Protecting Files with Coldfusion & force downloads

There seems to be a lot of information but no solid steps to this.
I have traffic coming in and being directed towards a central flash file. This flash file is a big resource with a lot of linked material. The flash file and every .cfm file is protected by code in the header and application pages. This leaves direct links to the files exposed.

My need is twofold and I believe they can both help each other.
1) If no one knows the name of the file.. they go to download the link.. I would like to hide the file location and force a save as dialog box
2) If someone should guess the path to the file and type it in directly - how to prevent those requests.

I had started playing around with forcing everyone to a FileDownload.cfm which does some hiding and is protected by the application code - but it still leaves files wide open.. I have something like so...
<cfset docN = URL.docN>
<cfset docD = URL.docD>
<cfcontent type="application/x-unknown">
<cfheader name="Content-Disposition" value="attachment;filename=#docN#">
<cfheader name="Content-Description" value="Resource file.">
<cflocation url="/#docD#/#docN#">

Any ideas?
jjayzin
Asked:
dgrafx commented:
1) If no one knows the name of the file.. they go to download the link.. I would like to hide the file location and force a save as dialog box

Let's use an example folder named "downloads". This is where your downloadable files are.
This is just an example. cfdirectory outputs files in that directory - you can use a different query to give list of files.

<cfdirectory action="list" directory="C:\Inetpub\wwwroot\downloads" name="files">
<cfoutput query="files">
     <a href="http://yoursite.com/getfile.cfm?filename=#URLEncodedFormat(name)#">#name#</a><br>
</cfoutput>

Then here is the new file getfile.cfm :
<cfheader name="content-disposition" value="inline; filename=#filename#">                        
<cfcontent type="application/unknown" file="C:\Inetpub\wwwroot\downloads\#filename#" deletefile="no">

         
2) If someone should guess the path to the file and type it in directly - how to prevent those requests.

You should put your folder outside of your website.
Like C:\Inetpub\downloads (you'd then need to change your directory path in code above)
This will prevent anyone from accessing via a browser.
Also by opening Windows Explorer and right-clicking on [downloads] and selecting Properties and checking the Hidden checkbox - click OK.
This will disallow users who can guess the path from getting the files by entering the path into their browser.
You'd only need to do this if the downloads folder is within the website - like if you can't move it outside the webroot.
 
jjayzin (Author) commented:
That's a great suggestion. I'm going to work through it now and see if I'm successful. It does ruin the directory structure I set up to group content in specific folders.. but perhaps I'll use a variable to change download/ to download/Tutorials or download/Marketing etc.

Any pitfalls to dynamically changing the directory in the list command?

The only thing I am unsure of - or didn't realize is that getfile.cfm can reside anywhere but output a directory outside the website. I had no idea. I'm going to try that now. Thanks!

 
jjayzin (Author) commented:
Okay... I've implemented this and gotten all my vars to pass from flash to my fileDownload.cfm using the header and content above but seem to have a problem...  when I'm opening a PDF - acrobat reader launches - doesn't ask for save or open dialogue box AND opens with a "temp" file name...

Acro20A.tmp....
Now - I pass a directory variable docD and a file name var - docN in any url string. When doing this with a zip file - the open / save as box pops up like most zips do AND the file name is kept intact.

Any ideas - was the code missing something I was supposed to add or is this going to be a problem with any Microsoft document (xls, ppt, doc) and PDFs? (And yes, I will be dealing with all those types.)

My code is like so...

<cfset docN = URL.docN>
<cfset docD = URL.docD>
<cfheader name="content-disposition" value="inline; filename=#docN#">                        
<cfcontent type="application/unknown" file="e:\Inetpub\USA\downloads\#docD#\#docN#" deletefile="no">


Thanks!
 
dgrafx commented:
The part of the problem where it launches without asking is because at some point you had unchecked the
"always ask before opening this type of file" - This is a browser setting.
I don't know off hand how to reset to default. Look around your browser.

As for opening with a tmp ext ??? - is the "server" on your local development machine?
 
jjayzin (Author) commented:
The server is not my development machine but I'm developing then loading everything up and testing in the final server environment.

I load in xml into flash - then use flash interface to pass along doc information to my fileDownload.cfm
There was not a break in that process otherwise I would have gotten file not found or a server error.

I modified the code like so and so far it seems to work and correct the file name AND force the open/save as box. (Which is interesting since I've seen contradicting info on which forces that: "inline" or "attachment".)

My code is now
<cfset docN = URL.docN>
<cfset docD = URL.docD>
<cfif Right(docN, 3) EQ "pdf">
      <cfset apptype = "application/pdf">
<cfelseif Right(docN, 3) EQ "zip">
      <cfset apptype = "application/zip">
<cfelse>
      <cfset apptype = "application/unknown">
</cfif>
<cfheader name="content-disposition" value="attachment; filename=#docN#">
<cfcontent type="#apptype#; name=#docN#" file="e:\Inetpub\myFolder\downloads\#docD#\#docN#" deletefile="no">


I also assumed, which we know is incorrect, that on both the "save" or "open" the window would close, because that's how the "open" handles it. Is there another content tag to force the close when a user selects "save"? I didn't see any on Livedocs and that would just round this out - it would be nice and clean.

As for the .tmp - I'm not sure if the new type="" mod or more the value="attachment" or the conditional mime types corrected that (or if those conditional application types are even necessary).


 
dgrafx commented:
Not that I know of - that's a browser thing also, I believe.
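
Added example (not code from either poster): both getfile.cfm and fileDownload.cfm above place request parameters straight into the path given to cfcontent, so moving the folder outside the webroot only helps if the handler also constrains which file it will serve. This sketch treats docD as a key into a fixed allowlist and checks docN before use; downloadRoot, categories and mimeTypes are hypothetical names and values, and it assumes Application.cfm has already authenticated the request.

```cfml
<!--- fileDownload.cfm (added example; not code from the thread).
      Hypothetical names: downloadRoot, categories, mimeTypes.
      Assumes Application.cfm has already authenticated the request. --->
<cfparam name="URL.docD" default="">
<cfparam name="URL.docN" default="">

<!--- Folder outside the webroot, as the answer recommends (placeholder path). --->
<cfset downloadRoot = "E:\protected_downloads">
<!--- docD is only a lookup key into this allowlist, never part of the path itself. --->
<cfset categories = { "Tutorials" = "Tutorials", "Marketing" = "Marketing" }>
<cfset mimeTypes  = { "pdf" = "application/pdf", "zip" = "application/zip" }>

<!--- Reject unknown categories, empty or over-long names, a leading dot, and any
      character outside a conservative set (no slashes, colons, quotes, CR/LF). --->
<cfif NOT structKeyExists(categories, URL.docD)
      OR len(URL.docN) EQ 0 OR len(URL.docN) GT 100
      OR left(URL.docN, 1) EQ "."
      OR reFind("[^A-Za-z0-9 _.-]", URL.docN)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Canonicalise, then confirm the result is still inside downloadRoot. --->
<cfset sep       = createObject("java", "java.io.File").separator>
<cfset root      = createObject("java", "java.io.File").init(downloadRoot).getCanonicalPath()>
<cfset candidate = root & sep & categories[URL.docD] & sep & URL.docN>
<cfset target    = createObject("java", "java.io.File").init(candidate).getCanonicalPath()>
<cfif (left(target, len(root) + 1) NEQ (root & sep)) OR NOT fileExists(target)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Choose the MIME type from a fixed map; anything else is a generic download. --->
<cfset ext  = lCase(listLast(URL.docN, "."))>
<cfset mime = "application/octet-stream">
<cfif structKeyExists(mimeTypes, ext)>
    <cfset mime = mimeTypes[ext]>
</cfif>

<!--- docN is safe to echo into the header because quotes and CR/LF were rejected above. --->
<cfheader name="Content-Disposition" value='attachment; filename="#URL.docN#"'>
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfcontent type="#mime#" file="#target#" deletefile="no">
```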