Solved

Is it possible to obfuscate the folder where a file to be downloaded is localized?

Posted on 2014-01-11
15
499 Views
Last Modified: 2014-01-14
Hi Experts!

Is it possible to obfuscate the folder where a file to be downloaded is localized by using a PHP or even HTML resource?

By example, say a file called xyz_app.zip is located at the folder bellow:

www.mysite.com.br/Downloads/xyz_app.zip

My PHP application doesn't allow to go to a page that addresses directly to it until defined rules in the site are fulfilled, but If someone know where the files remains could go directly to that address without fullfill the needed rules -  and I aim to avoid it.

Thanks in advance!
0
Comment
Question by:Eduardo Fuerte
  • 5
  • 5
  • 4
  • +1
15 Comments
 
LVL 30

Accepted Solution

by:
Marco Gasi earned 300 total points
Comment Utility
Replace the html lin with a form this way:

<form action="download.php" method="post">
<input type="submit" name="download" value="Download" />
</form>

Open in new window


Then create the dwonload.php file:

$post = filter_input( INPUT_POST, "download");
if ($post) {
        $filename = "Downloads/xyz_app.zip";
	header( "Content-Type: application/octet-stream" );
	header( "Content-Length: " . filesize( $filename ) );
	header( "Content-Disposition: attachment; filename=" . basename( $filename ) );
	readfile( $filename );
}

Open in new window


This will start download without leaving the page.

Cheers
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
Comment Utility
No need.  What you should do is store your files outside of the www.  On a windows server, you can use file system object to grab the file once uploaded and move it to your secret folder.  
http://www.php.net/manual/en/ref.filesystem.php
For the link, you can generate a random link when the page loads that will grab the file and bring it temporarily to the www.    With this method, even if the user finds where you downloaded from, they will not be able to the 2nd time.
0
 
LVL 108

Expert Comment

by:Ray Paseur
Comment Utility
You can store the files outside of the WWW directory tree and use something like this to force a download.  If you add PHP client authetication, as shown in this article, you can exert some control over who would be allowed to access these files.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

Depending on the file type, you may want to serve the files directly (such as images) and there are different HTTP headers that would let you do that, too.

<?php // RAY_force_download_GET.php
error_reporting(E_ALL);


// EXAMPLE OF USAGE
// <a target="_blank"
//    href="RAY_force_download_GET.php?u=http://www.google.com/intl/en_ALL/images/logo.gif">Google Logo</a>


// REQUIRED FOR USE WITH THE PHP date() FUNCTIONS
date_default_timezone_set('America/New_York');

// THE NAME OF THE FILE TO DOWNLOAD IS IN THE URL
$url = !empty($_GET["u"]) ? $_GET["u"] : NULL;

// USE CASE
if ($url) force_download($url);



// FUNCTION TO FORCE A DOWNLOAD FROM A FILE
function force_download($filename)
{
    // TRY TO GET THE CONTENTS OF THE FILE
    $filedata = @file_get_contents($filename);

    // SUCCESS
    if ($filedata)
    {
        // GET A NAME FOR THE FILE
        $basename = basename($filename);

        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=$basename");
        header("Content-length: " . (string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // CAPTURE THE FILE IN THE OUTPUT BUFFERS - WILL BE FLUSHED AT SCRIPT END
        ob_start();
        echo $filedata;
    }

    // FAILURE
    else
    {
        trigger_error("ERROR: UNABLE TO OPEN $filename", E_USER_ERROR);
    }
}

Open in new window

0
 

Author Comment

by:Eduardo Fuerte
Comment Utility
marqusG code is simple and runs perfectly well

 Is it (easily) possible for someone to discover download.php code (marqusG solution) ?

I've changed the files outside www too (according to the other solutions)... so the security is much higher (since the provider Windows Server have to much better security mechanisms) , ok?
0
 
LVL 30

Expert Comment

by:Marco Gasi
Comment Utility
To discover download.php code there should be a hard security whole in the server, since php code is executed in the server and not inthe client side. Moving file outside the www dorectory add a firther security level, so you can sleep happy... but keep in mind the security is a work in progress and what is secure today could be unsecure tomorrow. We can't never be sure all is ok, but this provided solutions give you a reasonable security level, I think :)

Cheers
0
 
LVL 108

Expert Comment

by:Ray Paseur
Comment Utility
Is it (easily) possible for someone to discover download.php code
Yes.  The name of the script is in clear text inside the web page, and once someone has seen the name, it's public information.  If you want to exert any control over who can download the files, you need to consider client authentication.  There may be some other tests you want, as well.  Perhaps you want to check the HTTP_REFERER before doing the download.
0
 
LVL 30

Expert Comment

by:Marco Gasi
Comment Utility
@Ray: are you meaning that someone can easily discover the name of the page 'download.php' or that someone can easily read the download.php content, taht is the download.php code?
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:Eduardo Fuerte
Comment Utility
Considering the file 'download.php' has in its script a relative path to where the files to be downloaded (outside www)  phisically remains even if this script could be read the security continues high, ok?
0
 
LVL 30

Expert Comment

by:Marco Gasi
Comment Utility
I think Ray ment to say that anyone can read that the file which starts the download is called 'download.php', since one can simply view the source code of the page and see the value of the action attribute of the form. But the download.php content is not accessible to anyone.
Anyway, if files resides outside the root directory, the security level will be high (being said what I wrote above).
0
 
LVL 108

Expert Comment

by:Ray Paseur
Comment Utility
... someone can easily discover the name of the page 'download.php'
Exactly, and unless that script is protected in some way, anyone who discovers it can run it, getting the results it produces.  Protecting the PHP script code is probably less important than protecting the data that would be downloaded.
0
 

Author Comment

by:Eduardo Fuerte
Comment Utility
After read what you've posted I radically changed the way downloads could be done.

It couldn't be downloaded directly anymore. If someone would like to download must first send an email to the site with the motivation and then - after analysis -  receive another email with a link to where the data to be downloaded remains - and the data's localization  changes from time to time.

This reduces agility but avoid malicious download (mainly since last month a lot of downloads was done from a very well known country - they intends to decompile and copy my system)

I guess with this strategy only with net provider's server invasion they could get the files, isn't it?
0
 
LVL 30

Expert Comment

by:Marco Gasi
Comment Utility
Mmmhh... this could not only reduce the agility but even the number of persons who decide to download your software.

But I don't understand so well: if it's a commercial software it should be downloadable only after payement and you should have all client data, such as first name, last name, address, credit card number or Paypal transaction id and all data should be available through Paypal.
If it is a free software, there is no reason to crack it or decompile it and I don't see any reason to protect it.

Anyway, I think it would be a better choice to use my code and allow download only to registered users so you can monitor their downloads using simple php script...
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 200 total points
Comment Utility
I think you may want to read up on PHP client authentication.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

The general strategy would be something like this:

1. Client pays for the download and upon receipt of payment...
2. Your site creates a user registration and sets the client status to "logged in"
3. Your site redirects the client to the download page
4. The download page uses the access_control() function to verify client status
5. If the download page gets past the access_control() function, you know the client is OK
0
 

Author Comment

by:Eduardo Fuerte
Comment Utility
It's free software to pre defined kind of people Philantropic Institutions after proved they are - not for the others. First the download is TRIAL - free for someone would like to know the apps.

Even it's free someone are decompiling it to make a commercial software!
(unfortunatelly it was constructed with a language that in some way permits it - I've already consulted very qualified EE experts in that subject )

The email to request a download is very simple with very few informations to a minimal loss of agility - but preserving some security since could be analysed and if needed questioned before send the reply email.

Actually your code will be used in the email replies.

My site already permits user register for another actions - f.e. to obtain a perpetual license of the apps - after analisys.

@Ray: I've done an emergencial solution only to cease the very numerous downloads (bad intentioned) but I'm going to carefully read your article to a better solution!
0
 

Author Closing Comment

by:Eduardo Fuerte
Comment Utility
Thank you for all the guidance. The emergencial soluction worked out and downloads ceased, but I'm improving the solution.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

This article describes how to create custom column layout styles for Bootstrap. The article uses 5 columns to illustrate the concept, but the principle can be extended to any number of columns.
This article discusses how to create an extensible mechanism for linked drop downs.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now