Solved

Deny access to files, except if the user is coming from a specific page

Posted on 2005-05-08
Last Modified: 2010-03-04
Hi,

I have a lot of files in a directory.
All files are linked from a certain page (one page).

How do I make it so all files can only be accessed from one page alone and not from any other pages (or directly in the browser)?

I'm currently using the following .htaccess, but it doesn't work:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://savefile.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://savefile.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.savefile.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.savefile.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|exe|txt|jpg|gif|bmp|png|swf|jpeg|arj|rar|zip|ace|exe|txt|nfo|txt|doc|mp3|wav|xls|pdf|ttf|avi|bin|bpp|cfg|class|cue|dcu|eps|gz|gzip|hlp|ini|iso|jar|jsp|log|lisp|mid|midi|mpg|ogg|pas|pic|ptt|ps|psd|tar|tif|gm6|gmd|gml)$ - [F,NC]

test url:
http://www.fs01.savefile.com/files/2005/04/18/[www.savefile.com]050418140609_ZantiBar.wmv
Question by:kgp43
LVL 27

Expert Comment

by:caterham_www
ID: 13958237
>(or directly in the browser).

This is not 100% possible. If you don't permit a blank/empty referer, you'll also block all users who are unable to submit a referer.
The referer is empty if
- someone types the URL into the location bar
The referer might be empty, too,
- if you are behind caching machines (i.e. often at universities)
- if you are using restrictively configured internet security software, which removes the referer (and the user often doesn't know what a referer is or how to turn off the security software feature).

So, if you remove 'allow empty referer' below, you'll also block allowed users.
#######
RewriteEngine On
# you can bring it down to one line:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com [NC]
# allow empty referer
RewriteCond %{HTTP_REFERER} !^$ [NC]
# are there any extensions which should be allowed?
RewriteCond %{REQUEST_URI} !^/.+\.(html?|txt)$
RewriteRule ^.+\.[a-zA-Z]{3,4}$ - [F]
#######

-> where did you place the code?
-> is mod_rewrite available? try
####
RewriteEngine On
RewriteRule ^.* http://www.google.com [R,L]
####
you should see google.com for every request
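The referer test that caterham_www's RewriteCond pair expresses, written out as a PHP function so the edge cases are visible. This is an added example, not code from the thread: the allowed host list and the sample referers are assumptions. It keeps the deliberate "empty referer is allowed" behaviour, and compares the whole host rather than a prefix, because a pattern like `^http://(www\.)?savefile\.com` with no trailing slash or end anchor also matches a referer from `www.savefile.com.attacker.example`.

```php
<?php
// Added example (not from the thread): PHP equivalent of
//   RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com/ [NC]
//   RewriteCond %{HTTP_REFERER} !^$
// Host list and sample referers below are assumptions for illustration.

declare(strict_types=1);

const ALLOWED_REFERER_HOSTS = ['savefile.com', 'www.savefile.com'];

/** Returns true when the request may be served, false when it should get a 403. */
function referer_allowed(?string $referer): bool
{
    // Empty/missing referer is allowed on purpose: proxies, caches and
    // privacy software strip it, so blocking it blocks legitimate users.
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // unparsable referer: treat it as a hotlink
    }
    // Whole-host, case-insensitive comparison ([NC]). A prefix regex without a
    // trailing slash would also accept www.savefile.com.attacker.example.
    return in_array(strtolower($host), ALLOWED_REFERER_HOSTS, true);
}

// Constructed sample referers (not captured traffic) with the expected verdict.
$samples = [
    ''                                           => true,
    'http://www.savefile.com/filehost/'          => true,
    'HTTP://SAVEFILE.COM/'                       => true,
    'http://www.savefile.com.attacker.example/x' => false,
    'http://evil.example/?u=http://savefile.com' => false,
];
foreach ($samples as $ref => $expected) {
    $ok = referer_allowed($ref);
    printf("%-45s -> %s\n", $ref === '' ? '(empty)' : $ref, $ok ? 'allow' : '403');
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected verdict for '$ref'");
    }
}

// In a download script the gate is one line:
//   if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null)) { http_response_code(403); exit; }
```

The referer is supplied by the client, so any value in the table above can be forged by a script that sets the header; this stops casual hotlinking from other sites, not a determined downloader, which is why the later part of the thread moves to a session check.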
 

Author Comment

by:kgp43
ID: 13958335
so it will be more secure to place the files outside the public_html folder?
 
LVL 27

Expert Comment

by:caterham_www
ID: 13958460
no, there is no difference between the public_html folder and other folders, because the request from the user is the same: either with or without a referer.

It would be more secure to place the files outside the htdocs, if you use sessions to check if the user comes from a particular site. If the previously set session variable is present, you can open the file from outside the htdocs directory locally with php (fopen), read the content (fread/fgets) and send the buffer content via php to the user...

A more complex way...

Author Comment

by:kgp43
ID: 13958599
I'm already using a session to check if they came from the correct page.
Can you post an example of fopen and fread/fgets to a file placed in /home/username/download?

Will this work:
$filename = "/home/username/download/file.zip";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
header ("Content-Disposition: attachment; filename=\"$contents\"");

I have no idea if the above is correct and I can't test it before tomorrow.
 
LVL 27

Expert Comment

by:caterham_www
ID: 13958751
$filename = "/home/username/download/file.zip";
header("Content-Type: application/octet-stream");

$save = basename($filename);

$handle = fopen($filename, "rb");
$contents = fread($handle, filesize($filename));

fclose($handle);

header("Content-Disposition: attachment; filename=\"$save\"");
echo $contents;


########### OR ############

$filename = "/home/username/download/file.zip";
header("Content-Type: application/octet-stream");
$save = basename($filename);
header("Content-Disposition: attachment; filename=\"$save\"");
readfile($filename);
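The "more complex way" caterham_www describes, put together as one script: a session flag set by the one allowed page, files kept outside public_html, and the readfile() sending code from the comment above. This is an added example, not code from the thread; the directory, the session key name, the query parameter and the cache headers are assumptions. Beyond what the comment shows, it refuses any client-supplied path component and sends a Content-Length, since the client must never be able to pick a file outside the download directory.

```php
<?php
// Added example, not from the thread. Assumptions: files live in DOWNLOAD_DIR
// (outside public_html), the linking page did
//     session_start(); $_SESSION['came_from_filehost'] = true;
// and links look like download.php?file=file.zip (a bare name, no path).

declare(strict_types=1);

const DOWNLOAD_DIR = '/home/username/download';

session_start();

// 1. Only requests from a browser that has visited the allowed page get through.
if (empty($_SESSION['came_from_filehost'])) {
    http_response_code(403);
    exit('Direct access is not permitted.');
}

// 2. Never let the client choose a path. basename() drops directory parts,
//    and the realpath() check confirms the result still lives under
//    DOWNLOAD_DIR, which also catches ../ and symlink tricks.
$requested = basename((string)($_GET['file'] ?? ''));
if ($requested === '' || $requested[0] === '.') {
    http_response_code(400);
    exit('Bad file name.');
}
$base = realpath(DOWNLOAD_DIR);
$path = realpath(DOWNLOAD_DIR . '/' . $requested);
if ($base === false || $path === false
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('No such file.');
}

// 3. Send it. The download name is derived from the verified path and limited to
//    safe characters so it cannot break the Content-Disposition header.
$save = preg_replace('/[^A-Za-z0-9._\[\]-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Length: ' . (string)filesize($path));
header('Content-Disposition: attachment; filename="' . $save . '"');
header('Cache-Control: private, must-revalidate');

// Drop output buffering so a large file is streamed rather than held in memory,
// which is the advantage of readfile() over fread() into one string.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
exit;
```

With this in place the .htaccess referer rules become unnecessary for these files: they are not under the document root at all, so the only way to reach them is through the script and its session check.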
 
LVL 9

Expert Comment

by:_GeG_
ID: 13976208
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://savefile.com/.*$      [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://savefile.com$      [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://www.savefile.com/.*$      [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://www.savefile.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|exe|txt|jpg|gif|bmp|png|swf|jpeg|arj|rar|zip|ace|exe|txt|nfo|txt|doc|mp3|wav|xls|pdf|ttf|avi|bin|bpp|cfg|class|cue|dcu|eps|gz|gzip|hlp|ini|iso|jar|jsp|log|lisp|mid|midi|mpg|ogg|pas|pic|ptt|ps|psd|tar|tif|gm6|gmd|gml)$ - [F,NC]

The request can never match all rewrite conditions at once; you have to connect them using OR.
 
LVL 27

Expert Comment

by:caterham_www
ID: 13976626
This is a logical AND here, because the RegEx is prefixed by the exclamation mark (!), which negates the meaning.

... referer is NOT RegEx ^http://savefile.com/.*$  AND is not ^http://savefile.com$ AND is not ^http://www.savefile.com/.*$ etc.

If you remove the exclamation mark (= positive list), you'll need the OR flag.
 
LVL 9

Expert Comment

by:_GeG_
ID: 13977393
True, I missed that.
If they only want to check if the user comes from their own domain, this should be enough:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com/ [NC]
\.(jpg|jpeg|gif|png|bmp|exe|txt|jpg|gif|bmp|png|swf|jpeg|arj|rar|zip|ace|exe|txt|nfo|txt|doc|mp3|wav|xls|pdf|ttf|avi|bin|bpp|cfg|class|cue|dcu|eps|gz|gzip|hlp|ini|iso|jar|jsp|log|lisp|mid|midi|mpg|ogg|pas|pic|ptt|ps|psd|tar|tif|gm6|gmd|gml)$ - [F,NC]
 
LVL 9

Expert Comment

by:_GeG_
ID: 13977405
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com/ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|exe|txt|jpg|gif|bmp|png|swf|jpeg|arj|rar|zip|ace|exe|txt|nfo|txt|doc|mp3|wav|xls|pdf|ttf|avi|bin|bpp|cfg|class|cue|dcu|eps|gz|gzip|hlp|ini|iso|jar|jsp|log|lisp|mid|midi|mpg|ogg|pas|pic|ptt|ps|psd|tar|tif|gm6|gmd|gml)$ - [F,NC]
;)
 

Author Comment

by:kgp43
ID: 13984434
caterham_www :
Need to change my file/download system before this can be tested.
Will take a few days.


GeG:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@fs01.savefile.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/1.3.33 Server at www.fs01.savefile.com Port 80
 

Author Comment

by:kgp43
ID: 13984443
GeG:
I corrected the Internal Server Error, but it still allows me to download the file in the first post.
The user must come from http://www.savfile.com/filehost/

Going to change the filesystem so it fits the other suggestion.
 
LVL 9

Expert Comment

by:_GeG_
ID: 13985265
try if this works:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www\.savefile\.com/filehost/.* [NC]
RewriteRule .* - [F]
 
LVL 9

Expert Comment

by:_GeG_
ID: 13985296
No, this will not let anybody in. Let's say all downloads are in www.savefile.com/downloads/:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www\.savefile\.com/filehost/.* [NC]
RewriteRule ^/downloads/.* - [F]

will be better
 

Author Comment

by:kgp43
ID: 13993498
Still doesn't work :P
It lets me download the file by clicking the link in the first post, which shouldn't be allowed.
 
LVL 9

Expert Comment

by:_GeG_
ID: 13993732
Have you changed 'downloads' to the appropriate value for your system?
 

Author Comment

by:kgp43
ID: 13998392
I use mod_rewrite as well.
Is it possible to make it work with savefile.com in general (without any folder)?
 
LVL 9

Expert Comment

by:_GeG_
ID: 14016546
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com/.* [NC]
RewriteRule ^/files/.* - [F]

 

Author Comment

by:kgp43
ID: 14053057
caterham_www:

What do you do when you need to get a file placed on another server, then?
Can you connect by FTP and get it that way? If so, how?

I know how to connect to the FTP server, but I'm not sure how to get the file.
I think I need to use fget, but I'm not sure how it will work.

//FTP server info
$server_ip = "12.34.567.890";
$server_ftp_username = "user";
$server_ftp_password = "pass";

//Open the FTP connection
$conn_id = ftp_connect($server_ip);
$login_result = ftp_login($conn_id, $server_ftp_username, $server_ftp_password);

//Get the file from fileserver using FTP
fget....?

$filename = "/home/username/download/file.zip";
header("Content-Type: application/octet-stream");
$save = basename($filename);
header("Content-Disposition: attachment; filename=\"$save\"");
readfile($filename);
 

Author Comment

by:kgp43
ID: 14053490
Will FTP load/read the file to the "main one", so the bandwidth will increase each time a file is loaded from the fileserver? If so, is there another way?
 

Author Comment

by:kgp43
ID: 14054869
anyone?
 
LVL 27

Expert Comment

by:caterham_www
ID: 14058746
You use ftp_get to download the file first from your FTP server into your main server space. Then open the downloaded file like above from your main server. => caching: check, before downloading the file, whether it's already on your main server.
ftp_get($conn_id, $local_file_path, $remote_file_path, FTP_BINARY);


or you can write "on the fly" to an open file with ftp_fget()

ftp_fget ( int ftp_stream, int fp, string remote_file, int mode )
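The fetch-then-cache approach from the comment above, filled in with the ftp_get() call and the "is it already here?" check, as an added example rather than code from the thread. The host (an RFC 5737 documentation address), credentials, remote and cache directories are placeholders; a real deployment would keep the credentials out of the web root. This also answers the bandwidth question earlier in the thread: the transfer from the file server happens once per file, and every later download is served from the local copy.

```php
<?php
// Added example, not from the thread. Assumptions: FTP_* constants are placeholders,
// REMOTE_DIR is where the file server keeps the uploads, CACHE_DIR is a directory
// on the main server outside public_html that the web server user can write to.

declare(strict_types=1);

const FTP_HOST   = '192.0.2.10'; // documentation address, placeholder
const FTP_USER   = 'user';
const FTP_PASS   = 'pass';
const REMOTE_DIR = '/files';
const CACHE_DIR  = '/home/username/ftpcache';

/**
 * Return a local path for $name, fetching it from the file server only when the
 * cached copy is missing or its size differs from the remote file's.
 * Returns null when the file cannot be obtained.
 */
function fetch_to_cache(string $name): ?string
{
    $name   = basename($name);               // the client never chooses a path
    $local  = CACHE_DIR . '/' . $name;
    $remote = REMOTE_DIR . '/' . $name;

    $ftp = ftp_connect(FTP_HOST, 21, 10);
    if ($ftp === false || !ftp_login($ftp, FTP_USER, FTP_PASS)) {
        return null;
    }
    ftp_pasv($ftp, true);                    // passive mode works through most firewalls

    $remoteSize = ftp_size($ftp, $remote);   // -1 when unknown or unsupported
    $haveCopy   = $remoteSize >= 0 && is_file($local) && filesize($local) === $remoteSize;

    if (!$haveCopy) {
        // Download to a temporary name and rename afterwards, so a half-written
        // file is never served to a user who asks for it mid-transfer.
        $tmp = $local . '.part';
        if (!ftp_get($ftp, $tmp, $remote, FTP_BINARY)) {
            ftp_close($ftp);
            @unlink($tmp);
            return null;
        }
        rename($tmp, $local);
    }
    ftp_close($ftp);
    return $local;
}

// Usage: the same session check as in any gated download script belongs here,
// before the fetch, so that unauthorised requests cannot fill the cache.
$local = fetch_to_cache((string)($_GET['file'] ?? ''));
if ($local === null) {
    http_response_code(404);
    exit('File not available.');
}
header('Content-Type: application/octet-stream');
header('Content-Length: ' . (string)filesize($local));
header('Content-Disposition: attachment; filename="' . basename($local) . '"');
readfile($local);
```

ftp_fget() is the alternative when the file should not be kept: it writes straight into an already open stream such as `php://output`, but then every download costs a full transfer from the file server again.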
 

Author Comment

by:kgp43
ID: 14099353
Sorry for the delay, but I had some issues with my server (again).

I tested your code, but I only get the download box with Firefox; I get tons of odd chars with IE.

Code:
//Download the file
$filename = "/home/fs01/files/2005/05/22/[www.savefile.com]050522213336_For_you.zip";
header("Content-Type: application/octet-stream");
$save = basename($filename);
header("Content-Disposition: attachment; filename=\"$save\"");
readfile($filename);
 

Author Comment

by:kgp43
ID: 14099366
like this:

b÷ƒ‚C€ô-¨8 (gA9h´<»6Ö¥ÏÒ¶(:|†~æ*ûªÏÁ•ïêÜèl†ù~«÷ûL–ŒÝ€Ò´y‰DUÞ‰Ô¯ÂcÂ%¼–g¨õÒ«[µ`D„¾W½}3Ú{ ÎÝë?F ´8´âCûr?zt`{kt0ÔòÖ6Þo1Ñ/8Ö\ ú_&à-°0=FöÎTÂ~rx4ñSÕ£Ï%Y6¬‚ñ‘Õ·l*)µ—rcB™³j¯¨•5U~Y?\;V:SrlZ”4=3;:6.a¤ŽÖÁú™ÉýH3±×«È¿Å 2Ê‹»óa}Uñš®m_߀F½ŒJ™°‘«áçhzWöBl—ðØ”V1\XÓEŽë"F p¾Œ$gÜØK}bBVÌ;™ï|œÿ±M½M•¨êúÈ÷ ß›·˜[ -må¶7U7+œñX|›´­{J¥R"‘yBB1á*üª“ÀÉOãçÑéá$rjm9züƒð^ñxeÏ•kÊË ù¥T”×ÑjÛ¤ÂÄ„FŸ{­a!ÒG±ò.å*“`œ¤RVP@µç]²·'º¢ŒÙÄd¦¯3÷ˆ°Ð   4íãë{æì¹ÚÚZHüs8œŽŽŽ¡¡¡…E§Ó3æØ××µ ‚$T¢˜Û²G d54…¢ÉŸo'[“ÔdîQ]>ª›qH¬ØNÏ¿ÙHŒ«¯aÔ”frn*\J‰ex¼<Ó ÐKÏ}
 

Author Comment

by:kgp43
ID: 14195065
caterham_www: make an "answer" so I can accept you.
 
LVL 27

Accepted Solution

by:
caterham_www earned 2000 total points
ID: 14195136
IE has several problems with PHP downloads, try

   if(isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/MSIE/", $_SERVER['HTTP_USER_AGENT'])) {
       // IE Bug in download name workaround
       ini_set( 'zlib.output_compression','Off' );
   }


$filename = "/home/fs01/files/2005/05/22/[www.savefile.com]050522213336_For_you.zip";
$save = basename($filename);

header("Content-Type: application/octet-stream");
header("Pragma: public");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Disposition: attachment; filename=\"$save\"");
readfile($filename);
 

Author Comment

by:kgp43
ID: 14216652
that worked :)
