Today I got an issue, which says I should hide some files from the public. Actually these are some "user specific" files so others than the owner should not be able to see them.

I didn't want to read the files with fread or something like that if there are other options, so I did some research about the problem and found the X-Sendfile mod for Apache in another thread here on SO.

It works almost as I need it. Except one thing. The files are hidden with htaccess, they aren't visible for the "world" and I can serve them with X-Sendfile header after authentication.

BUT what if someone creates a PHP script that does the same thing as mine? Users may remember the URLs for the files. The files will be available for them. That's bad...

Do you have any idea what I can do to prevent anyone other than the owners from accessing their files without permission? I need a solution for nginx first.

The files are on a server without PHP, it's only a static file server.

Moving the files to another directory won't work; it would cause much more pain.

Thank you

UPDATE: It seems like I missed that the downloaded file was 0Kb or something like that, because I wasn't able to do the trick again.

Damien

1 Answer

> BUT what if someone creates a PHP script that does the same thing as mine?

Why are you letting users upload arbitrary code?

> Users may remember the URLs for the files.

Users will never see the URLs except for the script that uses X-Sendfile.

> Do you have any idea what I can do to prevent anyone other than the owners from accessing their files without permission?

Verify their auth in the script that uses X-Sendfile.

Ignacio Vazquez-Abrams
  • They won't be able to upload code. But they may have their own hosts (not on our servers) to run their scripts. – Damien Apr 17 '12 at 15:18
  • And about the URL. These files have been available for years I guess, so they may already know the URLs. – Damien Apr 17 '12 at 15:20
  • Maybe I missed something, but my test case was: I uploaded my script to server A, the hidden file was on server B. When I opened the script on server A, I was able to download the hidden file. So I guess if someone does the same, he could download the file too. – Damien Apr 17 '12 at 15:24
  • "the hidden file was on server B" Well there's your problem. Put them on the same server, or make it available via the filesystem. – Ignacio Vazquez-Abrams Apr 17 '12 at 15:26
  • Ahm, now I see. But it's not much better than using fread. The files have to be pulled through the network. Actually these files are smaller than 1Mb so it shouldn't be a big deal. It can be a solution, thank you. BUT... What if they figure out the file path? :) – Damien Apr 17 '12 at 15:42
  • It's *much* better than using `fread()`, since it's done at the C level by the web server instead of being done at the PHP level by your script. And the file path won't help unless they can tell the web server to give them the files (PROTIP: Put them outside `DocumentRoot`). – Ignacio Vazquez-Abrams Apr 17 '12 at 16:09
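
The check the answer and its comments describe, as an added example that is not part of the original thread: a PHP download script that maps an opaque file id to a path outside `DocumentRoot`, verifies that the logged-in user owns it, and only then emits the `X-Sendfile` header. The storage path, the `user_id` session key, the `id` query parameter and the ownership map are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed location of the private files, outside DocumentRoot.
const STORAGE_ROOT = '/srv/private-files';

/**
 * Return the absolute path for $fileId if $userId owns it, otherwise null.
 * $ownership maps file id => ['owner' => user id, 'path' => path below $root].
 */
function resolveOwnedFile(array $ownership, string $userId, string $fileId, string $root): ?string
{
    $entry = $ownership[$fileId] ?? null;
    if ($entry === null || $entry['owner'] !== $userId) {
        return null; // unknown id, or the file belongs to someone else
    }
    $rootReal = realpath($root);
    $fileReal = realpath($root . '/' . $entry['path']);
    if ($rootReal === false || $fileReal === false) {
        return null; // storage root or file missing
    }
    // Refuse anything that resolves outside the storage root (symlinks, "..").
    return strpos($fileReal, $rootReal . DIRECTORY_SEPARATOR) === 0 ? $fileReal : null;
}

// Constructed sample data; a real application would look this up in its database.
$ownership = [
    'doc-1001' => ['owner' => 'alice', 'path' => 'alice/contract.pdf'],
    'doc-1002' => ['owner' => 'bob',   'path' => 'bob/statement.pdf'],
];

session_start();
$userId = $_SESSION['user_id'] ?? null;   // assumed to be set by the login code
$fileId = $_GET['id'] ?? null;            // opaque id, never a file path

if (!is_string($userId)) {
    http_response_code(401);
    exit;
}
$path = is_string($fileId) ? resolveOwnedFile($ownership, $userId, $fileId, STORAGE_ROOT) : null;
if ($path === null) {
    http_response_code(404);              // same answer for "missing" and "not yours"
    exit;
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('X-Sendfile: ' . $path);           // the web server streams the file itself
```

On nginx the same pattern uses the `X-Accel-Redirect` response header, whose value is a URI inside a location marked `internal` rather than a filesystem path.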