CODEWITHSUNDEEP
exceptioncoldfusioncoldfusion-9
Ofeargall
Ofeargall

Reputation: 5670

Catching errors on ColdFusion 9 forced download page

I'm creating an application for our office that allows authenticated users in the office to upload files for clients, creates a list of links to download the files and emails the client with the list of links.

When a user in the office logs in they're assigned a UUID in their session scope. That UUID becomes the directory name that the uploaded files are stored in.

Occasionally I'll need to clear out old files and delete the directories, but when that happens there's a chance a client may try to re-download a file from an old link.

In ColdFusion 9 how would I catch this and send them to an error page? I'm also hoping to use similar code to redirect a user once the download starts so they're not just sitting on a blank page during the download process.

Here's my force download page that takes a folder name variable and a filename variable to serve up the files.

<cfset folder = #URL.folder#>
<cfset FileDownload = #URL.file#>

<cfset exten = ListLast(FileDownload, ".")>

<cfswitch expression="#exten#">
<cfcase value="zip"><cfset content_type = "application/zip, application/x-zip, application/x-zip-compressed, application/octet-stream, application/x-compress, application/x-compressed, multipart/x-zip"></cfcase>
<cfcase value="ai"><cfset content_type = "application/illustrator"></cfcase>
<cfcase value="eps"><cfset content_type = "application/illustrator, application/octect-stream"></cfcase>
<cfcase value="pdf"><cfset content_type = "application/pdf, application/x-pdf, application/acrobat, applications/vnd.pdf, text/pdf, text/x-pdf"></cfcase>
<cfcase value="psd"><cfset content_type = "image/photoshop, image/x-photoshop, image/psd, application/photoshop"></cfcase>
<cfcase value="jpg"><cfset content_type = "image/jpeg"></cfcase>
<cfcase value="png"><cfset content_type = "image/png"></cfcase>
<cfcase value="tif"><cfset content_type = "image/tiff"></cfcase>
<cfdefaultcase><cfset content_type = "image/jpeg"></cfdefaultcase>
</cfswitch>

<cfset fileToGetSizeOf = expandPath("./#folder#/#FileDownload#") />


<cfoutput><cfheader name="content-disposition" value="attachment;filename=#FileDownload#"><cfheader name="content-length" value="#getFileInfo(fileToGetSizeOf ).size#" />
<cfcontent type="#content_type#" file="#ExpandPath("./#folder#")#/#FileDownload#" deletefile="#delete_file#"></cfoutput>

Upvotes: 1

Views: 371

Answers (4)

Abhisek Das
Abhisek Das

Reputation: 206

You can use FileExists(absolute_path) function to check for the existence of the downloaded file.

Upvotes: 0

Sergey Galashyn
Sergey Galashyn

Reputation: 6956

There are three goals you want to achieve here:

  1. Serve the files securely. Currently you are not protected from exploiting the system (or other user) files, for example like this (I've set passed values instead of URL keys):

    <cfset folder = "../../../some/other/path/" />
<cfset FileDownload = "some_other_file.pdf" />

  2. Show 404 page if file or directory does not exist any more.

  3. Show some nice page once download starts. Maybe I am missing something, but redirecting user after download started (=headers are sent) is pretty tricky.

Any way, there's pretty simple and reliable solution to all of these.

You should keep the list of the files in database, so each record may include:

  1. Unique ID.
  2. File owner ID.
  3. Directory name.
  4. File name.
  5. Description (optional, you can use filename).
  6. Content type (optional, you still can use approach with extension).
  7. Created date (optional, can be used for scheduled cleaning).
  8. Downloads counter (optional, if you want to limit downloads count).
  9. Status (optional, can be used to prevent filesystem checks for deleted files).

Note: 3-4 may be done as single column ('path/filename.ext') since paths are temporary any way.

So, when your application creates a list of links to download the files and emails the client with the list of links., it also records each file to the database. Each of these links now may look like this:

<a href="http://yourwebsite.tld/download.cfm?file=#ID#">#DESCRIPTION#</a>

When user clicks the link script performs following:

  1. Check if ID exists in DB. If not -- redirect to 404 page.
  2. Check if current user matches the owner ID. If not -- redirect to 404 page.
  3. Check file status, downloads counter (if needs to be limited). If not -- redirect to 404 page.
  4. Check actual file existence using stored directory and filename. If not -- redirect to 404 page.
  5. IF there's a start key in URL: increment the downloads counter, serve the file using cfcontent and content type.
  6. ELSE render the HTML of the page saying "Download will start momentarily, click this link if you don't want to wait" where link looks like download.cfm?file=#ID#&start=yes, plus you have meta http-equiv="refresh" with same URL.

Notes:

  1. Steps 1-4 may be wrapped in single try/catch block with custom errorCode, so you can have one place of redirect.
  2. Trick with step 5 here is that user will stay on the page when clicks the Download link, and wont see blank page. This is not exact solution for goal #3, but it would be hard to make something better without some trickery. Maybe I am wrong and someone could suggest better way here, it'd be cool. You can remove the "Click this link part" to make this page look "natural".

Upvotes: 3

emeier
emeier

Reputation: 111

You can use FileExists to check for the existence and make the decision based on that:

<cfif NOT FileExists(fileToGetSizeOf)>
  <!--- send a 404 --->
<cfelse>
  <!--- send the file --->
</cfif>

Upvotes: 0

Michael Schreiber
Michael Schreiber

Reputation: 11

If your site has a 404 page, you are already directing them to an error page. Or at least your web server is. If you don't have a site wide 404 page set up, make it a cfm page to give you some extra functionality (logging, alerting, etc)

Upvotes: 0

Related Questions