Tuckbros said:
instead of linking to the picture I linked to the php file containing
the following code :
$image_name = "../../sessions/" . session_id() . "/Avatar.jpg" ;
$save_name = "Avatar.jpg";
/* attachment disposition causes it to be treated like a download */
header("Content-Disposition: attachment; filename=$save_name");
readfile("$image_name");
where $save_name is the default name of the downloaded file and
$image_name is the name of the image to be saved.
One thing I'm sure someone will mention (if they haven't already - I'm offline)
Be very sure that you're getting your filename from a trusted source, i.e.:
$img = $_GET['IMG'];
readfile("/dir/" . $img); /* This is not safe */
Because some clown could come along and enter: IMG=../etc/passwd
Looks like your base is covered pretty well, unless Mr. clown comes along
and issues a bogus PHPSESSID. (or whatever your session variable is
configured as) even then, it'd be hard to get around the Avatar.jpg portion,
and I imagine their ability is limited by session variables which would likely
disappear if they tampered with it.
Using a regular expression or something to strip special characters or testing
from a list to ensure IMG is actually what you'd intended are some common
techniques.
I just wanted to mention it in this thread in case someone is googling
for the same problem. Looks like you took care of it, someone reading along
might not be aware of it. (it is an easy thing to miss)
Jamie
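
Added example, not part of either post: one way to combine the two techniques Jamie mentions (a regular-expression check and an allow-list) with a resolved-path containment check before calling readfile(). It rejects bad names instead of stripping characters from them. The directory, the allow-list entries and the function name resolve_image() are assumptions made for illustration.

```php
<?php
// Added example: directory, allow-list and function name are hypothetical.
const IMAGE_DIR = '/var/www/app/images';             // assumed base directory
const ALLOWED_IMAGES = ['Avatar.jpg', 'Banner.jpg']; // assumed allow-list

/**
 * Return the absolute path for a requested image, or null if it is rejected.
 */
function resolve_image(string $requested, string $baseDir = IMAGE_DIR): ?string
{
    // 1. Shape check: a bare file name only. No slashes, no dots in the stem,
    //    no NUL bytes, so "../etc/passwd" never gets past this point.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:jpg|png|gif)\z/', $requested)) {
        return null;
    }
    // 2. Allow-list: the name must be one the application intends to serve.
    if (!in_array($requested, ALLOWED_IMAGES, true)) {
        return null;
    }
    // 3. Containment: resolve symlinks, then confirm the result is still
    //    inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // base directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$img  = $_GET['IMG'] ?? '';
// IMG[]=x arrives as an array; treat anything that is not a string as invalid.
$path = is_string($img) ? resolve_image($img) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```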