rodzzlessa's avatar

creating a download link

okay so I have this anchor tag:

<a href="{!! URL::route('download.task', $attributes = ['project' => $task->project->slug, 'task' => $task->slug, 'download' => $task->file_url]) !!}"><i class="icon-download-alt"> </i> Download File</a>

then I have this route:

$router->get('{project}/{task}/{download}', ['as' => 'download.task', 'uses' => 'Tasks\TaskController@getDownloadFile']);

here is the function:

public function getDownloadFile($project, $task, $download)
{
    $file = public_path(). "/media/file_uploads/$download";

    return response()->download($file, $download);
}

however when I click on that link it takes me to the actual link with this error:

The requested resource /project/task/file.jpg was not found on this server.

it never hits the method, it just goes straight to the URL

0 likes
1 reply
bashy's avatar

Firstly, that method is so exploitable, shouldn't just allow the $download var to be put in the include path directly without any validation. http://en.wikipedia.org/wiki/File_inclusion_vulnerability

Secondly, the route you have probably isn't picking that up. Do the 3 parts of the URI need to be dynamic? '{project}/{task}/{download}' will match /abc/abc/abc or 1/2/3, as long as there's 3 segments.

Thirdly, not sure if {download} will pick up abc.jpg, you may need to put {download}.{type} or something.
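
The validation the first point of this reply asks for, as an added example that is not part of the original thread or either poster's code: plain PHP that resolves the requested name and confirms it stays inside the upload directory before anything is served. The helper name `resolveDownload()` and the temporary sandbox files are hypothetical, constructed for the demonstration.

```php
<?php
// Added example: confine a user-supplied download name to one directory.
// resolveDownload() and the sample files below are hypothetical and constructed.

function resolveDownload(string $baseDir, string $requested): ?string
{
    // Accept a conservative filename alphabet only. This rejects path
    // separators, NUL bytes, "..", and names that start with a dot.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null; // missing directory, missing file, or not a regular file
    }

    // realpath() follows symlinks, so check that the final target still
    // sits under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

// Constructed sandbox: an uploads directory and one file outside of it.
$root = sys_get_temp_dir() . '/dl_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/file.jpg", 'image bytes');
file_put_contents("$root/secret.env", 'APP_KEY=constructed');

$samples = ['file.jpg', '../secret.env', '..', 'missing.jpg', "file.jpg\0.txt"];
foreach ($samples as $name) {
    $resolved = resolveDownload("$root/uploads", $name);
    printf("%-22s => %s\n", json_encode($name), $resolved === null ? 'rejected' : 'allowed');
}
```

In the controller from the question, the path returned by such a check would be what is passed to `response()->download()`, with a 404 returned when the result is `null`.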
