Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hello!
I have a serious security issue. Suppose my site URL is http://www.abc.com
Now I have a secure admin panel folder xyz in it, and this folder contains a subfolder where I am storing the uploaded .pdf files, and only after providing a valid username & password can one download these PDFs.
But if a user types the direct URL in the browser, http://www.abc.com/xyz/pdfFolder/filename.pdf,
then he can easily access that PDF without any authentication.
Also, Google fetches that path and shows the PDF files directly.
Please help me. I have searched a lot on it but can't find any solution.
Everywhere I found the .htaccess file as a solution, but if I do that then I won't be able to download that file even after authentication; it says a corrupted PDF file.
It's really very urgent!
Thanks for any help in advance.
Right now I am not using any .htaccess file.
I want to know how I can protect my URL against direct access.
But the same must be accessible if someone tries to access it after authentication.
One way would be to use a .htaccess file to redirect all requests to your pdf directory to a php file.
This file would then handle the authentication, and if authenticated, set the correct headers and send off the pdf file. This way you can keep the authentication to your application instead of a .htpasswd file.
<?php
// Do some authentication checking....
// Exit the script if not authenticated, or continue the script.
// Get the filename.
$file = $_GET['url'];
// Set the path on your server to your file.
$pathToFile = 'your/path/to/file/'.$file;
// Open the file in binary mode.
$handle = fopen($pathToFile, 'rb');
// Send the right headers.
header("Content-Type: application/pdf");
header("Content-Length: " . filesize($pathToFile));
// Dump the file and stop the script.
fpassthru($handle);
exit;
Last edited by Oxidiser on Wed Feb 18, 2009 5:40 am, edited 2 times in total.
Oxidiser's approach above is also possible, but slightly different. It does the authentication (access protection) in php, rather than .htaccess. It just uses .htaccess to make sure the file is always downloaded through the protective php script.
Be aware though that this approach may be more vulnerable to security mistakes. For example, what happens if someone tries to download http://yoursite.com/pdf/../downloadpdf.php to get a peek inside your security measures?
Last edited by Apollo on Wed Feb 18, 2009 5:45 am, edited 2 times in total.
Oxidiser wrote: One way would be to use a .htaccess file to redirect all requests to your pdf directory to a php file.
This file would then handle the authentication, and if authenticated, set the correct headers and send off the pdf file.
That line essentially puts the initial request URL into a url parameter in the request superglobal of the php script, so you can use it in your script to see which file was requested.
And yes, you should cover all your bases in the security check. Lock it to your pdf directory so no one can request files other than the PDFs, for example.
If I use this kind of password protection, then how are the users who register on my site able to access that PDF?
If you protect the download script so that only admins are allowed to download files, then obviously no one other than admins can traverse through your directories like that. Still, you should fix that hole.
Warning: filesize() [function.filesize]: stat failed for
Warning: Cannot modify header information - headers already sent by (output started at
Warning: readfile() [function.readfile]: failed to open stream: No such file or directory in on line 46
You do not put download.php outside the document root, you put the files outside the document root.
Your script is unable to locate the file, it seems.
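Added example, not code from the thread or from any poster: a download script that combines the advice above (authenticate in PHP, lock requests to the PDF directory, keep the files outside the document root). The session key user_id, the storage path and the filename allowlist are assumptions; the url parameter is the one Oxidiser's script reads.

```php
<?php
// Added example. Assumed names: session key 'user_id', PDF_DIR, the filename allowlist.
declare(strict_types=1);
session_start();

// PDFs live OUTSIDE the document root, so no direct URL (or crawler) can reach them.
const PDF_DIR = '/var/www/private/pdfs'; // assumed path

// Map a client-supplied name to a real PDF inside $baseDir, or return null.
function resolvePdf(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() discards any directory part, including "../" sequences.
    $name = basename($requested);
    // Allowlist: plain names ending in .pdf only (assumed naming scheme).
    if (!preg_match('/^[A-Za-z0-9._-]+\.pdf$/i', $name)) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit under $base.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// 1. Authenticate before touching the filesystem.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}
// 2. Resolve the requested name; reject arrays and anything outside PDF_DIR.
$requested = $_GET['url'] ?? '';
$path = is_string($requested) ? resolvePdf(PDF_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
// 3. Drop buffered output (stray whitespace or warnings corrupt the PDF), then send.
while (ob_get_level() > 0) {
    ob_end_clean();
}
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
exit;
```

A request such as url=../downloadpdf.php is reduced to downloadpdf.php by basename() and then rejected by the .pdf allowlist, so the script never serves its own source.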