The download permission system of hirvine.com is one of the reasons to literay ’spam’ my inbox. The worst is the bug exists. About nearly a year ago it occured and finally I located the bug. Well, ok I did not intensively searched for it. I thought it was a Internet Explorer thingy since Firefox/Safari and Opera users didn’t had much bug reports.
Thanks to Borf, who is also the producer of the MORPG Sagramore game, I could fix the bug. Oh yes! It’s MORPG, since it’s not a Mass Multiplayer Online Role Playing Game. You oughta browse Borf’s site. The game is free2play and you do NOT need to install anything!). Full credits to Borf for the download permission system fix. Webpages, programs, games Borf is always there. This fix will be upped during the next weekend. Do only continue reading if you want to know more techincal details of the bug.
* The image above is Nia from Tengen Lagan Gamen Gurren. I will write a short review about this someday.
The next text is only interesting if you are curious about the bug.
What is the Download Permission System?
At first, if you do not know, the Download Permission System makes sure an IP is restricted by dowbloading X files at once. These are named ’slots’ or ‘download slots’. At the moment everyone has NO speed restriction but is limited by 3 dowload slots.
What is the bug?
Download file 1, 2, 3 .. 4 fails even when the files 1,2 and 3 are finished. The download slots isn’t rarely, for me seeming randomly, cleared. Depressive people starts mailing me they cannot start new downloads and I have to lookup and remove the download slots from the database manually. It eats time and should not happen.
So what is the bug?
Simple, I’m feel really stupid I just found out. All files are served by a php file, which script did run out of execution time and the security controller closes the script. However it did not close within downloading because of the ‘keep-alive’ headers sent. The more I cannot give, because of security issues, sry.
The fix?
A few lines need to be modified. Mainly the function set_time_limit() will be invoked.
A warning for developpers
Browsing around the web I did find people making their own download system as I do. However sometimes they are really, really hackable.
<PHP Code>
session_start();) die();
if (!$_SESSION['isLogIn']
$file = isset($_GET['file'])? $_GET['file']:'';
if ('' === $file) exit(); // Or whatever, not important
header('Content-type:Â application/pdf'); // mime type here, I dunno, not important now
header('Content-Disposition:Â attachment;Â filename=basename( $file));
readfile($file);
This isn’t a good script!
- Session will block the site, because the session cannot be read while it’s open.
Use session_write_close(). - $file could be anything fellows. We can just sign ‘/etc/bin/conf’ … or ‘/.htaccess’
Please do verify wether the you want to have ‘../’ and ‘/’. DO limit them if you need to.
At best, print an constant variable in front, which should make sure the directory isn’t hacked. - Ofcourse this file will be cached without setting a few cache headers.
- Also, probably accepting the rawfile as paramter isn’t very safe. Preferable an ID or a Slug.
>> fix added at Sun, 26 Oct 2008, props Borf
