Dropbox API Support & Feedback

BUG - Direct link to files created via /media API call return a corrupt URL!


De L.1
Collaborator | Level 9

I noticed that direct links generated via the /media API are currently returning a corrupt URL. Not all file formats seem to be affected, but I can reproduce the issue for PDF and Office files.
According to the documentation, the returned JSON should look like this:

{
    "url": "https://dl.dropboxusercontent.com/1/view/abcdefghijk/example",
    "expires": "Fri, 16 Sep 2011 01:01:25 +0000"
}

However, currently the following JSON is returned:

{
    "url": "https://api-content.dropbox.com/1/files/auto/abcdefghijk/example.pdf?signature=1.uJpbEgcWOjAIBQ..1435610003.qbYUOzANtu_33g6uv6dJy0JcV9tjp-oF8nQCci_h2Mg",
    "expires": "Fri, 16 Sep 2011 01:01:25 +0000"
}

The URL, however, is invalid and gives the following error:

{"error": "Signature did not match. STRING_TO_SIGN was u'1\\nuJpbEgcWOjAIBQ\\n\\n1435610160\\napi-content.dropbox.com\\nGET\\n/1/files/auto/abcdefghijk/example.pdf'"}

Has something changed in the API or is it a (quite severe) bug? If the /media call has changed, where can I find more information about this?


Rich
Super User II

Moved to API forum.

Greg-DB
Dropbox Staff

Thanks for the report. We're looking into it.

Greg-DB
Dropbox Staff

We've disabled this change for the time being. To help us investigate, can you copy an actual sample of where/how you tried to access the returned URL? Can you check if an extra ' or %27 was added at the end? (I encountered the same issue where my terminal included the ' from the end of the quoted string in the JSON when opening the URL in my browser, for example.)

De L.1
Collaborator | Level 9

Thanks for your quick reply! Unfortunately I don't have the actual JSON response anymore; the only link I could still find is the following:

https://api-content.dropbox.com/1/files/auto/Test%20Out-of-the-Box/%C3%89tonne%C3%AEz.docx?signature... (which just works now...)

Which I received by calling createTemporaryDirectLink($file) in Client.php (PHP SDK 1.1.5). There seems to be no extra ' or %27 in the URL.
I am not sure if this is the information you are looking for; if not, just let me know.

Greg-DB
Dropbox Staff

Thanks! It sounds pretty likely you ran into the same (or a similar) issue then, since the link you have works.

How exactly were you testing it though? E.g., were you manually copying and pasting it into your browser or something, or did you click it from your terminal?

De L.1
Collaborator | Level 9

My app just does the API call and redirects the user to the URL from the JSON response. Nothing fancy actually...

However, I also noticed that it isn't possible to use the ?raw=1 or ?dl=1 (render a file or force a Save as) parameter in those new URLs via the old /media URLs. Is that true?

Greg-DB
Dropbox Staff

For the most part, the dl and raw parameters aren't meant for the /view links to begin with, since the /view links already return the content directly. Those parameters are really meant for www.dropbox.com/s/ which go to a preview page by default. I think the only difference is the Content-Disposition header, which isn't currently configurable with the new format. Is that behavior relevant in your app?

Ok, since the change we've enabled/disabled didn't affect the returned links themselves, just whether or not you get the new format, and since your link itself does work, it sounds like it was just something like what I described. That being the case, we're re-enabling this for your account. Please give it another try and let me know if you can reproduce it and how you do so. Thanks in advance!

De L.1
Collaborator | Level 9

Thanks for your answer. It's a little bit late here, so I think I mixed things up... The issue was indeed caused by the addition of ?raw=1 to the new URL...

However, I am still having issues. The following link doesn't do anything for me in Chrome(43) and IE(11):

https://api-content.dropbox.com/1/files/auto/Test%20Out-of-the-Box/Getting%20Started.pdf?signature=1.uJpbEgcWOjAIBQ..1435625123.JlvQfjBKXW-mc41a4Xfp9pGYfOwqptbQtPjQB-jvayA

If I look into the Chrome Console, I get the following errors:

1) [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "default-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-1kQs8h_ra9YlH-s6eZbKdSD_cn6Ljcz2Rv60pJnk_eY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
2) Error in event handler for runtime.onMessage: SecurityError: Failed to read the 'cookie' property from 'Document': The document is sandboxed and lacks the 'allow-same-origin' flag.

Besides that, it indeed creates an issue for me. My app wants to download (for example) files via a Save As dialog directly via a short-lived URL. Until now, I called /media to receive a temporary link to the file in the form of

https://dl.dropboxusercontent.com/1/view/e9bvl1qlepzw8vd/Example%20Out-of-the-Box/__TESTFILE__.txt

I could change that into

https://www.dropbox.com/s/e9bvl1qlepzw8vd/Example%20Out-of-the-Box/__TESTFILE__.txt?dl=1

to force a save as dialog.

However, with the new URL that isn't possible anymore. It is possible that I used the API in the wrong way in the past, but how should I do it properly?

Greg-DB
Dropbox Staff

Thanks! Just adding ?raw=1 would do the same thing in the new format, since it already has parameters added with a ?. You should instead parse the URL in order to add a parameter.

Anyway, thanks for the new details. We're disabling this for you now and will investigate potential solutions.

Also, the links from /media weren't really meant for use in the browser. If you want /s links anyway though, you can use /shares instead, and those links respect the raw and dl parameters. Those aren't short-lived though. It sounds like what you ideally want is a way for the user of a web app to be able to download a file from the Dropbox account directly in their browser, without having to pass the data through the app's server. That's not really something the API currently solves well, but we'll consider that a request.
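
The parse-then-append approach suggested in the reply above, as an added example that is not part of the original thread or of the Dropbox SDK: it contrasts blind `?raw=1` concatenation with rebuilding the query string of a signed link. The signature value is a constructed placeholder and the helper names are hypothetical; whether the endpoint honours the extra parameter is not established by the thread.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample in the shape of the signed links quoted in the thread;
# the signature value is a placeholder, not a real one.
SIGNED = ("https://api-content.dropbox.com/1/files/auto/abcdefghijk/example.pdf"
          "?signature=1.SAMPLEKEY..1435610003.SAMPLE_sig-value")


def naive_append(url, name, value):
    """Blind concatenation: only correct when the URL has no query string yet."""
    return f"{url}?{name}={value}"


def add_query_param(url, name, value):
    """Parse the URL, add or replace one parameter, and rebuild it."""
    parts = urlsplit(url)
    # Keep every existing pair (including the signature), dropping any old
    # copy of the parameter being set so repeated calls stay idempotent.
    pairs = [(k, v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != name]
    pairs.append((name, value))
    # Scheme, host, path and fragment are left untouched, so the
    # percent-encoded path is not re-encoded.
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def query_value(url, name):
    """Return one query parameter the way a server-side parser would see it."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return dict(pairs).get(name)


if __name__ == "__main__":
    broken = naive_append(SIGNED, "raw", "1")
    fixed = add_query_param(SIGNED, "raw", "1")
    # The second "?" is swallowed into the signature value, so the server
    # receives a signature it never issued and no "raw" parameter at all.
    print("naive signature:", query_value(broken, "signature"))
    print("naive raw      :", query_value(broken, "raw"))
    # Parsed version: signature unchanged, "raw" is its own parameter.
    print("fixed signature:", query_value(fixed, "signature"))
    print("fixed raw      :", query_value(fixed, "raw"))
```
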
