Although there is a check for legal characters and one has to know the filename in order to be able to download it.
But obviously, I have to work more on that issue and will be updating the file to include more security.
carmelo
]]>Sharing it in the public domain will help get rid of such vulnerabilities rather than live with "security thru obscurity".
]]>carmelo
]]>I created a file in fa/reporting called xlssend.php containing the following code:
<?php
$filename = htmlspecialchars($_GET['fn']);
$unique = htmlspecialchars($_GET['un']);
header("Content-type: application/vnd.ms-excel");
header("Content-Disposition: attachment; filename='$filename'" );
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
header("Pragma: public");
echo file_get_contents($unique);
?>Then I modified the file FA/reporting/prn_redirect.php as follows:
if (isset($_GET['xls']))
{
$filename = $_GET['filename'];
$unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);
$path = company_path(). '/pdf_files/';
// header("Content-type: application/vnd.ms-excel");
// header("Content-Disposition: attachment; filename='$filename'" );
// header("Expires: 0");
// header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
// header("Pragma: public");
// echo file_get_contents($path.$unique_name);
header("Location: xlssend.php?fn=$filename&un=$path$unique_name"); /* Redirect browser */
exit();
}
elseif (isset($_GET['xml']))That's it.
Hope this will be useful for others.
Carmelo
]]>@carmelr can post the code and location of file include here and/or in the wiki for anyone encountering this problem.
]]>Moving it out was the only way to get rid of them.
Carmelo
]]>I made a test here in my Environment and I got NO 4 spaces (0x20) in front of the file.
But if any other have the same problems as Carmelr, please Contact him.
/Joe
]]>I created another file that handles just the download of the excel file and passed the necessary parameters to it.
Now file downloads as it should and opens into Excel without a hitch.
I can share the code with anyone who is having similar problems.
Carmelo
]]>Replace the line with:
$abc = "Content-Disposition: attachment; filename='$filename'"; header($abc);
Same results 
I have done more tests as follows:
I inserted an echo 'Testing'; right after
If (isset(G_GET['xls']))
{
and tried again a report.
Now the file contains 4 spaces and Testing.
Then I added the following commands after the echo line and or before the first header line:
flush();
ob_clean();
ob_end_clean();
For all of the above, only the four spaces are prepended to the file.
I believe that somehow, these four spaces are being sent to the browser from a different part of the code and the flush or the ob_clean is not clearing these spaces from the buffers.
I come to this conclusion because the spaces were added even before the word 'Testing' sent before the filename was created.
]]>$abc = "Content-Disposition: attachment; filename='$filename'";
header($abc);
This is a browser encoding issue. Try to set the browser encoding to Western and then to Unicode and see the difference. Also what platforms and browsers have you tried? What about a browser in Linux? The major ones - IE 8, FF24+, Chrome (I haven't tesed it), etc should have their own quirks for encoding settings. Also see if there are any line endings that may be dos instead of unix style in the scripts.
Also try to upload a good xls file to the server and download it back to see if there are any differences.
Thanks apmuthu. I know that the file generated by FA on the Ubuntu server is good as when I downloaded it to my PC using Filezilla the file opened in Excel.
Also, when I created the few lines of php code in a separate file to download the file generated by FA through my browser, the file opened in Excel.
Then when I changed the code in FA to use the readfile function (like in the php file I created) the spaces appeared again.
For this reason I don't think that it is a browser problem or an encoding problem. I do think, though, that FA is setting something internally and is causing the 4 spaces to be prepended to the file.
Carmelo
]]>Replace line 36 in reporting/prn_redirect.php
header("Content-Disposition: attachment; filename=$filename" );with
header("Content-Disposition: attachment; filename='$filename'");Or try swapping the single and double quotes in the replacement as well.
]]>So I created the following file on the server:
<?php
header('Content-type: application/vnd.ms-excel');
header('Content-Disposition: attachment; filename="test.xls"');
readfile('pdf_files/test.xls');
?>called the file and it works. It sends the file and opens in Excel
So I changed prn_redirect.php to be like the above and the spaces where still being added at the beginning of the file.
This means that there is some setting within FA that is causing this.
I did a lot of research online trying to find what is causing this problem, but I cannot find a solution.
Any assistance would be greatly appreciated.
TIA
Carmelo