I’ve been running this test on my website for days now and it still baffles me.
I have a zip file on my server. Within the zip file is a single text file that contains the phrase “this is a test”.
In my file api.php, I have the following code:
<?php
$originalFileName = "test.zip";
header("content-encoding: none");
header("Content-Type: application/zip");
header("Content-Disposition: attachment; filename=\"" . "test.zip" . "\"");
header("Content-Length: " . filesize($originalFileName));
readfile($originalFileName);
?>
When I visit the api.php file in Firefox, it prompts to download “test.zip” with a file size of 128 bytes.
When I click save, it creates the file on my desktop, but the file is 0 bytes in size and is empty.
If I visit the URL using the direct IP address, i.e. http://192.0.0.1/api.php, it downloads the zip file and it contains the text file as it's supposed to.
The domain is under Cloudflare with the caching disabled and developer mode on so it shouldn’t be that different.
I used Firefox’s dev tools to copy the responses from the domain request and the IP request.
Domain request - This makes the 0 byte empty zip file
HTTP/1.1 200 OK
Date: Sat, 01 Jun 2019 10:15:22 GMT
content-disposition: attachment; filename="test.zip"
Content-Length: 128
Content-Type: application/zip
content-encoding: none
Connection: keep-alive
X-Powered-By: PHP/7.2.16
Vary: User-Agent
Alt-Svc: h2=":443"; ma=60
CF-RAY: 4e006d0d4e615629-ORD
Server: Cloudflare

UEsDBBQAAAAAADEcwU7q5x4NDgAAAA4AAAAIAAAAdGVzdC50eHR0aGlzIGlzIGEgdGVzdFBLAQIUABQAAAAAADEcwU7q5x4NDgAAAA4AAAAIAAAAAAAAAAEAIAAAAAAAAAB0ZXN0LnR4dFBLBQYAAAAAAQABADYAAAA0AAAAAAA=
Direct IP request - This makes the 128 byte zip file
HTTP/1.1 200 OK
Date: Sat, 01 Jun 2019 10:15:57 GMT
content-disposition: attachment; filename="test.zip"
content-length: 128
Content-Type: application/zip
content-encoding: none
Connection: Upgrade, Keep-Alive
X-Powered-By: PHP/7.2.16
Upgrade: h2,h2c
Vary: User-Agent
Keep-Alive: timeout=5
Server: Apache

UEsDBBQAAAAAADEcwU7q5x4NDgAAAA4AAAAIAAAAdGVzdC50eHR0aGlzIGlzIGEgdGVzdFBLAQIUABQAAAAAADEcwU7q5x4NDgAAAA4AAAAIAAAAAAAAAAEAIAAAAAAAAAB0ZXN0LnR4dFBLBQYAAAAAAQABADYAAAA0AAAAAAA=
Both the response payloads are identical, besides a few tiny changes in the response headers, such as the letter casing and the Cloudflare headers.
I don’t see any reason why the zip file should be 0 bytes when trying to save the download prompt through the domain.
When I press Ctrl+J to view the download history, it looks fine for the direct IP download on the bottom and shows a weird message for the top domain one.
Additionally, I’ve tried to make my PHP script output the exact same headers as when I do the direct IP download.
However, it seems Cloudflare (even when disable mode is on) strips out the “Connection” header whenever I set it.
Does anyone have any suggestions on how to solve this?
Edit: Additional info, this issue only happens with zip files.
It works fine with text and 7z files.
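
The comparison described in the post, done mechanically (an added example, not part of the original post; the function names are hypothetical). It folds header-name case, sets aside the hop-by-hop headers an intermediary is expected to rewrite, flags Content-Encoding tokens outside a short list of common registered codings, and decodes the captured body to confirm it is a complete archive.

```python
import base64, io, zipfile

# Headers copied from the post's two captures (Date and identical headers omitted).
DOMAIN = """Content-Length: 128
content-encoding: none
Connection: keep-alive
Alt-Svc: h2=":443"; ma=60
CF-RAY: 4e006d0d4e615629-ORD
Server: Cloudflare"""
DIRECT = """content-length: 128
content-encoding: none
Connection: Upgrade, Keep-Alive
Upgrade: h2,h2c
Keep-Alive: timeout=5
Server: Apache"""
# Response body as shown (base64) in both captures.
BODY_B64 = "UEsDBBQAAAAAADEcwU7q5x4NDgAAAA4AAAAIAAAAdGVzdC50eHR0aGlzIGlzIGEgdGVzdFBLAQIUABQAAAAAADEcwU7q5x4NDgAAAA4AAAAIAAAAAAAAAAEAIAAAAAAAAAB0ZXN0LnR4dFBLBQYAAAAAAQABADYAAAA0AAAAAAA="

# Hop-by-hop headers (RFC 2616 section 13.5.1): a proxy consumes or rewrites
# these, so a difference here is expected and not a clue.
HOP_BY_HOP = {"connection", "keep-alive", "upgrade", "te", "trailers",
              "transfer-encoding", "proxy-authenticate", "proxy-authorization"}
# Common registered content codings (assumption: not the full IANA registry).
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "compress", "x-compress",
                 "br", "zstd", "identity"}

def parse(block):
    """Header names are case-insensitive, so lower-case them before comparing."""
    pairs = (line.partition(":") for line in block.splitlines())
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def compare(via_proxy, direct):
    """Return (end-to-end header differences, unrecognised content codings)."""
    a, b = parse(via_proxy), parse(direct)
    diff = {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}
    end_to_end = {k: v for k, v in diff.items() if k not in HOP_BY_HOP}
    codings = {c.strip().lower() for c in a.get("content-encoding", "").split(",")}
    return end_to_end, sorted(codings - KNOWN_CODINGS - {""})

def inspect_body(b64):
    """Decode the captured body; return its size, members and CRC status."""
    raw = base64.b64decode(b64)
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        members = [(i.filename, i.file_size) for i in zf.infolist()]
        return len(raw), members, zf.testzip() is None

if __name__ == "__main__":
    print(compare(DOMAIN, DIRECT))
    print(inspect_body(BODY_B64))
```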