Forbidding access to a directory.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

What are root rights, and what is the Unix password file?
http://en.wikipedia.org/wiki/Superuser
http://en.wikipedia.org/wiki/Passwd

What is "Cracking the shell passwords"?
http://www.crypticide.com/alecm/security/c50a.txt

Break out of which directory?
The one with your movie files.

What's an arbitrary file on my server?
Anything that's on the server. Your PHP scripts, your configuration files, your user data, etc. :-P
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

So basically, I don't want people passing a path to my script that would have my script return any information I don't want them to get.

So how would I fix this? You say to use the basename function?

I could just make sure that the file path that is passed to my script be one with the MIME type of "video/x-flv". But I don't know how to do this.

Another method would be to check if the basename's suffix is that of ".flv".

Which would you suggest?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I would do several checks:

1. basename() to make sure that the directory path is in the proper place
2. File extension check to make sure the requested file is valid
3. file_exists() check to make sure the file being requested exists
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

How would I check the file extension?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

pathinfo()

Or regex.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

<?php
// Posted script, as written: only the extension of the requested name is
// checked; the directory part of $_GET['filename'] is passed straight to fopen().
header("Content-type: video/x-flv");

$path_parts = pathinfo($_GET['filename']);

if ($path_parts['extension'] == "flv")
{
    $stream = fopen("/home/content/t/r/a/tradingtresure/html/".$_GET['filename'], "rb");
}
else
{
    $stream = fopen("/home/content/t/r/a/tradingtresure/html/manager/chart-room/videos/error.flv", "rb");
}

fpassthru($stream);
Is this good?

I don't want to check for the directory because my directories variable that I use.

Is what I have secure?

Other than that, I'm having a problem with this method (using a video.php file instead of an .flv file) and that is, it acts funny; for example, when the position of the video meets the loaded duration, the movie starts over. Is this because I'm using fpassthru rather than some other function(s)?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Not even remotely.

Check realpath() against the folder root of your storage directory. Make sure the file they are requesting exists, too.
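The following is an added example, not code from the thread or from any poster: a hardened version of the video-serving script that combines the three checks Ambush Commander listed (basename(), extension check, existence check) with feyd's realpath() containment check. The storage directory, the fallback clip and the function name resolveVideoPath() are assumptions made for the example.

```php
<?php
// Added example, not the thread's own code. VIDEO_ROOT and ERROR_VIDEO are
// assumed placeholders; replace them with the real storage directory.
declare(strict_types=1);

const VIDEO_ROOT  = '/var/www/videos';           // assumption: directory holding the .flv files
const ERROR_VIDEO = VIDEO_ROOT . '/error.flv';   // assumption: fallback clip served on a bad request

/**
 * Resolve a client-supplied file name to an absolute path inside VIDEO_ROOT.
 * Returns null when the request must not be served, so the caller decides
 * what to send instead.
 */
function resolveVideoPath(string $requested, string $root = VIDEO_ROOT): ?string
{
    // 1. basename() drops every directory component the client sent, so a
    //    value such as "../../etc/passwd" is reduced to "passwd" before the
    //    filesystem is touched at all.
    $name = basename($requested);

    // 2. Extension check on the sanitised name (case-insensitive, so "X.FLV"
    //    is accepted and "flv.txt" is not).
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'flv') {
        return null;
    }

    // 3. realpath() canonicalises symlinks and ".." segments and returns false
    //    when the path does not exist, which doubles as the file_exists() check.
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($rootReal === false || $fileReal === false) {
        return null;
    }

    // 4. Containment: the resolved file must sit beneath the resolved root.
    //    The trailing separator stops "/var/www/videos-private/x.flv" from
    //    passing when the root is "/var/www/videos".
    if (strpos($fileReal, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // 5. Only regular files are streamed (no directories, devices, etc.).
    return is_file($fileReal) ? $fileReal : null;
}

// Request handling: serve the validated file, or the fallback clip.
$path = resolveVideoPath($_GET['filename'] ?? '');
if ($path === null) {
    $path = ERROR_VIDEO;
}

header('Content-Type: video/x-flv');
header('Content-Length: ' . (string) filesize($path));

$stream = fopen($path, 'rb');
fpassthru($stream);
fclose($stream);
```

basename() on its own already strips the directory part of the request, so the realpath() comparison may look redundant; it is kept because it also catches a symlink inside the storage directory that points outside it, which basename() cannot see. Content-Length is sent alongside Content-Type because it is the usual companion header for a streamed file of known size; the example makes no claim about the Flash playback problem discussed later in the thread.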
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

What kind of file is this called, that I'm making?
Last edited by JellyFish on Wed Jul 04, 2007 2:25 pm, edited 2 times in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's the same type of file that goes along with file download interfaces.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

What should I use in place of fpassthru? My video.php file doesn't act like the .flv that it's posing to be.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

fpassthru() is just fine, it's bound to be something else, likely headers related.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

feyd wrote: fpassthru() is just fine, it's bound to be something else, likely headers related.

I have only set the content-type header. Which other one is necessary?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That's something you'll need to research as I don't work with Flash video files.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

I see. I'm a bit stumped on what my research terms are: php video output, php video. Any suggestions?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's probably more along the lines of what Flash is expecting and what the browsers are expecting and less about PHP.