Re: Why and wherefore file downloads [message #176678 is a reply to message #176654]
Tue, 17 January 2012 01:01
Harry Putnam
Messages: 2 Registered: January 2012
"M. Strobel" <sorry_no_mail_here(at)nowhere(dot)dee> writes:
> Am 14.01.2012 19:43, schrieb Harry Putnam:
> ---cut
>> ------- --------- ---=--- --------- --------
>> From_mohitsharma.net.php
>>
>> php
>>
>> <?php
>> // The file path where the file exists
>> $filepath = "**HERE**".$_GET['filename']."";
> ---cut
>
>> @readfile($filepath);
>> ?>
> --------------cut
>
>> ------- 8< snip ---------- 8< snip ---------- 8<snip -------
>> #!/usr/bin/perl
>>
>> use strict;
>> use warnings;
>> use diagnostics;
>>
>> my ($frdir,$reg, @files, $php);
>> $php = './Frommohitsharma.net.php';
>
> your perl calls Frommohitsharma.net.php, but you print From_mohitsharma.net.php.
>
> You are calling a different script.
No, that is something added when I wrote this message. It was to
indicate the php script and typed wrong inadvertently, not a typo
exactly, more like a memory lapse.
But it would have no bearing on what gets called.
The script being called is whatever is in the variable $php and there
is only one such script available.
> This is the only explanation because the parameter filepath is used unchanged in the
> readfile() function and it should not work if you change it.
That is the odd part. Even if I do change it so that it doesn't really
point to the files, it still works.
For example, I just tried this:
$filepath = "".$_GET['filename'].""; # no path listed at all.
Yet I am still shown an mp3 to play or download.
And this:
$filepath = "/not".$_GET['filename'].""; ## wrong non-existent path
## listed
At first I thought it might be because the mp3s were in the same dir
as the php script. So I changed that just to find out.
The 1 lonesome mp3 has been moved to /test
I don't have root on the server but can control my little bit of it.
PS - do you mind explaining a bit in an off-group (via email) message,
what you mean by the bit about insecure?
Note: I do not munge my email address ... it's real.
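
The quoted script builds `$filepath` from `$_GET['filename']` and hands it to `readfile()` unchanged. As an added example (not code from this thread), here is one way to constrain that parameter to a single directory before reading; `DOWNLOAD_DIR`, its path and `resolve_download()` are hypothetical names chosen for illustration.

```php
<?php
// Added example: a constrained variant of the download handler quoted above.
// DOWNLOAD_DIR and resolve_download() are hypothetical, not from the thread.
const DOWNLOAD_DIR = '/srv/media/mp3';   // assumed storage directory

/**
 * Map a client-supplied name to a file inside $baseDir, or return null.
 */
function resolve_download(string $baseDir, $requested): ?string
{
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Keep only the final path component, so directory parts are discarded.
    $name = basename(str_replace('\\', '/', $requested));
    // Allow-list the characters and the one extension the site serves.
    if (!preg_match('/\A[A-Za-z0-9._ -]+\.mp3\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files and resolves symlinks,
    // so a link that points outside the base directory is rejected here.
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($full)) {
        return null;
    }
    return $full;
}

// Only act as a request handler when reached through the web server.
if (PHP_SAPI !== 'cli') {
    $path = resolve_download(DOWNLOAD_DIR, $_GET['filename'] ?? null);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    // No @ prefix: a failed read should appear in the error log.
    readfile($path);
}
```

Because a bad or missing name returns 404 and read errors are not suppressed, a wrong base path in this variant fails visibly instead of silently.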