“secure” PPTX and WAV files in portal behaving incorrectly

July 05, 2018, at 02:40 AM

CONTEXT

I am building a portal that requires users to log in before viewing content. I've taken the following approach:

if logged in:

  • the user is presented with a list of links to the content (index.php)
  • the links are controlled by a simple jquery script (included in index.php) that uses the href to perform a GET request to the authorization page (auth.php)
  • the auth page performs additional checks, sets headers and mime type and handles the file request accordingly

Where possible, the goal is to display the file in the browser.

Also, direct access to the content (files) is restricted by a simple htaccess file (shown here for completeness, but is designed to handle the condition where user is NOT logged in).

THE PROBLEM

When a logged-in user clicks on a link in index.php I am getting various behaviors. I share these results so that you can see that the code "works" in most cases and it is the exceptions about which I need help. The site currently has seven different content types and their:

Table of outcomes
       CHROME                                FIREFOX
GROUP 1 - Non-Microsoft OK
pdf    in browser - OK                       in browser - OK
images in browser - OK                       in browser - OK
mp4    in browser - OK                       in browser - OK
GROUP 2 - Microsoft OK
xlsx   save as (explorer) - auth.xlsx        view/save pop up - OK
docx   save as (explorer) - auth.docx        view/save pop up - OK
GROUP 3 - NOT WORKING AS EXPECTED
wav    in browser - OK                       view/save pop up - auth
pptx   save as (explorer) - auth.pptx        view/save pop up - auth

As shown above, the application (i.e. code below) works fine for Groups 1 and 2 in Chrome and Firefox.

  • Group 1 - everything happens in the browser as expected.
  • Group 2 - Word and Excel files display the "view or save" dialog in Firefox and this dialog correctly shows the filename and default application. For Chrome, the "Save As" (Windows Explorer) box opens as expected (though it would be preferable if Chrome behaved as Firefox does). The default name to save is "auth" + the extension (e.g. xlsx or docx). This is not user friendly. I would prefer it be blank or the original file name.

However, .pptx and .wav files do not behave as expected in Firefox. When the popup appears for these files, the displayed name in both cases is auth.php (and not the actual name of the file as happens when Excel or Word files are selected). PowerPoint is, however, correctly shown as the default app in the popup for .pptx files and the default app for .wav files is shown as TWINUI. In both cases, clicking "OK" in the popup opens the file in the correct application.

CODE

INDEX.PHP

<script src='../vendor/components/jquery/jquery.min.js'></script>   
<script>
$( function() {
    $('.link').on('click',function(e) {     
        e.preventDefault();
        var doc = $(this).attr('href'); 
        document.location = '/docs/'+doc;
    });
});
</script>
<html>
<body>  
    <section>
        <h2>List of links...</h2>
        <br><a class="link" href="test.pdf">PDF document</a>
        <br><a class="link" href="test.jpg">image</a>
        <br><a class="link" href="test.pptx">powerpoint</a>
        <br><a class="link" href="test.mp4">mp4</a>
        <br><a class="link" href="test.docx">word document</a>
        <br><a class="link" href="test.xlsx">Excel file</a>
        <br><a class="link" href="test.wav">wave file</a>
    </section>
</body>
</html>

AUTH.PHP

<?php
//code to check if logged in
//code to check if authorized to view file
//code to set content type
    $c_type = '';
    switch ($ext) {
        case 'jpg':
        case 'jpeg':
        case 'jpe':
            $c_type = 'Content-Type: image/jpeg';
            break;
        case 'png':
            $c_type = 'Content-Type: image/png';
            break;
        case 'pdf':
            $c_type = 'Content-Type: application/pdf';
            break;
        case 'pptx':
            $c_type = 'Content-Type: application/vnd.openxmlformats-officedocument.presentationml.presentation';
            break;
        case 'xlsx':
            $c_type = 'Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet';
            break;
        case 'docx':
            $c_type = 'Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document';
            break;
        case 'mp4':
            $c_type = 'Content-Type: video/mp4';
            break;
        case 'wav':
            $c_type = 'Content-Type: audio/x-wav';
            break;
        default:
            echo '<br> content-type not recognized';
            exit();
            break;
    }

$pathtofile = '/path/to/document'; // placeholder: set to location of document
//code to set headers
    //set headers
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header($c_type);
    header('Content-Length: '.filesize($pathtofile));
    // header() replaces an earlier header of the same name by default,
    // so the cache directives are sent as one combined value
    header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
    header("Pragma: no-cache");
//readfile
    readfile($pathtofile);
    exit();
?>

.htaccess

Options -Indexes +FollowSymLinks -MultiViews
RewriteEngine on 
# If the requested filename ends in a prohibited direct access file extension...
RewriteCond %{REQUEST_FILENAME} .*\.(jpeg|jpg|png|pdf|pptx|ppt|mp4|doc|docx|xlsx|xls|wav) [NC]  
# Then grab the requested URL from the current directory on and stuff it in the $1 variable (first () pair maps to $1)
# Append the $1 variable as part of the query string when processing auth.php
RewriteRule (.*) http://[ROOT]/auth?doc=$1 [NC,L]

QUESTIONS

Is there a way that I can get the popup in Firefox to appropriately display the name of the file (instead of auth.php) for pptx and wav files?

Is there a way to get Chrome to view MS Office files (pptx, excel and docx) in browser by default (like you can do with gmail attachments) and use the native download, print, enlarge, UI (like gmail attachments)?

If there's no way to modify the way Chrome handles the opening of a Microsoft file, then is there a way I can change the default filename to save to something other than "auth"?
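
Added example, not part of the original post: one way auth.php could turn the `doc` query parameter from the .htaccess rule into a file path that cannot leave the document directory, and send a Content-Disposition header so the browser shows the real file name instead of the script name. DOC_ROOT and the function names resolve_doc, content_disposition and send_doc are assumptions made for this sketch.

```php
<?php
// Added example: helper names and DOC_ROOT are hypothetical, not from the original post.
const DOC_ROOT = '/var/www/protected_docs'; // assumption: directory holding the documents
const MIME_TYPES = [
    'pdf'  => 'application/pdf',
    'jpg'  => 'image/jpeg',
    'png'  => 'image/png',
    'mp4'  => 'video/mp4',
    'wav'  => 'audio/x-wav',
    'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
    'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];

// Map the ?doc= value to a real file under $root; null if missing or outside the root.
function resolve_doc(string $requested, string $root = DOC_ROOT): ?string {
    $base = realpath($root);
    $path = realpath($root . '/' . $requested);   // collapses ../ and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Header line that tells the browser the real file name instead of the script name.
function content_disposition(string $filename, string $type = 'inline'): string {
    // Quoted ASCII fallback with header-breaking characters replaced, plus RFC 5987 form.
    $fallback = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename);
    return sprintf("Content-Disposition: %s; filename=\"%s\"; filename*=UTF-8''%s", $type, $fallback, rawurlencode($filename));
}

function send_doc(string $requested): void {
    $path = resolve_doc($requested);
    $ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if ($path === null || !isset(MIME_TYPES[$ext])) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . MIME_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header(content_disposition(basename($path)));
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: no-store');
    readfile($path);
}

// Runs only after the login and per-file authorization checks have passed.
send_doc($_GET['doc'] ?? '');
```

Passing 'attachment' as the second argument to content_disposition() asks the browser to save the file rather than try to display it.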
