[Patch] Direct (php-less) attachment downloads

bolverk
I've been banned
Posts: 280
Joined: Mon Feb 02, 2009 5:39 pm

Re: [RFC|Accepted] Resuming for attachments / HTTP range sup

Post by bolverk »

FeyFre wrote: Wiki is not a source of objective data.
I generally would agree with that, as I know at one time a Wikipedia entry for Albert Einstein served up a pornographic image. ;)
However, I am curious how many web servers you "have touched". Do you have an actual number or estimate you are basing your conclusion on?
Is that number greater than two hundred and five million, seven hundred fourteen thousand, two hundred and fifty-three? If not, I would have to say that I would trust Netcraft's statistics a little bit more than yours. :P

As the #2 most widely used web server platform, IIS (Microsoft) most definitely needs to be supported transparently in any phpBB implementation along with all *nix flavors. In other words, no feature or function of phpBB should work on *nix and not IIS and vice versa.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [Patch] Direct (php-less) attachment downloads

Post by igorw »

Security needs to be strongly considered here. The whole point of download/file.php is to ensure secure downloads, mainly protecting against IE MIME sniffing and plugin (Flash's cross-domain and Java GIFAR) attacks. Additionally, it can enforce MIME types and it prevents potential LFI by keeping file names secret. These things need to be kept in mind; serving files directly is a security risk.

An easy way out of most of these issues would be to use a completely different TLD to serve all of the files, which would allow serving files directly. (related: CDN)

A good post on the subject: http://stackoverflow.com/questions/6025 ... 904#602904
Last edited by igorw on Wed Aug 18, 2010 2:24 pm, edited 1 time in total.

shoeib
Registered User
Posts: 1
Joined: Fri Aug 06, 2010 6:43 pm

Re: [Patch] Direct (php-less) attachment downloads

Post by shoeib »

Hi and thanks for this first step towards direct link download in phpBB.

I have done all the things that are written in the first post. But when I click on a download link in my forum it gives me a 403 forbidden access page!

What can be the problem?

Thanks

Meis2M
Registered User
Posts: 433
Joined: Fri Apr 23, 2010 10:18 am

Re: [Patch] Direct (php-less) attachment downloads

Post by Meis2M »

Any way to add an ability to multi-upload attachments in topics or posts?!

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [Patch] Direct (php-less) attachment downloads

Post by bantu »

Meis2M wrote: Any way to add an ability to multi-upload attachments in topics or posts?!
What you want is neither related to this topic nor related to Resuming for attachments / HTTP range support.

Please create a new topic in 3.2 discussion or 3.2 RFC.


bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [Patch] Direct (php-less) attachment downloads

Post by bantu »

If you have a busy forum and want PHP to be less involved when it comes to attachment downloads, I'd suggest using something like X-Accel-Redirect (nginx) or x-sendfile (lighttpd). Both options probably do not support HTTP range requests (ability to resume downloads), but it should still be possible to handle those with PHP as in viewtopic.php?f=84&t=33120. Because of the potential risk of exposing the physical filename in case the webserver doesn't support X-Accel-Redirect / x-sendfile, you will have to manually enable X-Accel-Redirect / x-sendfile. See http://tracker.phpbb.com/browse/PHPBB3-9790
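
A sketch of the header handling discussed in igorw's and bantu's posts above, as an added example that is not part of the thread or of phpBB's code: the PHP handler still decides the MIME type and disposition, and hands the file transfer to the web server only when offloading has been switched on explicitly. The function name, the /protected_files/ location, the on-disk path and the sample row are assumptions.

```php
<?php
// Added example, not phpBB code. Function name, paths and sample row are hypothetical.
const INLINE_SAFE_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

/**
 * Build the response headers for one attachment download.
 * $offload is 'none' (PHP streams the file), 'nginx' or 'lighttpd'. It must be an
 * explicit admin opt-in: a web server that does not understand the header passes
 * it on to the client and so reveals the physical filename.
 */
function attachment_headers(array $att, string $offload = 'none'): array
{
    // The on-disk name is generated by the board; reject anything path-like.
    if (!preg_match('/^[a-f0-9_]{1,64}$/', $att['physical_filename'])) {
        throw new InvalidArgumentException('unexpected physical filename');
    }

    // Enforce the MIME type: only known image types render inline, the rest download.
    $inline = in_array($att['mimetype'], INLINE_SAFE_TYPES, true);
    $type = $inline ? $att['mimetype'] : 'application/octet-stream';

    // Keep the user-supplied display name from breaking out of the quoted value.
    $name = preg_replace('/[^A-Za-z0-9._ -]/', '_', $att['real_filename']);

    $headers = [
        'Content-Type' => $type,
        'Content-Disposition' => ($inline ? 'inline' : 'attachment') . '; filename="' . $name . '"',
        'X-Content-Type-Options' => 'nosniff', // tells browsers not to MIME-sniff
    ];
    if ($offload === 'nginx') {
        // URI of an nginx location marked "internal", not a filesystem path.
        $headers['X-Accel-Redirect'] = '/protected_files/' . $att['physical_filename'];
    } elseif ($offload === 'lighttpd') {
        // lighttpd's x-sendfile takes the absolute path of the file on disk.
        $headers['X-Sendfile'] = '/var/www/board/files/' . $att['physical_filename'];
    }
    return $headers;
}

// Constructed sample row: an HTML upload with a quote in its display name.
$row = ['physical_filename' => '2_0a1b2c3d4e5f', 'real_filename' => 'report".html', 'mimetype' => 'text/html'];
foreach (attachment_headers($row, 'nginx') as $field => $value) {
    echo "$field: $value\n";
}
```

With nginx, the X-Accel-Redirect target has to be a location marked "internal", and the nosniff header should be added in that location as well, since nginx carries over only a small set of headers (Content-Type and Content-Disposition among them) from the PHP response.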

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am

Re: [Patch] Direct (php-less) attachment downloads

Post by Oleg »

Is this an accepted RFC for 3.1?

This feels like a discussion topic with a patch attached. Perhaps it would be better off in the discussion forum, if it is undecided whether this feature would be (ever) implemented.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [Patch] Direct (php-less) attachment downloads

Post by bantu »

Moved.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [Patch] Direct (php-less) attachment downloads

Post by bantu »

bantu wrote: If you have a busy forum and want PHP to be less involved when it comes to attachment downloads, I'd suggest using something like X-Accel-Redirect (nginx) or x-sendfile (lighttpd). Both options probably do not support HTTP range requests (ability to resume downloads), but it should still be possible to handle those with PHP as in viewtopic.php?f=84&t=33120. Because of the potential risk of exposing the physical filename in case the webserver doesn't support X-Accel-Redirect / x-sendfile, you will have to manually enable X-Accel-Redirect / x-sendfile. See http://tracker.phpbb.com/browse/PHPBB3-9790
Feel free to give this a try. https://github.com/bantu/phpbb3/compare ... icket/9790
