Drupal 6 securing files in custom module folder - php

I wrote a custom module, which logs errors to an external text file. The files are kept in
/sites/all/modules/custom/my_module/logging/
The problem is, if the user knows the name of the file, they can go directly to it. For example, if they go to:
http://localhost/MySite/web/sites/all/modules/custom/my_module/logging/
They will get a forbidden error. But, if they know the name of the document and go to:
http://localhost/MySite/web/sites/all/modules/custom/my_module/logging/myFile.txt
the full file is rendered to the browser. Is there a way to prevent this? Ideally, I would like to show the files to certain users, but at the very least prevent it altogether.
thanks jason

Very simple method...
Put a .htaccess file in the logging folder and inside that put
deny from all
It looks like you have Options -Indexes set somewhere; this will prevent a client from viewing a folder that does not have an index file.

Related

Why can't a PHP file be run when I locate it in the theme folder

My page in WordPress has a button like "Go to the next".
I am trying to get my PHP file to run by clicking the button.
<form action="https://"domain name".com/hoge.php" method="POST"></form>
The PHP file runs successfully if I locate it in the domain.
(like, https://"domain name".com/hoge.php)
However, the PHP file cannot be run if I locate it in the themes folder, and the response is 404 Not Found.
(like, https://"domain name".com/public_html/wp-content/themes/hoge.php)
So I have 2 questions.
Why can't the PHP file be accessed if I locate it in the themes folder?
Talking about security, is it safe to locate my PHP file in the domain directly?
(like, https://"domain name".com/hoge.php)
wp-content implies this is a WordPress site.
WordPress changes the .htaccess to prevent exactly this. The .htaccess will not let you access the sub PHP files directly.
Answer for question 1:
There are a lot of factors affecting where your file can be located. It might involve the RewriteRule in the .htaccess configuration, your platform configuration, or you may simply have created the file at the wrong location or with the wrong name.
Answer for question 2:
Yes, it is unsafe, because it can be accessed by anyone else. So you need to perform some authentication checking before executing the written code, for example use SESSION to check that the user is already logged in before executing your code.
Your way of handling the FORM is perfectly OK when developing in core PHP. But WordPress has its own way of handling a FORM. You can check out this blog on how to handle the FORM the WordPress way.

PHP: Redirect 404 errors below specific folder

I am working on an already existing intranet. I have built an application and would like to take care of the 404 errors.
The problem I have is that this error management should only have effects on the pages located below the folder I'm working on.
Explanation:
My file explorer looks like this:
root
  aFolder
  anotherFolder
    RootOfMyApplication
      myPages
I want to redirect all 404 errors below RootOfMyApplication to a specific page using PHP.
For example, browsing to "..../anotherFolder/RootOfMyApplication/notExist.php" should redirect me to my custom page, but browsing to "..../anotherFolder/notExist.php" shouldn't.
If possible, I would like to make it so that directory browsing follows the same rule: if the URL links to a folder and is below RootOfMyApplication, I redirect to the page.
The problem comes from the fact that I don't manage the root directory, and if possible want to have no impact on navigation outside my folder.
EDIT
What I want to do is the same as a .htaccess file: when an error is thrown, I want to take care of it myself, with PHP. My question is : "Can I do it, and if yes, how do I do it?". I don't want to use configuration files.
"It's not possible" will be accepted as an answer if there is a good explanation.
The error handling of files which are not found is a job of the web server (in your case Apache).
PHP can't help you because you always have to request one file which is then executed by PHP.
If you are going to request a file which doesn't exist, it can't be executed and the web server has to deal with the error. (PHP won't be started.)
But maybe there is a workaround:
1. If you use URL rewriting on your server/application, there could be a way, but we would need some more information/code.
2. Can't you create an .htaccess in your root directory and change the error documents for your folder?
3. Talk to the admin and tell him he should change the error documents for your folder in httpd.conf.
(2./3. Maybe not an allowed solution for you, because you don't want to use configuration files.)

Is there any way to use php code with .htaccess file

I am writing a web application, and within it, for security reasons, I would like my users (admin) to change system directories right from the admin panel.
For example, he can change the url www.domain.tld/administrator to something like
www.domain.tld/dir1/dir2/dir3/administrator OR
www.domain.tld/dirx1/diry2/dirz3/administratorxyz/pqr
I know that these can be done by .htaccess easily and it can be done by rewriting the .htaccess file by php file handling codes. But I do not want to change the content of the .htaccess file physically, rather, I am looking for something where the user's choice will be stored in database and it will be fetched by a php code and will be used as the .htaccess code in real time.
Is it possible?

How to get access outside HTDOCS with PHP script

I have a webserver with Apache.
For security reasons my customer wants to access files (.jpg/.pdf/.png/.gif) in another folder.
The root layout is as follows:
backup
data
etc
htdocs
logs
tmp
In the htdocs folder the Joomla website resides. I use flexicode to add PHP code to the site.
Is there a way I can show for example a photo in .jpg from the data folder?
example. /data/werknemers/80111/pasfoto.jpg
There is a little snag. Everybody uses a pin number to log into Joomla. In this case pin 80111.
Pin 80111 is added to the users table, the field is called pin.
Is it possible to use a variable to retrieve the data? So only user 80111 can access his or her folder and not another one?
The photo is shown in a module on the website after login.
Cheers,
Steve
You'll have to write a PHP script in Joomla (for the authorisation), and give Apache access to the external folder. Then deliver your files using this script.
I'm not a Joomla user, but my first choice would be to look for some plugin to manage the uploads. I saw some plugins to manage uploads per user doing a quick Google search, for example this one.
In case none of them works for you, I think the next option would be to try to implement an asset proxy.
Write a script in htdocs to validate the PIN and, if it is OK, read the file content from the data directory and provide the output from that script.
A rewrite rule to redirect all .jpg/.pdf/.png/.gif requests to that proxy will be needed.
Be careful to still serve the non-secure content (theme images, for example) as well.
Hope this helps
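
The asset proxy described in this answer, as an added example that is not code from the original answers. It assumes the login code has stored the authenticated PIN in $_SESSION['pin'] (a hypothetical key, not Joomla's own API) and that the script is requested with a file parameter; it goes slightly beyond the answer by also confining the resolved path to the user's own folder.

```php
<?php
// Added example, not code from the answers above. Assumptions: the login code
// stored the authenticated PIN in $_SESSION['pin'] (hypothetical key) and the
// files live in /data/werknemers/<pin>/, outside htdocs.
declare(strict_types=1);

const DATA_ROOT = '/data/werknemers';
const MIME_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png',
                    'gif' => 'image/gif', 'pdf' => 'application/pdf'];

/** Map a requested file name to a real path inside the user's own folder, or null. */
function resolveUserFile(string $dataRoot, string $pin, string $requested): ?string
{
    // The PIN comes from the session, never from the request; digits only.
    if (!ctype_digit($pin)) {
        return null;
    }
    $userDir = realpath($dataRoot . '/' . $pin);
    if ($userDir === false) {
        return null;
    }
    // basename() drops any directory part; realpath() resolves symlinks and "..".
    $path = realpath($userDir . '/' . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still be inside the user's folder.
    $prefix = $userDir . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, MIME_TYPES) ? $path : null;
}

session_start();
$pin  = (string) ($_SESSION['pin'] ?? '');
$path = resolveUserFile(DATA_ROOT, $pin, (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404); // same answer for "missing" and "not yours"
    exit;
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```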

.htaccess denies files to download from script

Good day all,
I have a folder called documents in my site root, this is password protected by a .htpasswd file, but it is allowed to be accessed by a script to view.
How would I allow a script to be able to download the file without accessing it directly from the directory?
I'll give an example to explain the situation.
On my home page I display the picture test.jpg; this image is in the documents folder that is protected. The image displays correctly on the home page.
If I type in the address bar www.domain.com/documents/test.jpg, it does not display or download, but asks for a password. (This I want, but I don't want people to type in a password for each file they want to download.)
Is there a way that I can make PHP or JavaScript download the document without ever having to prompt for a password? In other words, bypass the .htaccess rule?
Thanks in advance
I've retagged adding PHP and JavaScript. There is nothing stopping you writing a remapper PHP script which is outside the documents folder and therefore accessible without Apache authentication. This could issue a readfile() to send the file (see the document example and user contributions for a more detailed explanation). Since this is a server-side script, it will have direct access to the protected directory.
Of course you might want to implement some form of access control, say appending a request parameter check which is based on the md5 of the filename plus a shared secret. This would be easy to compute in the calling script. However, once you move such access negotiation to a client-side script you need to accept that this could be retro-engineered and exploited by any experienced hacker.
As a footnote, if you want to allow users to download your images, why are you locating them in an access-controlled directory? Why not just move them out of this directory?
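
The request-parameter check this answer describes, as an added example that is not the answerer's code. It uses HMAC-SHA256 in place of md5 of the filename plus a shared secret and adds an expiry time; DOWNLOAD_SECRET, download.php and the parameter names f, e and s are assumptions.

```php
<?php
// Added example, not from the original answer. DOWNLOAD_SECRET, download.php and
// the parameter names f/e/s are assumptions; the values at the bottom are
// constructed for the demonstration.
declare(strict_types=1);

/** Signature over file name and expiry time; the secret never leaves the server. */
function signDownload(string $secret, string $file, int $expires): string
{
    return hash_hmac('sha256', $file . "\n" . $expires, $secret);
}

/** Build the link in the calling script (for example the home page). */
function makeDownloadUrl(string $secret, string $file, int $ttl, int $now): string
{
    $expires = $now + $ttl;
    return 'download.php?' . http_build_query([
        'f' => $file,
        'e' => $expires,
        's' => signDownload($secret, $file, $expires),
    ]);
}

/** Check the request parameters in download.php before calling readfile(). */
function verifyDownload(string $secret, array $query, int $now): bool
{
    $file    = $query['f'] ?? '';
    $expires = $query['e'] ?? '';
    $sig     = $query['s'] ?? '';
    if (!is_string($file) || !is_string($expires) || !is_string($sig)) {
        return false; // rejects array parameters such as f[]=x
    }
    // Plain file names only, a numeric expiry, and the link must not have expired.
    if ($file === '' || basename($file) !== $file
        || !ctype_digit($expires) || (int) $expires < $now) {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals(signDownload($secret, $file, (int) $expires), $sig);
}

$secret = getenv('DOWNLOAD_SECRET') ?: 'constructed-demo-secret';
$now    = time();
parse_str((string) parse_url(makeDownloadUrl($secret, 'test.jpg', 300, $now), PHP_URL_QUERY), $q);
var_dump(verifyDownload($secret, $q, $now));                         // untouched link
var_dump(verifyDownload($secret, ['f' => 'other.jpg'] + $q, $now));  // file name swapped
var_dump(verifyDownload($secret, $q, $now + 301));                   // after expiry
```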
As Barry said, the .htaccess is processed before any PHP is, so bypassing it is not an option. You will have to either change the .htaccess configuration or write a remapper PHP script.
I suggest changing the .htaccess configuration to allow direct download links but deny directory listing. This will allow people to download direct links such as http://www.example.com/documents/some-file-name.ext without being prompted for a password, but they will have to know the link ahead of time - they won't be able to view the /documents/ folder to see everything in there.
You can do this by commenting out or removing the Auth directives:
#AuthUserFile /path/to/.htpassword
#AuthName "Name"
#AuthType Basic
#Require Valid-User
And adding a directive to block directory listing:
Options -Indexes
