Downloading File from Outside Web Root

What you have there is production ready. However, there is room for some minor improvements, so I will point those out for you. Also see my notes below regarding X-Sendfile and X-Accel-Redirect.

Replace these lines:

ob_clean();
flush();

with the following:

while (@ob_end_clean());

The point is, if there is something already in the output buffer, you don’t want to flush it out, you only want to clean it. If you flush it, you’ll be prefixing your downloadable file contents with the output buffer contents, which would only serve to corrupt the downloadable file. See: http://php.net/manual/en/function.ob-end-clean.php

After this line:

$file = /path/to/file/above/root.zip;

Add the following to ensure GZIP compression at the server-level is turned off. This might not make a difference at your current web host, but move the site elsewhere and without these lines you could see the script break badly.

@ini_set('zlib.output_compression', 0);
if(function_exists('apache_setenv')) @apache_setenv('no-gzip', '1');
header('Content-Encoding: none');

Caution: Be wary of using this PHP-driven file download technique on larger files (e.g., over 20MB in size). Why? Two reasons:

  • PHP has an internal memory limit. If readfile() exceeds that limit when reading the file into memory and serving it out to a visitor, your script will fail.

  • In addition, PHP scripts also have a time limit. If a visitor on a very slow connection takes a long time to download a larger file, the script will timeout and the user will experience a failed download attempt, or receive a partial/corrupted file.

Caution: Also be aware that PHP-driven file downloads using the readfile() technique do not support resumable byte ranges. So pausing the download, or the download being interrupted in some way, doesn’t leave the user with an option to resume. They will need to start the download all over again. It is possible to support Range requests (resume) in PHP, but that is tedious.

In the long-term, my suggestion is that you start looking at a much more effective way of serving protected files, referred to as X-Sendfile in Apache, and X-Accel-Redirect in Nginx.

X-Sendfile and X-Accel-Redirect both work on the same underlying concept. Instead of asking a scripting language like PHP to pull a file into memory, simply tell the web server to do an internal redirect and serve the contents of an otherwise protected file. In short, you can do away with much of the above, and reduce the solution down to just header('X-Accel-Redirect: ...').

Related Posts:

  1. HTTP Security Headers in wp-config
  2. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  3. 404/500 error on content images if Referer header is from another domain [closed]
  4. WordPress – tracking options
  5. what is a auth_user_file.txt?
  6. How to view PHP on live site
  7. Is moving wp-config outside the web root really beneficial?
  8. Hide the fact a site is using WordPress?
  9. Verifying that I have fully removed a WordPress hack?
  10. Can I Prevent Enumeration of Usernames?
  11. Best way to eliminate xmlrpc.php?
  12. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  13. Should I remove install.php and install-helper.php?
  14. Are Nonces Useless?
  15. What is the difference between esc_html filter vs attribute_escape filter?
  16. How do I technically prove that WordPress is secure?
  17. Which KSES should be used and when?
  18. How do WordPress Nonces Work?
  19. How can I easily verify a core or plugin update has not broken anything?
  20. Disable comment windows for all existing posts (pages/blogposts)
  21. Generate WordPress salt
  22. Vanilla WordPress install, what can/should I put in disable_functions?
  23. Stop wordpress automatically escaping $_POST data
  24. Secure my “add_settings_field” translation?
  25. how can i embed wordpress backend in iframe
  26. Handling nonces for actions from guests to logged-in users
  27. WordPress Logout Only If User Click Logout or If User Delete Browser History
  28. Can I force a password change?
  29. How brute-forcer knows that the password is cracked for target username?
  30. wp_insert_post disable HTML filter
  31. What is pclzip.lib.php file that wordfence think it’s a malicious code
  32. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  33. How to disable XML-RPC from Linux command-line in a total way?
  34. How to remove javascript malware in wordpress site [closed]
  35. Completely remove the author url
  36. Securing my WordPress Files and Directories
  37. Restricting access to content
  38. About WordPress site security
  39. Relative security of different releases of WordPress
  40. Is there any point setting the keys and salts in wp-config.php?
  41. Where to store OAuth 2.0 client id and secret?
  42. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  43. Using HTACCESS for Secret Access
  44. Definitive wordpress directory ownership and permissions on linux
  45. Changing Table Prefixes – once done, am I good to go going forward?
  46. wordpress website host price and security [closed]
  47. Are there security risks in working directly in the themes folder that builds into a theme folder?
  48. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  49. Secure WordPress: Change admin
  50. Changing the default header name
  51. how much information can we hide when using wordpress cms?
  52. Is it safe to use a global wp nonce per user instead of a nonce per action?
  53. Wordfence detects change in wp-admin/includes/upgrade.php
  54. Basic password protection without using users and roles
  55. System setting changed by system user
  56. Does meta-data need to be sanitized?
  57. Will there be security updates for WordPress 4.9.9
  58. Any known bugs that could cause disappearance of the wp_users table?
  59. On new server, site got hacked, permissions a bit strange? Please help
  60. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  61. Restrict Access without Creating Users
  62. Switching between security plugins is a risk?
  63. How to obfuscate wp-config.php or code
  64. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  65. How to prevent to direct access of my custom plugin folder/files
  66. Checking for origin of a xmlrpc request
  67. RESTRICT EDIT of PHP files?
  68. wp-content – permissions for files/folders created by apache
  69. How can I restrict access to specific parts of a page, not just the page itself?
  70. User generated content and security
  71. Are major WordPress updates mandatory for security?
  72. i moved wp-config.php outside of public html and this broke my website
  73. Monitor wordpress all external calls
  74. Is it safe to use the basic administration with reduced rights for private member space
  75. Securing WordPress running on Azure platform
  76. Verifying that I have fully removed a WordPress hack?
  77. Spam Registrations
  78. How can I have more confidence that WP plugins aren’t getting and storing user data?
  79. Standard Method for Securing a WordPress Site
  80. wordpress security (only one part of the site)
  81. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  82. Any way to disable /wp-login.php redirecting to the site folder?
  83. Folder Permissions + Security Concerns
  84. Malware/Permission bug removal?
  85. Could a user account with a stolen password compromised entire WP site?
  86. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  87. Secure a WordPress website in 2019: one plugin or a combinations of them?
  88. What are the different types of firewall protections available for a WordPress website?
  89. Run a security scan on WordPress site that has .htaccess password [closed]
  90. Is this a WordPress security bug?
  91. Competitor is somehow accessing MetaData on a hidden WordPress site
  92. WordPress Hacks/Defacing [closed]
  93. Directory to store secure file
  94. How can I give someone server access to only duplicate and modify a site?
  95. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  96. How can I implement ansible with per-host passwords, securely?
  97. Why should I firewall servers?
  98. Does drilling a hole into a hard drive suffice to make its data unrecoverable?
  99. Can you alter the default wordpress strong password requirements?
  100. how to sanitizing $_POST with the correct way?