
[RESOLVED] Protect Downloads

Posted: Sun Nov 24, 2013 3:10 pm
by jmanko
Is there any way to protect downloads from download unless a valid purchase has been made (i.e., a specially formatted URL that both verifies the download and provides a page to actually download the file)? Right now I can download a file if I know the name. What kind of joke is that? If not, then why would OpenCart include such a poorly implemented feature in their software?

Re: Protect Downloads

Posted: Mon Nov 25, 2013 2:29 am
by butte
You upload downloadable files THROUGH OC NOT VIA FTP into /download/ precisely because OC "hashes" the filespecs in order to prevent unauthorized downloading and to require that prepaid customers log in before downloading what they paid for. That is not a joke. If you were to upload pre-hashed files, then only you would have the foggiest idea what the filespecs are, but that would still not be a joke. The feature is not poorly implemented. It already provides for, and provides, "a specially formatted URL" by way of the hash "that both verifies the download and provides a page" consisting of the account itself for authorized downloading only by prepaid customers who are logged into their accounts.

Hackers are a risk but they will normally not be interested in your downloads. When they use /download/ they generally seek to inject code for mime attack. If you see ANY files named *jpg* or route?* or *.php.* get rid of those and ensure that your permissions are still 755 directories and 644 files. Be certain that your zero-byte (or a 44-byte) /download/index.html is in place, and that .htaccess in the root prohibits viewing directory content, so that the most they would be able to shop for is index.html and see preferably only white.
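
The checks listed in the post above can be run as a script. This is an added example, not part of the thread or of OpenCart; the function names are made up here, the permission check is narrowed to /download/, and it assumes an Apache host where directory listing is disabled with "Options -Indexes".

```shell
#!/bin/sh
# Added example (not OpenCart code): audit a store root for the checks in the post above.
# Assumption: directory listing is disabled with Apache's "Options -Indexes".

# Print one line per problem; print nothing when the tree is clean.
list_findings() {
    root=$1
    dl="$root/download"
    if [ ! -d "$dl" ]; then
        echo "missing directory: $dl"
        return 0
    fi

    # File names the post says to get rid of: *jpg*, route?*, *.php.*
    find "$dl" -type f \( -name '*jpg*' -o -name 'route?*' -o -name '*.php.*' \) \
        -exec printf 'suspicious name: %s\n' {} \;

    # Permissions should still be 755 on directories and 644 on files.
    find "$dl" -type d ! -perm 755 -exec printf 'directory is not 755: %s\n' {} \;
    find "$dl" -type f ! -perm 644 -exec printf 'file is not 644: %s\n' {} \;

    # /download/index.html must exist and be the zero-byte or 44-byte placeholder.
    idx="$dl/index.html"
    if [ ! -f "$idx" ]; then
        echo "missing placeholder: $idx"
    else
        size=$(( $(wc -c < "$idx") ))
        if [ "$size" -ne 0 ] && [ "$size" -ne 44 ]; then
            echo "unexpected index.html size ($size bytes): $idx"
        fi
    fi

    # The root .htaccess must exist (not left as htaccess.txt) and forbid listings.
    ht="$root/.htaccess"
    if [ ! -f "$ht" ]; then
        if [ -f "$root/htaccess.txt" ]; then
            echo "no .htaccess: htaccess.txt exists but was never renamed"
        else
            echo "no .htaccess in $root"
        fi
    elif ! grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht"; then
        echo ".htaccess does not contain Options -Indexes: $ht"
    fi
    return 0
}

# Number of problems found, for use in cron jobs or monitoring.
count_findings() { list_findings "$1" | awk 'END { print NR }'; }

if [ "$#" -gt 0 ]; then list_findings "$1"; fi
```

Run it with the store's root directory as the only argument; an empty result means every check passed.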

Re: Protect Downloads

Posted: Mon Nov 25, 2013 8:13 am
by MarketInSG
jmanko wrote: Is there any way to protect downloads from download unless a valid purchase has been made (i.e., a specially formatted URL that both verifies the download and provides a page to actually download the file)? Right now I can download a file if I know the name. What kind of joke is that? If not, then why would OpenCart include such a poorly implemented feature in their software?
Can someone so easily guess the uploaded file's name? Also, change your download directory and they won't find it either.

Re: Protect Downloads

Posted: Mon Dec 09, 2013 1:37 am
by jmanko
MarketInSG wrote: Can someone so easily guess the uploaded file's name? Also, change your download directory and they won't find it either.
I resolved this. Problem was a combination of .htaccess not there and misconfiguration on my part. Thanks for the input.

Re: Protect Downloads

Posted: Mon Dec 09, 2013 1:40 am
by jmanko
butte wrote: Be certain that your zero-byte (or a 44-byte) /download/index.html is in place, and that .htaccess in the root prohibits viewing directory content, so that the most they would be able to shop for is index.html and see preferably only white.
You were spot on with this suggestion, butte. Thank you. For some reason my .htaccess was renamed to htaccess.txt.