Code:
// Content-type based on the Request
if (!$headers->has('Content-Type')) {
    $format = $request->getRequestFormat();
    if (null !== $format && $mimeType = $request->getMimeType($format)) {
        $headers->set('Content-Type', $mimeType);
    }
}

// Fix Content-Type
$charset = $this->charset ?: 'UTF-8';
if (!$headers->has('Content-Type')) {
    $headers->set('Content-Type', 'text/html; charset='.$charset);
} elseif (0 === stripos($headers->get('Content-Type'), 'text/') && false === stripos($headers->get('Content-Type'), 'charset')) {
    // add the charset
    $headers->set('Content-Type', $headers->get('Content-Type').'; charset='.$charset);
}
Code:
<video controls name="media" width="320" height="285">
    <source src="./3_5458180c7eddb48b876e9fe3e05fd825.mp4" type="video/mp4">
</video>
Code:
<!-- This works on Windows Chrome and Firefox, but not on iPod Safari -->
<video controls name="media" width="320" height="285">
    <source src="http://www.59plymouth.net/59test/download/file.php?id=7461" type="video/mp4">
</video>
'Content-type' => 'application/xml',
I will want to set the content type to 'audio/mp3', 'video/mp4', or whatever the appropriate mime type is for the object that is being requested. At the time core.page_header_after fires, is there a data structure containing the associated mime type, loaded from the database for the object being requested?

send_file_to_browser() in /includes/functions_download.php which sets the content type header for attachment downloads:
Code:
// Correct the mime type - we force application/octetstream for all files, except images
// Please do not change this, it is a security precaution
if ($category != ATTACHMENT_CATEGORY_IMAGE || strpos($attachment['mimetype'], 'image') !== 0)
{
    $attachment['mimetype'] = (strpos(strtolower($user->browser), 'msie') !== false || strpos(strtolower($user->browser), 'opera') !== false) ? 'application/octetstream' : 'application/octet-stream';
}

// (a few lines later)
header('Content-Type: ' . $attachment['mimetype']);
I'm not? Here's a page that presents an mp4 for playback. I can request the mp4 object and play it on my Windows desktop, even though the Content-Type is "application/octet-stream" - because all my desktop browsers (IE11, Chrome, Firefox) examine the stream and recognize it as an mp4. But not iOS browsers (Safari, Chrome).

kasimi wrote:
You're not making a request to a phpBB page and thus the core.page_header_after event isn't triggered.
shortmort37 wrote:
So, wouldn't that event fire when the mp4 on the page is requested?

It wouldn't, as you're expecting the video file to be sent to the client when requesting /download/file.php?id=7461 and not HTML content. In file.php there's no call to page_header(), which would set up common template variables and trigger the core.page_header_after event, among other things.

ATTACHMENT_CATEGORY_HTML5 to constants.php as part of the change to enable native html5 browser capability to play audio/video. It looks like I ought to be able to add that category to functions_download.php, and thus not force an overwrite of the mimetype in the header response. But, I'm wondering what the vulnerability is that is referenced here in functions_download.php:
Code:
// Correct the mime type - we force application/octetstream for all files, except images
// Please do not change this, it is a security precaution
Because one could also alter to include HTTP headers from unreliable sources (even inject into the page something that was not requested). You should be able to set your own headers from within your event if I understand Symfony enough, which may not be the case.

shortmort37 wrote:
Code:
// Correct the mime type - we force application/octetstream for all files, except images
// Please do not change this, it is a security precaution

Code:
HTTP/1.1 200 OK
Date: Mon, 22 Aug 2016 01:07:08 GMT
Server: Apache
X-Powered-By: PHP/5.6.24
Cache-Control: public
Content-Disposition: attachment; filename=4.mp4
Last-Modified: Sat, 13 Aug 2016 18:49:44 GMT
Content-Length: 3079192
Keep-Alive: timeout=3, max=97
Connection: Keep-Alive
Content-Type: video/mp4
Code:
HTTP/1.1 206 Partial Content
Date: Mon, 22 Aug 2016 01:13:40 GMT
Server: Apache
Last-Modified: Sat, 13 Aug 2016 18:44:57 GMT
Accept-Ranges: bytes
Content-Length: 2
Content-Range: bytes 0-1/3079192
Keep-Alive: timeout=3, max=99
Connection: Keep-Alive
Content-Type: video/mp4

HTTP/1.1 206 Partial Content
Date: Mon, 22 Aug 2016 01:13:40 GMT
Server: Apache
Last-Modified: Sat, 13 Aug 2016 18:44:57 GMT
Accept-Ranges: bytes
Content-Length: 3079192
Content-Range: bytes 0-3079191/3079192
Keep-Alive: timeout=3, max=98
Connection: Keep-Alive
Content-Type: video/mp4

HTTP/1.1 206 Partial Content
Date: Mon, 22 Aug 2016 01:13:41 GMT
Server: Apache
Last-Modified: Sat, 13 Aug 2016 18:44:57 GMT
Accept-Ranges: bytes
Content-Length: 23576
Content-Range: bytes 3055616-3079191/3079192
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: video/mp4

HTTP/1.1 206 Partial Content
Date: Mon, 22 Aug 2016 01:13:41 GMT
Server: Apache
Last-Modified: Sat, 13 Aug 2016 18:44:57 GMT
Accept-Ranges: bytes
Content-Length: 7192
Content-Range: bytes 3072000-3079191/3079192
Keep-Alive: timeout=3, max=99
Connection: Keep-Alive
Content-Type: video/mp4

HTTP/1.1 206 Partial Content
Date: Mon, 22 Aug 2016 01:13:41 GMT
Server: Apache
Last-Modified: Sat, 13 Aug 2016 18:44:57 GMT
Accept-Ranges: bytes
Content-Length: 1904
Content-Range: bytes 3070096-3071999/3079192
Keep-Alive: timeout=3, max=98
Connection: Keep-Alive
Content-Type: video/mp4
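The "security precaution" discussed in this thread exists because the stored mimetype comes from the uploading client, so echoing it into Content-Type lets an uploader pick what the browser will interpret the file as. As an added example (not phpBB's code and not from any poster), this is one way to let an HTML5 media category keep a real Content-Type without trusting that label: honour the stored type only if it is on a short allowlist and the file's leading bytes match it, and otherwise fall back to application/octet-stream. ATTACHMENT_CATEGORY_HTML5 is taken from the thread; its numeric value, the function name and the signature table are assumptions.

```php
<?php
// Added example, not phpBB's own code. Placeholder value so the file runs
// stand-alone; in a real install the constant comes from constants.php.
if (!defined('ATTACHMENT_CATEGORY_HTML5')) {
    define('ATTACHMENT_CATEGORY_HTML5', 4);
}

// Allowlist of media types that may be served with their real Content-Type,
// each paired with the byte offset and magic bytes the file must start with.
const HTML5_MEDIA_SIGNATURES = [
    'video/mp4'  => [4, 'ftyp'],               // ISO BMFF: 4-byte box size, then 'ftyp'
    'audio/mpeg' => [0, 'ID3'],                // MP3 carrying an ID3v2 tag (bare-frame MP3s fall back)
    'video/webm' => [0, "\x1A\x45\xDF\xA3"],   // EBML header (WebM / Matroska)
    'audio/ogg'  => [0, 'OggS'],               // Ogg page capture pattern
];

/**
 * Decide the Content-Type for an attachment download. $stored_mimetype is the
 * value saved at upload time (client-controlled); it is only honoured when the
 * category is HTML5 media, the type is allowlisted and the content agrees.
 */
function resolve_download_content_type(int $category, string $stored_mimetype, string $path): string
{
    $fallback = 'application/octet-stream';
    $stored   = strtolower(trim($stored_mimetype));
    if ($stored === 'audio/mp3') {            // common upload label; registered type is audio/mpeg
        $stored = 'audio/mpeg';
    }
    if ($category !== ATTACHMENT_CATEGORY_HTML5 || !isset(HTML5_MEDIA_SIGNATURES[$stored])) {
        return $fallback;
    }
    [$offset, $magic] = HTML5_MEDIA_SIGNATURES[$stored];
    $need = $offset + strlen($magic);
    $head = @file_get_contents($path, false, null, 0, $need);
    if ($head === false || strlen($head) < $need) {
        return $fallback;                     // unreadable or too short to carry the signature
    }
    // The label is accepted only when the bytes on disk back it up.
    return substr($head, $offset, strlen($magic)) === $magic ? $stored : $fallback;
}

// Intended use inside send_file_to_browser(), in place of the forced octet-stream line
// (the variable names match the snippet quoted in the thread; $filename is assumed):
// $attachment['mimetype'] = resolve_download_content_type($category, $attachment['mimetype'], $filename);
// header('Content-Type: ' . $attachment['mimetype']);
// header('X-Content-Type-Options: nosniff'); // keep browsers from sniffing the fallback into HTML
```

Because the allowlist contains only audio/video types, a stored mimetype of text/html or image/svg+xml can never reach the header, whatever the file contains; Content-Disposition and nosniff stay in place for the fallback case.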