masqutti

Thanks!

Yep it got solved. My host had an artificial limit on their shared hosting for PHP-calls to cut “infinite looking” scripts from running indefinetly. So the limit was set to 500MB.. They raised the limit higher so it’s better now, but it still cuts larger files and I’ll have to see if there’s anything to be done from my end to improve the situation..

– Toni

OK! Turns out there’s a way to do this securely!

First a HUGE WARNING to everyone who uses straight http://address in their product downloads! a Customer can see the original URL from example Google Chrome Console when the download starts, EVEN IF the orifinal URL is scrambled by woocommerce! It’s a light protection that can be overridden by anyone who knows a little how to use a browser debug tools(about every teenager these days).

If you still use this, couple of settings gives you some protection but won’t save your day:

– Use .htaccess with Options -Indexes -line that prevents your website’s folder browsing.

– in woocommerce you must use “Downloads Require Login”-setting to prevent Guest-links that will work for anyone too.

– propably a wise idea to limit the download amount to something other than infinite if something like group payment happens and lots of people download your product. but this isn’t that much about the security but a partial countermeasure to abuse..

My advice: don’t EVER USE http:// -address based download product files!

Correct solution for small php max upload size-servers:
Always use this. I tested and it works & gives you safe download files that cannot be breached through without heavy hacking (or at least not every kid can get your product for free…)

– Always use the woocommerce Add File Button. Always upload a new download product file through that to make sure the woocommerce folder protection applies to it. You can check it in you website’s file manager that the file uploaded into uploads/woocommerce/year/month -folder, and that the uploads/woocommerce -folder has .htaccess in it that has a line “deny from all”. This makes sure no-one will get your files without a bought product.

Here’s the interesting tip:
– If your download product file is too large for your server to handle via HPH (woocommerces add file-function), create a “fake file” that has the name of the product you wish it to have. The file extension HAS to match too, so for example it could be a dummy object named “mybook.pdf” or “productX.zip”. The dummy object should have something in it to prevent it being 0 size, it needs to have a couple of bytes for wordpress to accept it. But when it does accept a small file, the file will upload correctly to woocommerce as a download product.

– Now, just open your website’s filebrowser or FTP-software of your choice, connect, delete the dummy file, and upload the large (the real one) download product into the same exact folder where the dummy file was in.

– Voilá! You now have a large file, finished product, available for your customers to download, even if your server’s PHP upload max filesize would be under a megabyte!

There you have it, if it is denying all, you can’t access then. You would have to create some sort of ticket/session system and obfuscate the path with the header() function, I guess, so you could give out any name/path you wanted and still preserve the original path.

Would this be something woocommerce does? I mean, the woocommerce uploads to the same folders I uploaded the file (uploads/woocommerce/year etc), and still woocommerce can access the file it uploaded itself, but I can’t direct access it in any way. So this confuses me and there must be something woocommerce does for it’s own uploads to access them..

But I guess you’re right if there’s no “easy” solutions. It’ll delay the shop opening and a hassle to transfer the domain & setting up the whole shop elsewhere and I would’ve liked to avoid that.. 🙁

• This reply was modified 9 years, 5 months ago by masqutti.