Forbidding access to a directory.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's safe from direct access via HTTP requests. That doesn't mean they are completely safe, however. Your scripts provide access, therefore they need to be secured; your other scripts need a security audit too, to determine if they accidentally give access to the files. The last hurdle is server-level access. On some shared hosts, scripts are able to access the files of other users.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Wait! I can't access it nor anyone else including my server!

How can I allow my own domain to access the files?! I need the directory and all its content/media secure, but I still would like the capability to view the media via my web player, only.

Does that make sense?
Last edited by JellyFish on Fri Jun 29, 2007 9:04 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Unless you're using remote requests in PHP, it still has access to the files as it is ignored by Apache.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

feyd wrote:Unless you're using remote requests in PHP, it still has access to the files as it is ignored by Apache.
I don't understand. What are remote requests in PHP?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Example:

Code:

file_get_contents('http://localhost/somepath/somefile.ext');
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

What I'm trying to do is restrict all access to videos in a directory. But I still would like my flash player on my domain to access them. How can I do this? Am I on the right track when it comes to .htaccess?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You can set an Allow rule, and specify in what order they are to be evaluated.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Well, I changed my .htaccess file to:

Code:

Deny from all
Allow from mydomain.com

This still doesn't appear to allow me access through a swf video player. Is the video player considered mydomain.com or is it considered the client's domain/IP?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

That's because the flash video player is being downloaded by the user, and then accesses the files: it's now from their computer, not yours.

As Feyd stated earlier, you'll need to use PHP to pass the files through.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

I see. How would I do this then? How do I access the file with a video player?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Have the video player call a PHP file as if it were a video. The PHP file will check authentication and then stream the video to the player (using readfile or a chunked fread) if everything is hunky-dory.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Ohhhhhh. Okay, I'll try it and see my results.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Make sure you set the proper headers.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Ambush Commander wrote:Make sure you set the proper headers.
Yeah that was the first thing that came to mind.

So how would I output the stream provided by fopen, or is this the wrong approach?
Last edited by JellyFish on Fri Jun 29, 2007 11:00 pm, edited 1 time in total.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Wait a minute, I don't think I'm doing this right:

Code:

header("Content-type: video/x-flv");
               
$stream = fopen("http://mysite.com/chart-room/videos/".$_GET['filename'], "r");
               
echo fgets($stream); 
Last edited by JellyFish on Fri Jun 29, 2007 11:30 pm, edited 1 time in total.
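
The pass-through script Ambush Commander describes (check authentication, set the headers, stream with a chunked fread), as an added example that is not code from any poster in this thread. It assumes a login flow that sets `$_SESSION['user_id']` and a script name of `video.php` (both hypothetical); the `filename` parameter and directory follow JellyFish's snippet, and the file is read from disk so the directory can stay on `Deny from all`.

```php
<?php
// video.php (hypothetical name): added example, not code from the thread.
// Assumes the login code sets $_SESSION['user_id'] and that VIDEO_DIR keeps
// its "Deny from all" .htaccess; PHP reads the file from disk, not over HTTP.
declare(strict_types=1);

const VIDEO_DIR = __DIR__ . '/chart-room/videos';

/** Map a requested name to a file directly inside $baseDir, or null. */
function resolve_video(string $name, string $baseDir): ?string
{
    // Allow-list: a bare .flv file name, so no slashes, dot segments or dotfiles.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.flv\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    // realpath() resolves symlinks; the target must still sit in the base directory.
    if ($base === false || $path === false || dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}

$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_video($name, VIDEO_DIR) : null;
$in   = $path !== null ? fopen($path, 'rb') : false;
if ($in === false) {
    http_response_code(404);
    exit;
}
session_write_close();              // do not hold the session lock while streaming

header('Content-Type: video/x-flv');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

while (ob_get_level() > 0) { ob_end_clean(); }  // stream directly, unbuffered
while (!feof($in)) {
    echo fread($in, 8192);
    flush();
}
fclose($in);
```

The player is then pointed at `video.php?filename=...` instead of a URL inside the protected directory.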