helllp

DoobyWho

With the upcoming release of my new software FileTrack, I have one bug left to iron out. It's a big security problem.

When you upload a file into an account and project (subfolder in the account), it goes to FILETRACK/admin/files/account/project/ . I stuck an .htaccess in /files/ with Options -Indexes contents in order to disable directory contents viewing. However, if a person has the URL of a file which has been uploaded, they can type in the URL and download it with no restrictions. Additionally, create a link on an HTML page and 'save as'.

I need to be able to restrict this type of access, but allow my PHP software to be able to view it using links. Authorization is using a user/pass form and sessions for the vars.

Few notes:

Customer installs on his / her on server
it needs to be viewable via the broswer, so long as the person has logged in to the respectable account. And only denied if they're not logged into that account.
basically there needs to be a way for people to access it from the domain the script is installed on , but not from any other domain.
Basically what happens is, they are presented with a list of files they can download. But the links link to a direct link to the file, and not a php page including the file.
Need a solution for both apache / linux / windows/ iis servers. May it be seperate solutions, different versions they have to install depending on their server, or one solution that works for all.
I know about the apache auth , but I dont really think that solution would work. We want maximum usability. We don't want them to have to do much server config, if any, to install the software, and we dont want them to have to type in a user/pass when they click on a file. Once they login to their account, they should be able to access THEIR files, and no way to access others. Not by a link they create, or by a direct link.

Keep in mind, we have NO IDEA what type of files they will be uploading. So we can't just "include" the files in a php page after they are authed. Files could be pictures, programs, anything really.

Thanks in advance.

Mce

Something I've noticed alot of download sites doing is they have a download page that works for any file.
you just make a "generic" page that gets told what file to download via your link page

and use header()...

$path = 'pathtofiles';
$filewithpath = $path . $filename;
header("Content-Type=application/octet-stream");
header("Content-Disposition: attachment;filename=".$filename);
$fh = fopen($filewithpath,"r")
while (!feof($fh)) {
        $buff = fread($fh, 4096);
        echo $buff;
    }

fclose ($fh);

This way they never even know what directories the files are actually stored in. The application/octet-stream forces it to pop a download dialog regardless of actual mime type encoded in the file itself (it's only a browser cue as to the appropriate action)

-Mce

DoobyWho

Thought about that. One thing. They can't just click on the link and it automatically opens up the file. Say its a .gif . They should be able to click on the link and it opens up the file. HOWEVER, if they want to download it, they can rightclick on the link and download it. but this way seems to only work for them to download it or click on the 'open' button of the download dialog.

For clarification, we need to be able to view the files regularly, because if someone uploads an HTML page and respective images, etc, the account holder needs to be able to view that document. If they download it, the relative files will be lost.

jayant

Try seeing documentation of HTTP-Authentication of Apache. You can achieve this using PHP also. seach for "HTTP-Authentication PHP"

DoobyWho

Cant use that for two reasons:

1) wont work if the server is IIS, and it needs to be compatible with both IIS and apache. (windows and linux)

2) they already log in to their account, we dont want them to have to type in another u/p to view the files.