Asked  7 Months ago    Answers:  5   Viewed   37 times

I'm loading my files (pdf, doc, flv, etc) into a buffer and serving them to my users with a script. I need my script to be able to access the file but not allow direct access to it. What's the best way to achieve this? Should I be doing something with my permissions or locking out the directory with .htaccess?

 Answers

46

The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.

However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,

Order deny,allow
Deny from all

Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.

Wednesday, March 31, 2021
 
cusejuice
answered 7 Months ago
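The script side of this answer, as an added example that is not part of the original post: a PHP download handler for the layout described above. It assumes the protected files live in /var/www/private (a hypothetical directory outside the document root, readable by the web server user), that a logged-in user is marked by the session key user_id, and that the client asks for a file by bare name (?file=report.pdf). The important part is that the requested name is resolved with realpath() and checked to still be under the private directory, so a name like ../../etc/passwd is refused even though the script itself can read the whole tree.

```php
<?php
// Added example (not from the original answer): serve a file that sits outside
// the web root through a script, so it can never be fetched by URL.
// Assumed layout: protected files in /var/www/private (hypothetical), a sibling
// of the document root, readable by the web server user.

declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private';

// Map a client-visible name to a real file. realpath() collapses symlinks and
// "..", after which the result must still lie inside PRIVATE_DIR.
function resolveProtectedFile(string $name): ?string
{
    // Only bare file names: no slashes, no NUL bytes, bounded length.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $name)) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // "..", "...", or a symlink pointing elsewhere all fail this prefix check.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Content types for the formats named in the question; anything else is sent
// as an opaque download rather than guessed from the extension.
function contentTypeFor(string $path): string
{
    $types = [
        'pdf' => 'application/pdf',
        'doc' => 'application/msword',
        'flv' => 'video/x-flv',
    ];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $types[$ext] ?? 'application/octet-stream';
}

function sendProtectedFile(string $name): void
{
    // Authorization first, before any file system access. The session key
    // user_id is an assumption; use whatever your login code sets.
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
    $path = resolveProtectedFile($name);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: ' . contentTypeFor($path));
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');

    // Stream in chunks instead of reading the whole file into memory.
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        http_response_code(500);
        exit;
    }
    while (!feof($fh)) {
        echo fread($fh, 8192);
        flush();
    }
    fclose($fh);
}

session_start();
sendProtectedFile($_GET['file'] ?? '');
```

If output buffering is enabled in php.ini, call ob_end_clean() before the headers so the file body is not held in memory anyway. The same resolveProtectedFile() check applies unchanged if the files are kept inside the web root behind the .htaccess above; only PRIVATE_DIR changes.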
45

If you're using jQuery to make the XHR, it will set a custom header X-Requested-With. You can check for that and determine how to serve your response.

// jQuery sends "X-Requested-With: XMLHttpRequest". Use && here: the word-form
// AND binds more loosely than =, so $isXhr would only receive the isset() result.
$isXhr = isset($_SERVER["HTTP_X_REQUESTED_WITH"])
         && strtolower($_SERVER["HTTP_X_REQUESTED_WITH"]) == "xmlhttprequest";

However, this is trivial to spoof. In the past, I've used this to decide whether to render a whole page (if not set) or a page fragment (if set, to be injected into current page).

Wednesday, March 31, 2021
 
peixotorms
answered 7 Months ago
48

Remember that in order to reach a file, ALL parent directories must be readable by www-data. Your strace output seems to indicate that even accessing /var/log/apache2/writetest is failing. Make sure that www-data has permissions on the following directories:

  • / (r-x)
  • /var (r-x)
  • /var/log (r-x)
  • /var/log/apache2 (r-x)
  • /var/log/apache2/writetest (rwx)
  • /var/log/apache2/writetest/writetest.log (rw-)
Wednesday, March 31, 2021
 
TheCarver
answered 7 Months ago
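A way to find which component of the path is the one that fails, as an added example that is not part of the original answer: the script below walks the path component by component and reports the first one the current process cannot pass, using the permission requirements listed above (search permission on every intermediate directory, read plus search on the final directory, write where a file has to be created). Run it through Apache or PHP-FPM, or as `sudo -u www-data php check_path.php` (the file name is hypothetical), so the checks are made as the web server user; it assumes a Unix file system, and the path is the one from the answer, which need not exist on your machine.

```php
<?php
// Added example, not part of the original answer: report the first path
// component the current user cannot traverse or open. Assumes Unix
// permissions; posix_getpwuid() is only used when the posix extension exists.

declare(strict_types=1);

/**
 * Returns one report line per path component and stops at the first failure.
 * Intermediate directories need x (search); the final directory needs r-x
 * (rwx when $needWrite, e.g. a log file that must be created in it); the
 * final file needs r (rw- when $needWrite).
 */
function explainAccess(string $target, bool $needWrite = false): array
{
    $report  = [];
    $parts   = array_values(array_filter(explode('/', $target), 'strlen'));
    $current = '';
    $last    = count($parts) - 1;

    foreach ($parts as $i => $part) {
        $current .= '/' . $part;
        // We only get here after every parent passed its x check, so a
        // failed stat really means the entry is missing.
        if (!file_exists($current)) {
            $report[] = "$current: does not exist";
            return $report;
        }
        $st    = stat($current);
        $mode  = substr(sprintf('%o', $st['mode']), -3);
        $owner = function_exists('posix_getpwuid')
            ? (posix_getpwuid($st['uid'])['name'] ?? (string) $st['uid'])
            : (string) $st['uid'];

        if (is_dir($current)) {
            $ok = is_executable($current);                     // search permission
            if ($i === $last) {
                $ok = $ok && is_readable($current) && (!$needWrite || is_writable($current));
            }
            $need = ($i === $last) ? ($needWrite ? 'rwx' : 'r-x') : '--x';
        } else {
            $ok   = is_readable($current) && (!$needWrite || is_writable($current));
            $need = $needWrite ? 'rw-' : 'r--';
        }

        $report[] = sprintf('%-45s mode %s owner %-10s need %s  %s',
            $current, $mode, $owner, $need, $ok ? 'ok' : 'DENIED');
        if (!$ok) {
            return $report;
        }
    }
    return $report;
}

// The path from the answer; the log file is opened for writing, so the last
// directory must allow creating files and the file itself must be writable.
foreach (explainAccess('/var/log/apache2/writetest/writetest.log', true) as $line) {
    echo $line, PHP_EOL;
}
```

The checks use the real uid of the process, which is exactly what Apache's open() call is subject to, so a DENIED line names the directory whose mode or ownership needs changing. Group membership and ACLs are honoured because the checks go through access(2) rather than comparing mode bits by hand.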
33

Please follow the steps below to achieve this:

  1. In the .load function of jQuery, post a security code.
  2. In the Feed.php page, place a PHP condition: if the posted security_code parameter is found and matches the security_code passed in the .load, allow access to the page; otherwise restrict it.

Make the following changes in your existing code to achieve it.

JS

<?php
session_start();
// randomCode() was not defined in the original; this version draws an
// unguessable per-session value from PHP's CSPRNG.
function randomCode() {
    return bin2hex(random_bytes(16));
}
$_SESSION['security_code'] = randomCode();
?>
<script type="text/javascript">
    // The code is hex, so it can be embedded in the JS string literal unescaped.
    $("#dock-left-container").load("feed.php", {
       security_code: '<?= $_SESSION['security_code']; ?>'
   }); // load feed.php into the dock-left-container div
</script>

PHP

Place php condition in the top of feed.php

<?php
session_start(); // the same session that stored the code must be resumed here
// hash_equals() compares as strings in constant time; a loose == would also
// accept numeric-looking values that are not the same string.
if (isset($_POST['security_code'], $_SESSION['security_code'])
    && is_string($_POST['security_code'])
    && hash_equals($_SESSION['security_code'], $_POST['security_code'])) {
    //Feed.php page's all the stuff will go here
} else {
    echo "No direct access of this page will be allowed.";
}
Saturday, May 29, 2021
 
astaykov
answered 5 Months ago
97

This was the correct way to do it: (thanks to DaveRandom)

<Directory "C:/SITE/localhost/www">
    Options ExecCGI
    AllowOverride all
    Require all granted
</Directory>

Dave Random explains further:

After a little experimentation with this, I have discovered the nuance that makes this the correct answer, which is specific to Apache 2.3+. It seems that mod_authz_host directives take precedence over mod_access_compat directives, and this bubbles all the way up the directory tree. What this means is that if you are migrating from Apache 2.2 to Apache 2.4 and you use your 2.2 httpd.conf verbatim, it will work.

If, however, you perform a new install of 2.4 and base your config on the default 2.4 httpd.conf, Allow directives won't work, because the default top level section uses a Require all denied directive instead of Deny from all, and this takes precedence over any subsequent Allow directives higher up the tree. The long and the short of this is that if you are migrating your Order/Allow/Deny directives to their equivalent Requires, then you must change all of them or you will find you get 403s you weren't expecting.

Thursday, August 12, 2021
 
kmunky
answered 2 Months ago
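For reference, the 2.2 and 2.4 spellings side by side, added here and not taken from any of the answers: the deny-all block from the first answer and the allow-all block from this one, plus the one mixed case (deny everyone except one network) where the two syntaxes differ most. The directory path and network are placeholders.

```apache
# Apache 2.2 syntax (mod_authz_host 2.2). On 2.4 these lines are only
# understood when mod_access_compat is loaded.
<Directory "/var/www/html/private">
    Order deny,allow
    Deny from all
</Directory>

# Apache 2.4 equivalent: one directive, no Order to get wrong.
<Directory "/var/www/html/private">
    Require all denied
</Directory>

# Allow everyone, 2.2 ...
Order allow,deny
Allow from all
# ... and 2.4
Require all granted

# Allow one network only, 2.2 ...
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
# ... and 2.4
Require ip 192.0.2.0/24
```

On a stock 2.4 httpd.conf the top-level <Directory /> block already carries Require all denied, so every directory you do want served needs its own Require all granted; a per-directory .htaccess that still says Deny from all is then redundant at best and, without mod_access_compat, a syntax error that itself produces a 500 rather than the 403 you were after. Do not mix the two families in one configuration.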