Comments (5)

abiusx avatar abiusx commented on August 17, 2024

it shouldn't be
please fix and push


Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Mordad 22, 1392, at 4:38 AM, SvenRtbg [email protected] wrote:

Why "echof" near line 230?

echof(fread($f, $advanceBy)); //read the specified number of bytes.


from phpsec.

rash805115 avatar rash805115 commented on August 17, 2024

Doubt: The purpose of this function is to serve data in pieces to the browser. By using "echo" we were redirecting the data to the console. But how is this data going back to the browser in these pieces? What I am asking is, suppose the user asked me to read bytes 1000 to 5000. My bandwidth limit is to read 1000 bytes at once and the resumable flag is true. So, every time 1000 bytes are read, will that data be directly passed to the browser, or will the system wait till all the data has been collected and then send it to the browser?

But then what is the difference between the resumable flag being on or off? It just specifies how many bytes to read. How will the browser actually resume the download?

My guess to the second question is that the secret lies in how many bytes are read. If resumable is on, then fewer bytes will be read at a time and so if the user pauses the download, then the fseek will tell the last position till which data has been read. But with reading large bytes at a time, the problem is that if paused, you again have to read the whole data.

Regards,
Rahul Chaudhary
Ph - 412-519-9634

from phpsec.

abiusx avatar abiusx commented on August 17, 2024

you're wrong on this.

first, apache handles the output from php to the browser. you just need to flush it if you want it received.
second, resumable downloads are handled using HTTP_RANGE, i.e. the browser asks for bytes 1000 to 5000, and the server serves those bytes.
-A



from phpsec.

rash805115 avatar rash805115 commented on August 17, 2024

ummm... actually that's my doubt:

  1. We need to flush the o/p. So then using echo is wrong? What should we use?

  2. How does the server serve the file? I mean how does it do it internally. HTTP-Range specifies what bytes to read, I read the files, flushed the read bytes... and the server serves it. Just like that?


from phpsec.

abiusx avatar abiusx commented on August 17, 2024
  1. echo is fine. echof is also fine, but is usually intended for HTML output to be XSS-safe.
  2. yes. you just output them and die. apache will buffer and deliver to browser. if browser cancels, apache also sends exit signal to your php app.

from phpsec.
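
The mechanism discussed in this thread (the browser sends a Range header, the script seeks to the requested offset, reads in pieces, echoes each piece raw and flushes it) can be sketched as follows. This is an added example, not phpsec code and not written by any participant; `parseByteRange()` and `serveFile()` are hypothetical names, and the 1000-byte chunk mirrors the figure used in the discussion.

```php
<?php
// Added example; parseByteRange() and serveFile() are hypothetical names, not phpsec code.
// Returns [start, end] (inclusive) for one "bytes=a-b" range, null when there is
// no usable Range header (send the whole file), false when it cannot be satisfied.
function parseByteRange(?string $header, int $size)
{
    if ($header === null || !preg_match('/^bytes=(\d*)-(\d*)$/', trim($header), $m)
        || ($m[1] === '' && $m[2] === '')) {
        return null;                          // absent, malformed or multi-range
    }
    if ($m[1] === '') {                       // suffix form "bytes=-N": last N bytes
        $n = (int)$m[2];
        return ($n === 0 || $size === 0) ? false : [max(0, $size - $n), $size - 1];
    }
    $start = (int)$m[1];
    if ($m[2] !== '' && (int)$m[2] < $start) { return null; }  // invalid spec: ignored
    if ($start >= $size) { return false; }                     // starts past end of file
    return [$start, $m[2] === '' ? $size - 1 : min((int)$m[2], $size - 1)];
}

// $path is assumed to be a readable file picked by the server, never raw user input.
function serveFile(string $path, int $chunk = 1000): void
{
    $size = filesize($path);
    $range = parseByteRange($_SERVER['HTTP_RANGE'] ?? null, $size);
    if ($range === false) {
        http_response_code(416);              // Range Not Satisfiable
        header("Content-Range: bytes */$size");
        return;
    }
    [$start, $end] = $range ?? [0, $size - 1];
    if ($range !== null) {
        http_response_code(206);              // Partial Content
        header("Content-Range: bytes $start-$end/$size");
    }
    header('Content-Type: application/octet-stream');
    header('Accept-Ranges: bytes');
    header('Content-Length: ' . ($end - $start + 1));
    while (ob_get_level() > 0) { ob_end_flush(); }  // no PHP-level buffering in the way
    $f = fopen($path, 'rb');
    fseek($f, $start);
    $left = $end - $start + 1;
    while ($left > 0 && ($data = fread($f, min($chunk, $left))) !== false && $data !== '') {
        echo $data;                           // raw bytes, no HTML escaping
        flush();                              // hand this piece to the web server now
        $left -= strlen($data);
    }
    fclose($f);
}
```

The chunk size only controls how much is read and flushed per iteration; resuming works because the client's next request carries a new Range start, which the bounds checks validate against the file size before any seek.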
