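/**
 * Streams a file from a type-specific base directory to the client.
 *
 * Reads the 'filename' and 'type' request parameters. Only type 'backup' is
 * mapped to a base directory (Appliance::get_archive_base_dir()); any other
 * type returns without output. The requested name is resolved with realpath()
 * and is served only when the canonical result is a regular file located
 * inside the canonical base directory.
 *
 * @param sfWebRequest $request request carrying the 'filename' and 'type' parameters
 *
 * @return string sfView::NONE; a rejected request ends the script with die('Invalid Path')
 */
public function executeFile(sfWebRequest $request)
{
    $file = $request->getParameter('filename');
    $type = $request->getParameter('type');

    // Initialised up front so an unrecognised type reaches the empty-base-dir
    // exit below without reading an undefined variable.
    $base_dir = null;
    switch ($type) {
        case 'backup':
            $apl = new Appliance();
            $base_dir = $apl->get_archive_base_dir();
            break;
        default:
            break;
    }

    if (!$base_dir) {
        return sfView::NONE;
    }

    // The parameter is caller-controlled: it may be absent, empty or an array.
    if (!is_string($file) || $file === '') {
        die('Invalid Path');
    }

    // Canonicalise both sides. realpath() returns false for a path that does
    // not exist, and the base directory itself may be reached via a symlink.
    $root = realpath($base_dir);
    $path = realpath($base_dir . '/' . $file);
    if ($root === false || $path === false) {
        die('Invalid Path');
    }

    // Containment check. A truthiness test on strpos() is not usable here:
    // strpos() yields false when the base directory does not occur in the
    // path at all, which is indistinguishable from the "found at offset 0"
    // result. Require an explicit prefix match, including the trailing
    // separator so a sibling directory sharing the same name prefix is
    // rejected as well.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        die('Invalid Path');
    }

    // NOTE(review): prepareDownload() is not visible here and still receives
    // the caller-supplied name; confirm it treats that value as untrusted.
    $this->prepareDownload($file);
    readfile($path);

    return sfView::NONE;
}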