FileDownload 2.5
Last week it was discovered that the file download.php that was included with the FileDownload snippet could be exploited to download any file. After a quick fix was released, I looked for a better way to increase the download security. After doing some searching on different methods of securing downloads, I decided it would be best just to use facilities provided by MODx.
Before diving in and writing my own solution I checked out the MODx repository and found a plugin created by Adam aka ONO that did exactly what I was looking for. The plugin takes the path from a template variable, so all the user ever sees is the name of the file they are downloading. Using this allows for increased security as the path is never disclosed and the plugin stops a hacker from moving up the path. So I spent some time going through the code and making sure it implemented all of the features already included with the FileDownload snippet. I added in the ability for the plugin to count downloads and use multiple folders. I then had to make a few tweaks to the FileDownload snippet to take into account the new way of processing downloads.
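The approach described above (the visitor supplies only a file name, the folder comes from server-side configuration, and anything that climbs out of that folder is refused) can be sketched as follows. This is an added example, not the plugin's or the snippet's own code; `resolve_download` and the demo folder are hypothetical, and the folder argument stands in for the FileDownloadFolder template variable.

```php
<?php
// Added illustration, not the FileDownload plugin's code.
// $baseDir stands in for the folder configured server-side (on the page, the
// FileDownloadFolder template variable); it is never taken from the request.

function resolve_download(string $baseDir, string $requestedName): ?string
{
    // Only a bare file name is acceptable: no NUL bytes, no separators, no dot entries.
    if ($requestedName === '' || strpos($requestedName, "\0") !== false) {
        return null;
    }
    $normalized = str_replace('\\', '/', $requestedName);
    if ($normalized !== $requestedName || basename($normalized) !== $requestedName
        || $requestedName === '.' || $requestedName === '..') {
        return null;
    }

    // Resolve symlinks on both sides, then require the result to sit inside the folder.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    if ($full === false || !is_file($full)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo data: a throwaway folder holding one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fd_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'manual.pdf', 'demo');

foreach (['manual.pdf', '../manual.pdf', '..', '/etc/passwd', 'missing.zip'] as $name) {
    $verdict = resolve_download($dir, $name) === null ? 'rejected' : 'allowed';
    printf("%-16s %s\n", $name, $verdict);
}

unlink($dir . DIRECTORY_SEPARATOR . 'manual.pdf');
rmdir($dir);
```

The containment check runs after `realpath()`, so a symlink placed inside the folder that points elsewhere is refused as well.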
The FileDownload snippet will still function by itself. If using a plugin to pass the downloads is not necessary, the snippet will just display the link to the file and not use any download processor. I recommend using the plugin though as it allows for many added features and security. The download counting only works if the plugin is used as well. So, follow the instructions below to get up and running with the new FileDownload snippet/plugin.
Note: Due to the number of changes in the snippet code I advise reviewing all of the documentation and the parameters as some of them have been changed.
Changes From Version 2.0
- Refactored to use Adam Strzelecki's (OnO) FileDownload plugin for more secure downloads. Get the plugin here: http://modxcms.com/FileDownloadPlugin-1191.html
- If the plugin is used the getFolder parameter is set by the template variable FileDownloadFolder and not the snippet call.
- No longer uses the download.php file as it created vulnerabilities in the MODx installation. Delete this file from your install.
- Snippet functions without download counting if you do not want to use the plugin.
- New parameter (&dateFormat) to format the date of the output. Use PHP's date formatting to customize it.
For more information on FileDownload including parameters, examples, and change log information go here:
FileDownload Snippet Development Area