download URL is PLAIN text readable

  • Resolved André Appel

    (@aappel-1)


    9 years, 6 months ago

    Hey there!

    Plugin works as expected EXCEPT that after paying in the pop-up the browser gives me the PLAIN URL to the download, so anybody could copy it and share ….
    Where is the feature that is described in the plugin description? (Excerpt:

    “What this plugin does is creates a unique hexidecimal string at install. Then in combination with MD5 encrypts your digital products URL into a string capable of being decoded only by your website. This is medical grade encryption and makes obtaining the download URL nearly impossible.”

    Am I using it the wrong way or do I just have to switch to another plugin?
    Best regards,
    André

    https://www.ads-software.com/plugins/easy-paypal-digital-downloads/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Scott Paterson

    (@scottpaterson)

    Hi aappel,

    The URL is shown in the browser AFTER payment. Is that what you mean?

    Could you please link to your site so I can see it for myself.

    Thanks,
    Scott

    Thread Starter André Appel

    (@aappel-1)

    Yes, the URL is human readable afterwards. The script could just read the “linked” file and pass it to the client without ever revealing the REAL url of the file.. that would be secure. This way it is not!
    I have written code like that, basically you can use PHP fpassthru, as stated in the manual
    https://php.net/manual/en/function.fpassthru.php

    But I dont want to hack around in your plugin :

    The page is:
    https://addicted2photography.eu/hello-world/

    Plugin Author Scott Paterson

    (@scottpaterson)

    This is the way the plugin should work. It is not a feature to hide the URL after payment.

    The plugin cannot read the path directly because I designed it to be lightweight, which means it does not write extra stuff to the DB. The only place the file location is stored is in the page or post. The plugin converts that via a shortcode, and encrypts the URL so it cannot be seen in the source.

    The plugin can encrypt any URL. Therefore if you do not want the end user to see the URL, find another plugin which makes the filepath hidden or limits downloads. Then pass the URL that other plugin gives you to this plugin.

    Thanks,
    Scott

    Thread Starter André Appel

    (@aappel-1)

    Hey Scott,

    sorry to bother you again. I took a look at the code and without additional DB entries and stuff, I managed to add a download script which receives the encrypted “real url” + encrypted timestamp. It then passed through the content from the real URl without ever revealing it.

    If you want to check it out: https://addicted2photography.eu/hello-world/
    (SANDBOX MODE IS ENABLED)

    The time limit is 10 minutes (for testing purposes), afterwards the download link will give you a message that it has expired! So passing the download link along to friends is at least limited….

    Would be awesome to add this to you branch and make it configurable through the plugin settings in WP or something.

    PS: The download is just a debian8.iso image…

    Thread Starter André Appel

    (@aappel-1)

    If anybody needs the modification, poke me….

    Yes please @aappel

    Hello Andre, can you send it to me aswell. Thank you. Tested demo it looks nice

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘download URL is PLAIN text readable’ is closed to new replies.

Tags