Override json encoding in rest api
https://wordpress.stackexchange.com/questions/386882
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian题
I'm trying to create a secure download plugin.
I found the rest api the best option for this task, but i cant change headers like Content-Type:. In the register_rest_route callback these headers already set.
If i set Content-disposition: attachment, filename=asd.txt i get ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION in chrome.
I know rest is not meant to handle these tasks, but i couldn't find any alternatives. If there is, pls tell me about it.
The data downloaded seems like it's json encoded.
I'm sick of wordpress "magic". These tasks would be so easy using plain PHP but wordpress just makes it complicated.
Please someone tell me how to disable these magic headers *** or recommend me a way for secured (php) downloads in my plugin.
(No, i don't want to use third party plugins. I've tried many of them. None of them worked so far... :D These whole wordpress thing is a huge step backwards after symfony...)
Here is my experimental code:
add_action('rest_api_init', function() {
register_rest_route('secure-downloads/v1', '/download/(?P<filename>.*)',
array(
'methods' => 'GET',
'callback' => 'secure_downloads_handle_download'
));
});
function secure_downloads_handle_download(WP_REST_Request $request)
{
$filename = urldecode($request->offsetGet('filename'));
if(strpos($filename, '/..'))
{
return new WP_REST_Response('', 403);
}
$path = SECURE_DOWNLOADS_UPLOAD_DIR . $filename;
return new WP_REST_Response(file_get_contents($path), 200, array(
'Content-Type' => 'application/octet-stream',
'Content-Transfer-Encoding' => 'Binary',
'Content-disposition' => 'attachment, filename=\\' . $filename . '\\'
));
}
解决方案 2
Here is what i found out:
The ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION error was the bad composition of the Content-Disposition header. Here is the correct one:
array(
'Content-Disposition' => 'attachment; filename="' . $filename . '"'
)
Note the semicolon after attachment, the doublequotes around the filename and the capital D in disposition word as @Tom J Nowell pointed out.
This solved the headers problem but the WP_REST_Response still outputs the files like they were json encoded. So i went the conventional way:
header('Content-Disposition: attachment; filename="' . $filename . '"');
header('Content-Type: application/octet-stream');
readfile($path);
exit;
其他提示
It should be enough to add the content disposition field.
But specifically it's Content-Disposition not Content-disposition
I would also add some validation to your filename parameter thats being passed to file_get_contents to ensure it exists and it's valid. Else you might be vulnerable to directory traversal attacks or remote URL requests
There is a hook for exactly this situation that avoids prematurely stopping script execution, and maintains WP's handling of HEAD method requests. Put something similar to this in your REST response handler function:
$your_served = false;
$your_content = $something;
add_filter(
'rest_pre_serve_request',
function($served, $result, $request, $rest_server) use (&$your_served, &$your_content) {
if (!$served) {
if ($your_served) {
$served = $your_served;
}
else {
add_filter(
'rest_pre_echo_response',
function($result, $rest_server, $request) use (&$your_served, &$your_content) {
# serve $your_content here but do not return or exit, in this case readfile() would be optimal
$your_served = true;
return null; # explicitly prevent WP sending the normal JSON response
},
10, # change priority to suit
3
);
}
}
return $served;
},
10, # change priority to suit
4
);
$result = new WP_REST_Response();
$result->set_headers([
'Content-Type' => $your_content_type,
# you may include others such as 'Content-Length'
]);
return $result;
