I’m trying to create a secure download plugin.
I found the rest api the best option for this task, but i cant change headers like Content-Type:. In the register_rest_route callback these headers already set.
If i set Content-disposition: attachment, filename=asd.txt i get ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION in chrome.
I know rest is not meant to handle these tasks, but i couldn’t find any alternatives. If there is, pls tell me about it.
The data downloaded seems like it’s json encoded.
I’m sick of wordpress “magic”. These tasks would be so easy using plain PHP but wordpress just makes it complicated.
Please someone tell me how to disable these magic headers *** or recommend me a way for secured (php) downloads in my plugin.
(No, i don’t want to use third party plugins. I’ve tried many of them. None of them worked so far… 😀 These whole wordpress thing is a huge step backwards after symfony…)
Here is my experimental code:
add_action('rest_api_init', function() {
register_rest_route('secure-downloads/v1', '/download/(?P<filename>.*)',
array(
'methods' => 'GET',
'callback' => 'secure_downloads_handle_download'
));
});
function secure_downloads_handle_download(WP_REST_Request $request)
{
$filename = urldecode($request->offsetGet('filename'));
if(strpos($filename, '/..'))
{
return new WP_REST_Response('', 403);
}
$path = SECURE_DOWNLOADS_UPLOAD_DIR . $filename;
return new WP_REST_Response(file_get_contents($path), 200, array(
'Content-Type' => 'application/octet-stream',
'Content-Transfer-Encoding' => 'Binary',
'Content-disposition' => 'attachment, filename=\\' . $filename . '\\'
));
}
3 Answers
It should be enough to add the content disposition field.
But specifically it’s Content-Disposition not Content-disposition
I would also add some validation to your filename parameter thats being passed to file_get_contents to ensure it exists and it’s valid. Else you might be vulnerable to directory traversal attacks or remote URL requests