I have a server that contains a simple php file for downloading images and a folder containing those images.
<?php
$filepath = "myFiles/" . $_POST["file"];
if (file_exists($filepath)) {
$file = fopen($filepath,"r") or die();
echo fread($file,filesize($filepath));
fclose($file);
}
?>
This download.php file as well as the myFiles folder are both located in the www/html/ folder.
I am trying to figure out a way to make it so that my PHP script can access my image files, while keeping the files locked away from regular visitors. My problem is that if I set permissions that the files can't be viewed through the browser, then the PHP script can't access them either. So either both have access or neither does.
Am I on the correct track? How could I make it so that I can download my images using a PHP script while keeping the images otherwise inaccessible?
That won't be something you can handle using the linux file system permissions. You can put back the linux permissions to what they were initially for the files.
Instead, if you have a /home folder, I would recommend putting the original files to hide there. Check with your webhost if you have one.
Otherwise, if you have to put everything in www absolutely, then put the files to hide in a new subfolder, e.g. "hidden-files", and in that folder put a .htaccess file inside to block direct browser access to the files. The .htaccess file can be a one-line file with Deny From All command inside.
This way your files will only be able to be proxied through download.php.
Related
I've tried to look around for some tricks on how I can do this safely, without executing the code.
Does the code get executed if i simply upload it to the file system, then leave it be until someone downloads it?
Or is this a potential threat aswell?
What I am trying to do is making the users able to upload their CV in pdf files. The administrator can then download this pdf file (not being viewed on server, but downloaded).
How should I do this to prevent malicious files from being executed on my server? Also, would it be risky to place this folder OUTSIDE the public_html folder?
There's not a lot of risk to upload .pdf in a folder.
the folder must be in 644 (chmod). and have a index.php with redirect to the index of the website
Inside or outsite the "public_html" .. it's not a problem
when you upload, you can check the extension (.pdf) and type mime:
with finfo_file (http://php.net/manual/en/function.finfo-file.php )
and
with $extension = substr($file, -3);
That depends on how your server is set. If it allows PDF files to be used as executable, or to be opened with particular application/processing script that could be used for malicious actions. Otherwise you have to follow simple instructions such as restriction of file name length and avoiding to perform read operation of that file. As I understand you need only to upload and safe them. I'd keep them in public_html and once uploaded correctly (you checked filesize, extension etc) moved them whenever you like.
I'm having a bit of trouble trying to access the content of .txt files on a remote server that are in an .htaccess protected directory.
What I am trying to do is the following:
Connect to the FTP server via PHP and use ftp_nlist to retrieve a list of all the .txt files in a directory. Up to here, everything works fine.
For each .txt file found, I want to retrieve the contents. There are a number of ways to do this normally which all work fine when there is no .htaccess file protecting the .txt files.
BUT! As soon as I protect the online directory with the .htaccess file, every single method I have tried fails to get the contents of the .txt files. The .htaccess file that is protecting the folder that contains the .txt files has the following (and nothing else):
<Files *.txt>
Order Deny,Allow
Deny from All
</Files>
Obviously, the online PHP website itself can access the contents of the .txt files without any problems, and the .htaccess file itself is doing it's job perfectly (denying direct access to any of the files), but when I'm trying to access the .txt files remotely from my WAMP server, I just can't find a way to bypass the .htaccess protection.
Basically, I want to imitate remotely, from my WAMP server, what my website already does itself locally by using $contents = file($filepath). Surely there must be a way... Can anyone point me in the right direction? Should I be using a different method of protecting the .txt files, or should I be using a specific PHP function to access the contents?
Your question isn't clear.
If you protect a folder or a file with .htaccess you will be still able to download that file with FTP. .htaccess affects only Apache (http requests).
If you want to be able to download those file anyway with http, then you just do a script that outputs its content:
downloader.php:
//> Check if the admin is logged, and check if $_GET['filename'] is allowed
readfile($_GET['filename']);
Then you can request your file with:
http://yoursite/downloader.php?filename=file.txt
Of course be sure to protect the access of this downloader.php
I've been able to upload a file through PHP to a non-hosted directory (directory is not on the website) with read/write permissions for the PHP file (www). How would I download the file from this directory? I've been able to list the contents of the directory, but clicking on the files (made the filenames links) does not work as the computer attempts to download the file from the path on the server. I'm new to PHP, so all help is appreciated. Thanks!
Edit: Before I get down votes for this being a broad question, I just want to know how to access the files in the non-hosted directory and pass them to the user. I already know how to download normal files hosted on the website. Thanks!
You can use a delegating PHP file for file access. I don't know anything about your structure, but if you can write it, you can (presumably) read it back with file_get_contents:
<?php
echo file_get_contents('/the/path/to/the/unhosted/directory/file.ext');
?>
I have a file sort of like this, it's a user database (udb.htm):
user1:pwd1
user2:pwd2
user3:pwd3
something along the lines of that. I would like to secure this file and make it available for PHP via the file_get_contents("udb.htm"); method, but not a browser window. Thanks!
you can:
upload the file in a directory outside the public html directory, but that php has access
block the access to the file using apache .htaccess <Files> or similar
use HTTP Basic Authentication
save your data in an actual database (mysql, mssql, oracle, sqlite)
Put the file outside of the web root. For instance, in the directory that contains public_html. PHP can access it (and any other file on the system), but you can't get to it from the web.
Move the file into a folder still accesible to PHP but not web clients.
What you want to do is put the database below the web path. So for example, if your website is at www.example.com and it points to: /var/www/html
Then you can put your password file into /var/www/password/udb.htm
Then access it from your php script as file_get_contents("../../password/udb.htm")
Your script can access the file, but your web service will not.
This changes the permissions of your file before open, and remove grants when you close the file, be sure about webserver permissions over the file.
<?php
$file = 'udb.htm';
chmod($file, 0600);
$contents = file_get_contents($file);
chmod($file, 0000);
?>
I wrote this VERY simple PHP login system:
<?php
session_start();
$error = '';
if (isset($_POST['username']) && isset($_POST['password']))
{
if ($_POST['username'] == 'user' && $_POST['password'] == 'pass')
{
$_SESSION['client'] = 'ok';
Header ("location: /kit/kit/index.php");
}
else
{
$error = 'Usuario o contraseña incorrectos.';
}
}
?>
Don´t worry about the vulnerability issues, it´s not protecting anything valuable.
In every .php page i add:
<?php
session_start();
if (!isset($_SESSION['client']) || $_SESSION['client'] != 'ok')
{
Header ("location: /kit/index.php");
die();
}
?>
This protects the .php sessions just fine.
The problem is that this doesn´t protect the files.
I mean if go directly to:
something/other/file.zip
it will download it wether you have loged in or not.
I hope the question is clear enough, if not, please ask!
To stop a user from seeing the directory, all you need to do is create an index page in that folder. Ex: index.htm, index.html, default.htm, default.html.
To stop a user from entering the folder (e.g. stop anyone from viewing http://www.yoursite.com/myFolder/), you may need to access some features of your web host. Some hosts allow you to password protect files or folders. You can also create an .htaccess file/folder
An htaccess file is a simple ASCII file, such as you would create through a text editor like NotePad or SimpleText. Many people seem to have some confusion over the naming convention for the file, so let me get that out of the way.
.htaccess is the file extension. It is not file.htaccess or somepage.htaccess, it is simply named .htaccess
Create the file
In order to create the file, open up a text editor and save an empty page as .htaccess (or type in one character, as some editors will not let you save an empty page). Chances are that your editor will append its default file extension to the name (ex: for Notepad it would call the file .htaccess.txt). You need to remove the .txt (or other) file extension in order to get yourself htaccessing--yes, I know that isn't a word, but it sounds keen, don't it? You can do this by right clicking on the file and renaming it by removing anything that doesn't say .htaccess. You can also rename it via telnet or your ftp program, and you should be familiar enough with one of those so as not to need explaining.
htaccess files must be uploaded as ASCII mode, not BINARY. This makes the file usable by the server, but prevents it from being read by a browser, which can seriously compromise your security. (For example, if you have password protected directories, if a browser can read the htaccess file, then they can get the location of the authentication file and then reverse engineer the list to get full access to any portion that you previously had protected. There are different ways to prevent this, one being to place all your authentication files above the root directory so that they are not www accessible, and the other is through an htaccess series of commands that prevents itself from being accessed by a browser, more on that later)
JUST INCASE stop users from downloading your file
store all things that are downloadable ourside your document root. which means before the public_html file.
EDIT: updated the section below to show graphical representation of folder structure
how do you access them then?
work
downloadableFiles
downloadables
- memberOnlyFile.zip
- welcomePackage.zip
- memberhshipVideoVideo.mov
photos
- photo1.jpeg
- photo2.jpeg
publi c_html
- index.htm
About
- about.html
- about.gif
LogIn
- login.htm
- loginScreen.htm
- loginFancyButton.gif
Now anything in the public_html folder the world can see through your website.
Anything outside your public_html folder, will not be visible directly to the world through your website by typing the file name into the address bar in their browser. so thats a good thing as we are going to save all our files that we dont want to give access to outside of the public_html folder.
Now say if you want a certain user to be able to download a file, say maybe a logged in user, you can still make the file downloadable by having a link to that file.
If we are at the login Page, to access the loginScreen webpage you just write down the hyperlink like so:
login screen
since that page is on the same folder. now if you want to allow a user to be able to download a file from the downloadable files folder which is outside the public_html folder since it is not in that folder it self youjust reference to it like so:
How would we get to that folder if we are in the login folder as we are viewing the loginScreen.htm page, you go one folder back so we end up being in the public_html folder. then we go another folder back so we are in the work folder.
so it would look like this so far.
../../ which means two folders back.
then to access the memberonlypath.zip we then need to go into the downloadableFiles folder then we need to get into the downloadable files and then we can link it to the file membersOnlyFile.zip which is the file we were lookng for before.
so the full link now becomes
download file
This way the user cannot access the file by simply typing it on the address bar but can download it if you reference it yourself like the above.
Hope this helps
PK
Store all files you don't want downloaded outside the DocumentRoot.
You need .htaccess to deny access to the folder.
Just have a php download script like: this one that will get the file below the public_html folder.
"Static" files are served by the webserver, not PHP, so authentication is handled differently. There are two easy ways around this:
Handle all authentication in the webserver, e.g. with HTTP basic/digest authentication. Apache 2.2 has a helpful introduction.
Serve the files with PHP, e.g. with foo.php/path/to/file if you have "pathinfo" enabled (according to the PHP docs you set AcceptPathInfo=ON in the server config somewhere) or foo.php?path=path/to/file, which is pretty terrible, but oh well.
There is a more enterprisey solution:
Write an authentication module for your download server which understands authentication cookies from the other site. Many big sites do this (adcdownload.apple.com comes to mind), partly so they can stick the downloads on a CDN but still have some sort of access control.
There is a lazy workaround:
Stick everything in an "unguessable" directory name (e.g. some random base64 chars). Make sure you can't list the parent directory (the easiest way is to create an empty "index.html" file).