Downloading image from fancybox results in "download.txt" being sent to client and download fails with "forbidden"

SeToY

Well-known member
Hello there,

I think this has something to do with either my forum setup (on IIS) or the web.config that was rolled out since we started using XenForo 1.5 (and later upgraded to 2.2).

Every time I try to download an image from the fancybox, my browser prompts me to store a "download.txt" instead of the actual image. When actually trying to download the file, the download errors out with a "Failed - Forbidden".

Does anyone know where I might start the investigation?

Thanks!
 

Brogan

XenForo moderator
Staff member
Does your web.config look like this?

XML:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Imported Rule 1" stopProcessing="true">
                    <match url="^.*$" />
                    <conditions logicalGrouping="MatchAny">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" />
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" />
                    </conditions>
                    <action type="None" />
                </rule>
                <rule name="Imported Rule 2" stopProcessing="true">
                    <match url="^(data|js|styles|install)" />
                    <action type="None" />
                </rule>
                <rule name="Imported Rule 3" stopProcessing="true">
                    <match url="^.*$" />
                    <action type="Rewrite" url="index.php" />
                </rule>
            </rules>
        </rewrite>
        <httpErrors existingResponse="PassThrough" />
    </system.webServer>
</configuration>
 

SeToY

Well-known member
It contained those rules, but also others. I figured out what the issue was, thank you.

Apparently the download handler does not pass an "accept" header to the server, which I had disabled due to DDoS issues:
XML:
<rule name="Deny empty accept headers" stopProcessing="true">
    <match url=".*" />
    <conditions>
        <add input="{HTTP_ACCEPT}" pattern="^$" />
    </conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You did not present an Accept header which is required for this site." />
</rule>

After removing that rule, everything works as expected.

Do you think passing an accept header in one of the next XF versions would be a reasonable suggestion?
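
Added example, not part of the thread and not XenForo or IIS code: a simplified Python model of how the "Deny empty accept headers" rule quoted above treats a request, showing that a request with no Accept header at all is rejected the same way as one with an empty value. It assumes that a missing header resolves to an empty string (consistent with the behaviour reported in the thread) and handles only the attributes this rule uses; the request paths and header values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The rule from the post above, reproduced unchanged.
RULE_XML = """
<rule name="Deny empty accept headers" stopProcessing="true">
    <match url=".*" />
    <conditions>
        <add input="{HTTP_ACCEPT}" pattern="^$" />
    </conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You did not present an Accept header which is required for this site." />
</rule>
"""

def server_var(name, headers):
    # Assumption: {HTTP_X_Y} maps to request header X-Y; an absent header yields "".
    wanted = name[5:].replace("_", "-").lower() if name.startswith("HTTP_") else None
    return next((v for k, v in headers.items() if k.lower() == wanted), "")

def evaluate(rule_xml, path, headers):
    """Return the status code the rule would send, or None if it does not fire."""
    rule = ET.fromstring(rule_xml)
    if not re.search(rule.find("match").get("url"), path, re.I):
        return None
    conds = rule.find("conditions")
    results = []
    for add in (conds.findall("add") if conds is not None else []):
        value = re.sub(r"\{(\w+)\}", lambda m: server_var(m.group(1), headers), add.get("input"))
        flags = 0 if add.get("ignoreCase") == "false" else re.I
        hit = re.search(add.get("pattern"), value, flags) is not None
        results.append(hit != (add.get("negate") == "true"))
    any_mode = conds is not None and conds.get("logicalGrouping") == "MatchAny"
    fired = any(results) if any_mode else all(results)
    action = rule.find("action")
    if fired and action.get("type") == "CustomResponse":
        return int(action.get("statusCode"))
    return None

# Constructed requests; the path and header values are placeholders, not from the thread.
REQUESTS = [
    ("browser page load", "index.php", {"Accept": "text/html,*/*;q=0.8"}),
    ("download, no Accept header", "example-download", {"User-Agent": "constructed"}),
    ("download, empty Accept", "example-download", {"Accept": ""}),
]

if __name__ == "__main__":
    for label, path, headers in REQUESTS:
        print(f"{label}: {evaluate(RULE_XML, path, headers) or 'passes'}")
```

Replaying a sample of known-good client requests through a check like this before enabling such a rule shows which legitimate clients would receive the 403.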
 