r3b3lxd has asked for the wisdom of the Perl Monks concerning the following question:


I am developing a web-based file storage utility and I've come up against a problem. For security the files are stored outside the web-server root but this poses a problem when the user wants to download a file.
The obvious way would be to temporarily move the file to be downloaded so it was accessible from the web and link to it. But this would cause security risks from others being able to download the file also.
I worked out a solution in which the script opens up the file and then prints it out with the correct Content-type header causing a download box to open but this has several drawbacks:
1) The filename of the script (e.g. download.pl) is used instead of the actual filename
2) If the MIME type is recognised e.g. image/gif then the browser will display the file instead of opening a box to download it.

Any help would be much appreciated. Thanks in advance.

Rob

Replies are listed 'Best First'.
Re: Protect Downloads
by tachyon (Chancellor) on Aug 07, 2001 at 23:09 UTC
Re: Protect Downloads
by arturo (Vicar) on Aug 07, 2001 at 23:05 UTC

    Chances are your webserver provides Basic Authentication, or better yet Digest authentication (chances are your users' browsers don't, unless they're using IE 5+ or are Mozilla/Konqueror-lovin' geeks).

    If you protect access to those directories (using .htaccess w/Apache or whatever your webserver's equivalent is), you can simply put the files underneath the webserver's document root and make sure only those who know the password get to see them.

    Without more information, I can't say much more along these lines that will help you.

    HTH

    perl -e 'print "How sweet does a rose smell? "; chomp ($n = <STDIN>); $rose = "smells sweet to degree $n"; *other_name = *rose; print "$other_name\n"'
Re: Protect Downloads
by suaveant (Parson) on Aug 07, 2001 at 23:17 UTC
    ok... the easy way, make your script called dnld or something, then pass the file in on $ENV{PATH_INFO} so your script call looks like /cgi-bin/dnld/foo.exe and that is an easy way to handle the filename (otherwise you need content-disposition headers...)

    you will NEVER get msie to force a gif or jpg or whatever download, MSIE blatantly ignores you... tell them to right click and do save as...

    Netscape will do it if you set the Content-type: application/octet-stream

                    - Ant
                    - Some of my best work - Fish Dinner

Re: Protect Downloads
by Chady (Priest) on Aug 08, 2001 at 17:28 UTC

    As far as question 2, this is a problem with the web browser, and there is little you can do about it. But for question 1, here's what you can do:

    # print your content type...
    print "Content-Disposition: filename=blah.zip\n";
    # print the contents of the file...

    He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.

    Chady | http://chady.net/
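
The PATH_INFO and Content-Disposition suggestions from the replies above, combined into one download script as an added example that is not code from any poster in the thread. Because PATH_INFO is supplied by the client, the name is validated and confined to the storage directory before anything is opened; the storage path `/var/data/uploads`, the helper names and the `attachment` disposition type are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Serves a file kept outside the
# document root, called as /cgi-bin/dnld/<name> (the name arrives in PATH_INFO).
use strict;
use warnings;
use Cwd qw(abs_path);

my $STORE = '/var/data/uploads';   # assumed storage directory outside the web root

# Map a PATH_INFO value to a real file inside $store, or return an empty list.
sub resolve_download {
    my ($store, $path_info) = @_;
    return unless defined $path_info;
    # Accept exactly one path component of safe characters: no "/", no "..",
    # no leading dot, and no quotes or CR/LF that could break the header below.
    my ($name) = $path_info =~ m{\A/([A-Za-z0-9][A-Za-z0-9._-]{0,254})\z}
        or return;
    my $root = abs_path($store)        or return;
    my $real = abs_path("$root/$name") or return;
    # abs_path resolves symlinks, so a link pointing out of the store fails here.
    return unless index($real, "$root/") == 0 && -f $real;
    return ($real, $name);
}

# Send a minimal error response and stop.
sub fail {
    my ($status) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$status\n";
    exit 0;
}

my ($file, $name) = resolve_download($STORE, $ENV{PATH_INFO});
fail('404 Not Found') unless defined $file;
# Per-user authorization belongs here, before any bytes are sent.
open(my $fh, '<:raw', $file) or fail('404 Not Found');

binmode STDOUT;
my $size = -s $fh;
# All headers first, then one blank line, then the body.
print "Content-Type: application/octet-stream\r\n",
      "Content-Disposition: attachment; filename=\"$name\"\r\n",
      "X-Content-Type-Options: nosniff\r\n",
      "Content-Length: $size\r\n\r\n";
# Stream in chunks so large files are never held in memory.
while (read($fh, my $buf, 65536)) { print $buf }
close $fh;
```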