htaccess file to restrict files being opened
davidhopkins
- Forum Commoner
- Posts: 41
- Joined: Thu Jun 10, 2010 7:52 am
htaccess file to restrict files being opened
Hello all.
I am having trouble getting my head around .htaccess files and restricting certain actions. Basically I have created a website for a friend, where users are allowed to upload their CVs. The problem is that currently anyone is able to view these CVs by guessing what one is called and typing http://www.thewebsite.com/upload/cv.doc into their address bar.
I've been reading about .htaccess files and am sure I should be able to restrict this somehow, but am unsure how.
Basically I need a way to stop people accessing any files in the /upload folder unless they have clicked a link on the http://www.thewebsite.com website.
So, if you try to access a CV by typing the URL directly into the address bar you should be restricted, but if you log into the website and click on a normal HTML link that is displayed on the website you should be granted permission to view it.
Is this possible at all?
Many thanks
David!
Re: htaccess file to restrict files being opened
One way to achieve the desired result is to store the uploaded documents outside the part of the filesystem which is accessible through the web server. Then, for logged-in users to access documents, create a script which verifies that the user is logged in before returning the desired document. Use URL arguments to identify which document the user wants to access, e.g. /view?doc=100. Use something like PHP's readfile() to return the selected document.
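The pass-through script described above, written out as an added example (this is not the reply author's or the original poster's code). It assumes that login already stores 'user_id' (and optionally 'is_admin') in the session, that the upload handler records each file under a numeric id with a random on-disk name, and that UPLOAD_DIR sits outside DocumentRoot; the DOCS array is a constructed stand-in for that database table. Beyond the "is the user logged in" check in the reply, it also checks that the user is allowed to see that particular CV and that the resolved path cannot leave the upload directory.

```php
<?php
// view.php: hands a stored CV to a logged-in, authorized user.
// Added example, not the thread's own code. Assumptions: login already put
// 'user_id' (and optionally 'is_admin') in the session; the upload handler
// recorded each file under a numeric id with a random on-disk name.
// DOCS below is a constructed stand-in for that table.
declare(strict_types=1);

const UPLOAD_DIR = '/home/testuser/uploads';   // assumed path, outside DocumentRoot

const DOCS = [
    100 => ['owner' => 7, 'stored' => 'a3f9c2e1.doc', 'orig' => 'cv.doc', 'mime' => 'application/msword'],
    101 => ['owner' => 9, 'stored' => '5b7d0e44.pdf', 'orig' => 'cv.pdf', 'mime' => 'application/pdf'],
];

// Who may read document $id: its owner, or an admin. Kept separate from the
// sending step so the policy can be exercised without a web server.
function authorize(int $id, ?int $user, bool $is_admin = false): ?array {
    if ($user === null || !isset(DOCS[$id])) {
        return null;                    // not logged in, or no such document
    }
    $doc = DOCS[$id];
    if ($doc['owner'] !== $user && !$is_admin) {
        return null;                    // logged in, but somebody else's CV
    }
    return $doc;
}

// Resolve the on-disk path and refuse anything outside UPLOAD_DIR, so even a
// tampered 'stored' value cannot reach another user's file or /etc/passwd.
function safe_path(string $stored): ?string {
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $stored);
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// The browser-facing filename came from the uploader; keep it to safe characters
// so it cannot break out of the quoted Content-Disposition value.
function download_name(string $orig): string {
    return preg_replace('/[^A-Za-z0-9._-]/', '_', basename($orig));
}

function send_document(array $doc, string $path): void {
    header('Content-Type: ' . $doc['mime']);
    header('X-Content-Type-Options: nosniff');        // stop the browser second-guessing the type
    header('Content-Disposition: attachment; filename="' . download_name($doc['orig']) . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');        // a CV must not sit in a shared cache
    readfile($path);
}

if (PHP_SAPI !== 'cli') {                              // request handling, e.g. /view.php?doc=100
    session_start();
    $id   = filter_input(INPUT_GET, 'doc', FILTER_VALIDATE_INT);
    $user = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
    $doc  = is_int($id) ? authorize($id, $user, !empty($_SESSION['is_admin'])) : null;
    $path = $doc !== null ? safe_path($doc['stored']) : null;
    if ($doc === null || $path === null) {
        http_response_code(404);        // same answer whether the doc is missing or not yours
        exit('Not found');
    }
    send_document($doc, $path);
}
```

The only thing the URL carries is the numeric id; the stored filename, the directory and the Referer never enter the decision. Pair this with an upload handler that generates the on-disk name itself (random bytes plus the checked extension) rather than keeping whatever name the browser sent.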
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: htaccess file to restrict files being opened
Try to place uploaded files outside the webroot for safety. If I'm not wrong you want to restrict access from users who directly type in the address bar, right?
Okay, when a user clicks on any link on a page, $_SERVER['HTTP_REFERER'] (in PHP) stores what page the request came from. And when a user directly types into the address bar this $_SERVER['HTTP_REFERER'] is empty. So you can redirect the user if this value is empty. This can be done easily with .htaccess.
Code:
RewriteEngine on
# Options +FollowSymlinks   (uncomment if your host needs it for mod_rewrite)
# Match requests that arrive with no Referer header at all
RewriteCond %{HTTP_REFERER} ^$
# Answer 404. With a non-3xx code in R=, Apache drops the substitution and
# stops rewriting, so "-" stands in for the target URL.
RewriteRule ^ - [R=404,NC,L]
Put this .htaccess file in your "upload" folder only.
I used the same logic once.
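An added configuration example, not from the thread: if the uploads cannot be moved outside the document root (shared hosting, say), the .htaccess in /upload can stop Apache serving the directory at all instead of consulting the Referer. PHP's readfile() reads through the filesystem, not through Apache, so a pass-through script elsewhere still works. The weak rule is shown commented out beside the deny rule for comparison; the directory path and vhost placement are assumptions.

```apache
# /upload/.htaccess
# Needs "AllowOverride AuthConfig Limit" (or put the block in the vhost as
# <Directory "/path/to/upload"> ... </Directory> and skip AllowOverride entirely).

# Weak: keyed on a client-supplied header. An empty or spoofed Referer defeats it
# either way, e.g.  curl -e "http://www.thewebsite.com/" http://www.thewebsite.com/upload/cv.doc
# RewriteEngine on
# RewriteCond %{HTTP_REFERER} ^$
# RewriteRule ^ - [R=404,L]

# Stronger: nothing under /upload is served by Apache, whatever the request looks like.
# Apache 2.4:
Require all denied
# Apache 2.2 (current when this thread was written):
# Order deny,allow
# Deny from all
```

A side benefit of denying the directory outright: if someone manages to upload a .php file instead of a CV, Apache will not execute it either, because access control is applied before any handler runs.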
Re: htaccess file to restrict files being opened
phazorRise wrote: when a user clicks on any link on a page, $_SERVER['HTTP_REFERER'] (in PHP) stores what page the request came from. And when a user directly types into the address bar this $_SERVER['HTTP_REFERER'] is empty.
While generally this is correct, from a programming standpoint, when you are using that value to check things it is important to realize that what is set in $_SERVER['HTTP_REFERER'] is completely up to the VISITOR of your page. This value is set by the browser they are using. It can either be removed (by the browser, or by anti-virus settings; Norton AV used to block it by default) or ALTERED by plugins, i.e. I have a plugin that, even if I directly type in a URL, will set the referrer to be the home page for the domain.
So this value qualifies as one of those that, from a security standpoint, should never be automatically trusted to be valid for what you are expecting (kinda like handling cookie/GET/POST values).
Agreed though that the way would be to put the files in a directory outside the webroot and then use some sort of pass-through script to feed it to them. Be sure to test this on multiple browsers for different file types to make sure the browsers handle them as expected (headers can get fun: works on one browser, but not on another).
-Greg
davidhopkins
- Forum Commoner
- Posts: 41
- Joined: Thu Jun 10, 2010 7:52 am
Re: htaccess file to restrict files being opened
Thanks for your replies all.
I have been trying to follow the method of having the files stored in a directory that is not accessible to the public and then using PHP to read the file if they have permission.
So far I have been trying the reading-the-file part of the process and have a slight problem.
Using the following code all I can manage to do is print the file to the screen. What I really want is to allow the user to download the file or open the actual file, such as the image below shows.
The code I am using is
Code:
<?php
// Reads the file line by line and echoes each line into the page, which is
// why the document shows up as text instead of being offered as a download.
$file_handle = fopen("/noaccess/testfile.txt", "r");
if ($file_handle === false) {
    die("Could not open file.");
}
while (!feof($file_handle)) {
    $line_of_text = fgets($file_handle);
    print $line_of_text . "<BR>";
}
fclose($file_handle);
?>
Thanks again
David
Re: htaccess file to restrict files being opened
Try the following code. You will need to put in your own logic to get the actual filename, but the $file_path should be hard coded in.
Code:
<?php
// downloader.php: streams a file stored outside the web root with download headers.
$file_name = 'whatever.doc';            // replace with your own lookup; never take this raw from the URL
$file_path = '/home/testuser/uploads/'; // hard-coded directory outside DocumentRoot

$file_extension = strtolower(substr(strrchr($file_name, "."), 1));
switch ($file_extension) {
    case "pdf":  $ctype = "application/pdf"; break;
    case "exe":  $ctype = "application/octet-stream"; break;
    case "zip":  $ctype = "application/zip"; break;
    case "doc":  $ctype = "application/msword"; break;
    case "xls":  $ctype = "application/vnd.ms-excel"; break;
    case "ppt":  $ctype = "application/vnd.ms-powerpoint"; break;
    case "gif":  $ctype = "image/gif"; break;
    case "png":  $ctype = "image/png"; break;
    case "jpe":
    case "jpeg":
    case "jpg":  $ctype = "image/jpeg"; break;        // registered type is image/jpeg, not image/jpg
    default:     $ctype = "application/octet-stream"; // standard "just download it" type
}

$full = $file_path . basename($file_name);   // basename() strips any directory part, including ../
if (!is_file($full)) {
    header("HTTP/1.0 404 Not Found");        // decide before any other header goes out
    exit("File not found.");
}

header("Last-Modified: " . gmdate("D, d M Y H:i:s", filemtime($full)) . " GMT");
header("Content-Type: $ctype");
header("X-Content-Type-Options: nosniff");   // browsers must not re-guess the type from content
header("Content-Disposition: attachment; filename=\"" . basename($file_name) . "\"");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($full));
readfile($full);                             // no "or die": an error message after the headers would be appended to the file
exit;
// END-OF-FILE: downloader.php
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: htaccess file to restrict files being opened
Greg wrote: This can either be removed (by browser, or by Anti-virus settings, Norton AV used to block it by default, or ALTERED by plugins.
Why do they do it anyway?
Then what is your answer to this thread?
Re: htaccess file to restrict files being opened
1. Force them to have a user account and log into your site before accessing the file.
2. Depend on NOTHING from the user (no cookies, referrers, etc.). Pass the above script a key that identifies the visit. Take things like the timestamp and their IP (I would go only the first two or three parts, not all four, in case they are coming from a proxy that may have different IPs) and turn it into a string that can be undone by the above script to make sure the current request is valid (i.e. within 30 minutes of the timestamp embedded in the link, and that their IP is in the same range) before feeding the file. There are many ways to hide it, but you should do it so that someone just looking at the URL doesn't recognize it (ex. download.php?file=whatever.doc&timestamp=12312323&ip=123.344.432, pretty darn obvious). In general, I would convert the TS and IP sections over to hex (dechex()) and then shuffle that string around based upon certain things that are set (i.e. IP address), and then, off another set item, add random characters to the string in a way that can be reversed. Not 100% unhackable, but plenty enough that the regular person looking to directly link is probably not going to find it worth their time to figure it out.
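An added example, not Greg's code: the expiring, IP-bound link from point 2 done with a keyed hash instead of hex shuffling, so a visitor cannot mint a valid link however closely they study one. It keeps the post's 30-minute window and first-three-octets binding, and swaps the obfuscation for an HMAC over (doc id, expiry, client prefix). SECRET, the parameter names doc/exp/sig, and LINK_TTL are assumptions; the CLI walk-through at the bottom uses constructed addresses and a fixed clock.

```php
<?php
// Expiring download links signed with an HMAC. Added example, not the thread's code.
// Assumed: SECRET is a random server-side key from config and is never sent to the client;
// links look like download.php?doc=100&exp=<unix time>&sig=<hex hmac>.
declare(strict_types=1);

const SECRET   = 'replace-with-32-random-bytes-from-random_bytes()'; // assumed, stays server-side
const LINK_TTL = 30 * 60;   // 30 minutes, as in the post

// First three octets, per the post's proxy advice (IPv4 only, like the post).
function ip_prefix(string $ip): string {
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

// The signature covers everything the server will act on; change any field
// and the HMAC no longer matches. Without SECRET nobody can compute it.
function sign(int $doc, int $exp, string $ip): string {
    return hash_hmac('sha256', $doc . '|' . $exp . '|' . ip_prefix($ip), SECRET);
}

// Mint a link for a logged-in user (point 1 still applies before calling this).
function make_link(int $doc, string $ip, int $now): string {
    $exp = $now + LINK_TTL;
    return sprintf('download.php?doc=%d&exp=%d&sig=%s', $doc, $exp, sign($doc, $exp, $ip));
}

// Returns the doc id if the link is genuine and still valid, otherwise null.
function verify_link(array $query, string $ip, int $now): ?int {
    $doc = filter_var($query['doc'] ?? null, FILTER_VALIDATE_INT);
    $exp = filter_var($query['exp'] ?? null, FILTER_VALIDATE_INT);
    $sig = $query['sig'] ?? null;
    if ($doc === false || $exp === false || !is_string($sig)) {
        return null;                                   // malformed
    }
    if ($now > $exp) {
        return null;                                   // past the 30-minute window
    }
    // hash_equals runs in constant time; a plain == would leak the correct bytes one at a time.
    if (!hash_equals(sign($doc, $exp, $ip), $sig)) {
        return null;                                   // forged, tampered, or wrong network
    }
    return $doc;
}

if (PHP_SAPI === 'cli') {
    // Constructed walk-through with a fixed clock and documentation-range addresses.
    $t = 1700000000;
    $link = make_link(100, '203.0.113.5', $t);
    parse_str(substr($link, strlen('download.php?')), $q);
    var_dump(verify_link($q, '203.0.113.77', $t + 60));            // same /24, inside the window
    var_dump(verify_link($q, '198.51.100.5', $t + 60));            // different network
    var_dump(verify_link($q, '203.0.113.77', $t + LINK_TTL + 1));  // after expiry
    $q['doc'] = '101';                                              // tamper with the id in the URL
    var_dump(verify_link($q, '203.0.113.77', $t + 60));
}
```

In the real request handler, $ip is $_SERVER['REMOTE_ADDR'] and $query is $_GET, and the verified id is then handed to the pass-through script that checks the user's session and streams the file. The /24 binding is carried over from the post and still breaks for users whose proxy hops between networks, so the expiry and the session check are the controls to rely on; the HMAC only guarantees that the link was issued by the server.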