• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 880
  • Last Modified:

Using PHP to control file access in Apache

Hi Experts,

I was wondering if anyone has devised a way to use PHP to control the access of web accessible files in Apache?  Is this even possible?  I was thinking that htaccess would have to be used and PHP passes the arguments to it. Though from what I've read this looks pretty impossible to do without giving away the security information.  Or am I looking at using PHP to manage an offline section of the server and pass all file downloads through a wrapper script?

Just looking for your insights into this problem.

Thanks,
Pete Hanson
UAR
0
upandrun3
Asked:
upandrun3
  • 4
  • 3
  • 3
2 Solutions
 
The_Blasted_OneCommented:
htaccess is a method (if we're on partial, password-based access restriction, there will be htaccess+htpasswd). One of the methods.

- You can restrict the access by editing htaccess/htpasswd directly, by your hand.
- You can edit htaccess/htpasswd with your php script (I see here no penalty to your security, if your script has no vulnerabilities that can give hacker a way to access your htaccess/htpasswd)
- You can manage all the access with your script (yes, wrapping the downloads with php). But make sure you've restricted the access to the directory where files are stored with htaccess.
- Or you can place that directory above the website root directory, so it can be accessed with local php wrapper script and cannot be accessed from the web.
0
 
m1tk4Commented:
Not quite sure what "impossible without giving away the security information" means - there are tons of online resource storage applications written in PHP that secure access to files.

A couple of ways I see it done is:

1. Use mod_rewrite in Apache to pass all requests for files in a specific directory to a PHP script that would perform authentication, then send the requested file using fpassthru() - simple to set up however if your files are very diverse in types you'll have to create the content-type headers yourself and you'll need to take care of all possible MIME-types.

2. Let PHP control .htaccess / mod_auth - doable, but kind of horse behind the carriage solution ;)

3. Use something like mod_auth_pgsql or mod_auth_mysql and control the user databases from PHP - logically very much like #2 but a bit more secure.
0
 
upandrun3Author Commented:
Thanks for you comments.

m1tk4, do you have any references your first idea? That sounds more like what I may want to do.

Our system already has a rich tool set to manage files in webspace (CMS system).  Ideally I could set up "protected" folders where files could go that would then pass through some form of PHP authentication. mod_rewrite may be the answer there.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
m1tk4Commented:
mod_rewrite: http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html

Your Apache config would be something like:

RewriteEngine on
RewriteRule ^/filestore/protectedfiles/(.*)$ /passthruapplication.php?filerequested=$1 [last]

This way, say, a request for a file at http://yourserver.com/filestore/protectedfiles/somefile.zip will actually call
/passthroughapplication.php passing "somefile.zip" as the value of "filerequeted" GET parameter.

See http://us.php.net/fpassthru for fpassthru(), you can actually use echo(file_get_contents(filename)); as well.

For descriptions of various solutions of MIME-type problems and other info on using PHP to serve content other than HTML, see _comments_ to http://us.php.net/manual/en/function.header.php - search for MIME and you'll find a few usable examples.
0
 
upandrun3Author Commented:
m1tk4, thanks the links.  I'm guessing then I'd have to use .htaccess files to protect the folder then for normal access, correct? Would that have an impact on the mod_rewrite?   I should have some time to test this solution out today.
0
 
The_Blasted_OneCommented:
Apache's mod_rewrite is controlled with .htaccess directives (RewriteEngine, RewriteRule), you're writing them within .htaccess.
Is this the thing you wanted to know?
0
 
m1tk4Commented:
Any authentication you would do for those folders would go on top of your PHP application. What you could do is move your file storage outside the web root altogether - for mod_rewrite purposes /filestore/protectedfiles does not have to exist at all.
0
 
upandrun3Author Commented:
The mod_rewrite solution worked great.  How secure is this set up? Do I need to worry about tricks to get around the rewrite rule?  Any other precautions I should take?
0
 
The_Blasted_OneCommented:
The mod_rewrite is secure enough, as Apache is. Your one is plain and simple, it has no vulnerabilities itself.
About precautions. As always - strong variable validation. Mod_rewrite gives no additional danger.

Your "filerequested" variable could be the source of your troubles.
You need to prevent the possibilities of requests like "passthruapplication.php?filerequested=../index.php"
Validate the variable with regular expressions. Validate strictly. Reject all ".." requests, for example. If you know that there's no subdirs, then reject all requests with "/". If you know all of your files contain only a-z, 0-9, _ - and extension - restrict the variable to this content. And so on.
Also, current rewrite could provide unwanted variables to your script. Request like "http://yourserver.com/filestore/protectedfiles/some.mp3&file=.htaccess" could harm your $file variable, if it is used in script and wasn't set to "". Make sure you have register_globals php directive turned off and get all the outside variables with $_GET or $_REQUEST.

This validation can entirely be done in .htaccess with mod_rewrite's features, but it is your choice to do it with mod_rewrite or with php. But note that incorrect .htaccess can stop your site from working, so edit it carefully.
0
 
upandrun3Author Commented:
Hi The Blasted One,

Thanks for the checks.  I've got a pretty decent folder and file classes built that do quite a bit of verification that nothing tricky is being done with file parameters (as these are used for web based file manager too). Good call on the . file access through the input var through, I'll check that, as I'm not sure on it.

Thanks for the help and you too m1tk4
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 4
  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now