下载具有PHP内容分配的滥用:附件和readfile
我有一个下载滥用问题,即php内容分解:附件和读取文件。看来我的问题是在ReadFile上,因为尽管此脚本有效,但无论客户端是否关闭浏览器,ReadFile都会读取MP4的整个内容,并通过脚本来启动下载并立即关闭进度的脚本设置滥用的可能性。某个地方正在运行一个脚本,该脚本单击此链接每秒数百次,运行我的PHP脚本并立即取消其下载,但是我的服务器正在准备每次要卸载的整个文件。
这是我正在运行的脚本,当用户/虐待者单击下载链接时:
<?php
// get MP4 address
$MP4Address = $_GET["MP4Address"];
// We'll be outputting a MOV
header( 'Content-Type: application/octet-stream' );
$filename = basename($MP4Address);
// Name file
header('Content-Disposition: attachment; filename="'.$filename.'"');
// Source file
readfile($MP4Address);
?>
我怀疑ReadFile是这里的罪魁祸首,但是没有它,客户端将接收一个空文件。这样做必须有一种更现代,正确的方法,但是我不确定会是什么。
I'm having a download abuse issue with php Content-Disposition: attachment and readfile. It seems that my problem is with readfile, because although this script works, whether or not the client closes their browser, readfile reads the entire contents of the mp4, setting up the possibility of abuse with scripts initiating the download and immediately closing the progress. Something, somewhere, is running a script which clicks this link hundreds of times per second, running my php script and immediately cancelling their download, but my server is preparing that entire file to be offloaded each time.
Here's the script I'm running, when the user/abuser clicks a download link:
<?php
// get MP4 address
$MP4Address = $_GET["MP4Address"];
// We'll be outputting a MOV
header( 'Content-Type: application/octet-stream' );
$filename = basename($MP4Address);
// Name file
header('Content-Disposition: attachment; filename="'.$filename.'"');
// Source file
readfile($MP4Address);
?>
I suspect that readfile is the culprit here, but without it, the client will receive an empty file. There must be a more modern, proper way of doing this, but I'm not sure what it could be.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
除非您已经打电话给
ignore_user_abort(true)readfile()呼叫PHP就无法关注该信号,因为它正忙于进行低级IO。我会说您有2个选择,第一个是简单地编写一些代码来检测并阻止滥用您服务的人。您的下载已经得到PHP脚本的支持,因此添加一些检查和过滤应该相对简单。
另一个是用
readfile()用一些[公认的效率降低]代码来替换,该代码应为PHP提供一些呼吸空间以寻找用户中断。Unless you've called
ignore_user_abort(true)PHP should get the signal that the connection has been aborted and cease execution. But it's possible that once you're inside thereadfile()call PHP is not able to watch for that signal since it's busy doing low-level IO.I would say you've got 2 options, the first being to simply write some code to detect and block the person that's abusing your service. You downloads are already backed by a PHP script, so adding in a bit of checking and filtering should be relatively simple.
The other would be to replace the
readfile()call with a bit of [admittedly less efficient] code that should give PHP some breathing space to look for user aborts.