以正确的文件名安全地下载浏览器内的文件 [英] Securly download file inside browser with correct filename

问题描述

我正在一个网站上做一些工作，该网站的安全区域只有在用户登录后才可以使用。在这个区域中有一个页面可以下载到pdf文档的链接。物理文档位于网站的根目录之外。到pdf文档的链接看起来像这样：

I am doing some work on a web site that has a secure area which is available to users only after they have logged in. In this area there is a page with links to pdf documents which can be downloaded. The physical documents are outside of the web site's root directory. The links to the pdf documents look something like this:

index.php？page = secure-area / download& file = protected.pdf

index.php?page=secure-area/download&file=protected.pdf

其中执行以下操作（注意：我知道这是强制下载的方式，而不是在浏览器中打开 内的文件）：

Which executes the following (note: I know this is the way to force a download rather than open the file inside the browser):

// check security, get filename from request, prefix document download directory and check for file existance then...

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));
header('Connection: Close');
set_time_limit(0);
readfile($file);

这个功能很好，但在Firefox 3和Internet Explorer 7中（我没有使用任何其他浏览器进行测试）将不会在浏览器中打开此文件，它们都显示下载对话框（如预期）。如果我选择打开而不是保存，则文档被下载，Adobe Reader在浏览器外部启动，以呈现文档。

This works well but in Firefox 3 and Internet Explorer 7 (I haven't tested with any other browser) won't open this file inside the browser, they both show the download dialog box (as expected). If I select Open rather than Save, the document is downloaded and Adobe Reader is started outside of the browser to render the document.

我正在下载的问题浏览器中的文件，并保存正确的默认文件名。

我希望文档在浏览器中打开。一种方法是使用头Content-Disposition：inline;但这意味着我无法指定文件名（因为浏览器似乎被忽略）。这样做的问题是当我保存文档时，默认名称是URL的名称，而不是pdf文档的文件名：

I would like the document to open in the browser. One way of doing this is using the header "Content-Disposition: inline;" but this means that I can't specify a filename (because is seems to be ignored by the browser). The problem with doing that is when I save the document, the default name is that of the URL, not the filename of the pdf document:

http___example.com_index.php_page=secure_area_download&file=protected.pdf

如何获取Firefox和Internet Explorer在浏览器中打开文档并提供正确的默认文件名保存？

How can I get Firefox and Internet Explorer to open the document inside the browser and provide the correct default filename to save?

推荐答案

我终于来了解决这个问题的一个工作。

I've finally come up with a work around for this problem.

尽管RFC 2183显示文件名参数可以用于Content-Disposition头字段的附件和内联，但似乎当使用内联时，浏览器忽略文件名参数，而是尝试根据URL来确定文件名。如果URL没有查询字符串，那么最后一个URL似乎被用作文件名。

Although the RFC 2183 shows that a filename parameter can be used for both attachment and inline for the Content-Disposition header field, it seems that browsers ignore the filename parameter when inline is used but rather try to work out what the filename should be based on the URL. If the URL has no query string then the part of the URL that follows the last / seems to be used as the filename.

我已经更改了下载受保护的链接PDF文档使用不包含查询字符串的漂亮网址，并使用带有.htaccess文件的mod_rewrite来转换这些漂亮的网址，以使用正确的参数执行正确的脚本：

I have changed the links that download the protected PDF documents to use nice URLs that don't contain a query string and use mod_rewrite with a .htaccess file to convert those nice URLs to execute the correct script with the correct parameters:

旧链接

index.php?page=secure-area/download&file=document.pdf

新链接：

file/secure-area/download/document.pdf 

.htaccess：

.htaccess:

RewriteEngine On
RewriteRule ^file/secure-area/download/(.*)$ index.php?page=secure-area/download&file=$1 [L]

用于实际发送文件的脚本与我相同以前使用（注意问题中的示例使用Content-Disposition：附件，而不是Content-Dispositi on：内联来演示浏览器，当不是内联）时，保存文档具有正确的文件名。

The script used to actually send the file is the same as I used before (note the example in the question uses Content-Disposition: attachment rather then Content-Disposition: inline to demonstrate browsers saving the document with the correct filename when not inline).

// check security, get filename from request, prefix document download directory and check for file existance then...
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . basename($file) . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));
header('Connection: Close');
set_time_limit(0);
readfile($file);

现在PDF文档在浏览器中打开，保存时默认文件名为

Now the PDF document opens inside the browser and when saved the default filename is

document.pdf

而不是

http___example.com_index.php_page=secure_area_download&file=document.pdf

IE 7将文件名中的空格转换为+和单引号至保存时的％27（Firefox不），我想停止从发生，但与此同时，我对我的收获感到满意。

IE 7 converts spaces in the filename to +'s and single quotes to %27's when saved (Firefox doesn't), I would like to stop that from happening but for the meantime I'm happy with what I've got.

这篇关于以正确的文件名安全地下载浏览器内的文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！