Private File Exotic Bugs and Workarounds
The kinds of file transfer headers needed by private files are absurdly difficult to get right, and in some cases at least the default Drupal setup won't cut it.
Some special cases:
- IE6 caching workaround is different for HTTPS and HTTP - it appears that pages use the right headers, not sure about private files
- Flash Player 10 will no longer load external Flash movies if they are set as attachment.
Our current projects don't have any use for private files so it would be hard for me to either patch core or create a contrib module for this purpose. However, I'm sure someone's going to run into this problem at some point (flash in particular), so here's a code snippet from our own CMS to get someone else started on a fix:
<?php
// $fileResult, $filename and $_SESSION["DISTRO"]["DATADIR"] come from the
// surrounding CMS code, which is not shown here.
if ($fileResult["CTFile_type"] != "text/html")
{
    header('Content-type: '.$fileResult["CTFile_type"]);
    // Images and XML are printed inline; everything else gets download headers.
    if (!stristr($fileResult["CTFile_type"], "image") && !stristr($fileResult["CTFile_type"], "/xml"))
    {
        /**
         * Changed for task 7799. Flash player 10 will no longer load external flash movies if they are set as attachment.
         * http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_chan...
         */
        if (substr($filename, -4) != ".swf" && !stristr($fileResult["CTFile_type"], "shockwave-f"))
        {
            header('Content-Disposition: attachment; filename="'.$filename.'"');
        }
        // !empty() avoids an undefined-index notice when the request is plain HTTP
        if (!empty($_SERVER["HTTP_SSL_CIPHER"]))
        {
            // avoids an IE bug involving caching non-web files over https
            header("Cache-Control: max-age=0");
            header("Pragma: public");
        }
        else
        {
            // this line avoids an IE bug in handling non-web files
            header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
        }
        readfile($_SESSION["DISTRO"]["DATADIR"].$fileResult["CTFile_diskname"]);
    }
    else
    {
        print file_get_contents($_SESSION["DISTRO"]["DATADIR"].$fileResult["CTFile_diskname"]);
    }
}
else
{
    // HTML files: set the response code to 200 and print the file as a page
    header("OK", true, 200);
    print file_get_contents($_SESSION["DISTRO"]["DATADIR"].$fileResult["CTFile_diskname"]);
}
?>
The above could use some cleanup, naturally, but it's the headers and conditions that are likely to be useful.
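The header decisions from the snippet above, pulled into a function that only returns the header lines, so each special case (HTTPS vs. HTTP, Flash vs. other downloads) can be inspected without sending a file. This is an added example, not part of the original post or of Drupal: `private_file_headers()`, `safe_download_name()` and the sample inputs are hypothetical, and the filename cleanup and case-insensitive `.swf` match go beyond what the snippet does.

```php
<?php
/** Hypothetical helper (added example): bare file name safe inside filename="...". */
function safe_download_name($filename)
{
    $name = basename(str_replace('\\', '/', $filename));   // drop path components
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $name); // control chars, quotes
    return $name === '' ? 'download' : $name;
}

/** Hypothetical helper (added example): header lines for one file, nothing is sent. */
function private_file_headers($mime, $filename, $isHttps)
{
    if ($mime === 'text/html') {
        return array();                      // HTML is served as a normal page
    }
    $headers = array('Content-Type: ' . $mime);
    if (stripos($mime, 'image') !== false || stripos($mime, '/xml') !== false) {
        return $headers;                     // images and XML are shown inline
    }
    // Flash Player 10 will not load a movie that is marked as an attachment.
    $isFlash = strtolower(substr($filename, -4)) === '.swf'
        || stripos($mime, 'shockwave-f') !== false;
    if (!$isFlash) {
        $headers[] = 'Content-Disposition: attachment; filename="'
            . safe_download_name($filename) . '"';
    }
    if ($isHttps) {                          // IE workaround for files over HTTPS
        $headers[] = 'Cache-Control: max-age=0';
        $headers[] = 'Pragma: public';
    } else {                                 // IE workaround for files over HTTP
        $headers[] = 'Cache-Control: must-revalidate, post-check=0, pre-check=0';
    }
    return $headers;
}

// Constructed sample inputs: (MIME type, download name, served over HTTPS?)
$samples = array(
    array('application/pdf', 'report "final".pdf', true),
    array('application/pdf', '../private/report.pdf', false),
    array('application/x-shockwave-flash', 'banner.swf', false),
    array('image/png', 'logo.png', true),
);
foreach ($samples as $s) {
    list($mime, $name, $https) = $s;
    echo $name, ' over ', $https ? 'https' : 'http', "\n";
    foreach (private_file_headers($mime, $name, $https) as $line) {
        echo '  ', $line, "\n";
    }
}
```

Each returned line can be passed to `header()` before the file is streamed with `readfile()`.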
