you don't want to update, well... Don't blame us.
We had given you the fix but you choose to ignore it.

As per the devs, i don't have to quote them.

I thought I made clear that my forum is not out on the Internet. It's behind htaccess walls. I promise, I won't blame you...

Anyway, you're doing a great job developing this forumware for free - it's amazing really!

[lurttinen]

Yes, i have access to my corporate network. I have phoned to my co-workers and just ask their password. They gave it without even thinking about if i really even worked for the company.

You know, the usual. They are on a vacation and their email has some vital information about the project we work with. We need to get that information or our boss will be pissed.

I would not trust the intranet users anymore than i trust the internet.
I'm no security specialist or anything, but i know we spend a lot of time to protect our networks from threats coming outside. Forgetting the threats that could come within.

[ToonArmy]

As previously mentioned we do not support outdated installations, certainly not ones this outdated. You seriously might want to consider reading the change log its pretty huge. I took the liberty of generating a few statistics, from 3.0.RC1 to 3.0.3-dev there have been 466 bug fixes, 28 security fixes, 62 functionality changes and 41 feature additions. .htaccess protection is how shall we put it, hardly secure. If your forum was on a network that is in no way connected to the internet you might be able to sleep a little easier, but not if it is on a server with internet connectivity with simple HTTP authentication protecting it. For these reasons I am going to go ahead and close this topic.