0

I am using Martin Barker's code/answer from (PHP to protect PDF and DOC) almost verbatim; the only difference is that the file I am protecting is in my user folder above the public_html folder.

Folder structure

/users/websupport
/public_html

File to download is at:

/users/websupport/FileToDownload.pdf

The download.php file is at

/public_html/download.php

but Firefox tells me it cannot find the file: "Firefox can't find the file at download.php."

I have verified that the file is there via ftp.

If placing the file outside the webroot, do I need to add something to the site's .htaccess? Just not sure where I am going wrong with this. Below is the code within download.php:

```php
// check the user is logged in and valid for download; if not, redirect them out
// YOU NEED TO ADD CODE HERE FOR THAT CHECK
// array of supported file types for the download script and their MIME types
$mimeTypes = array(
    'doc' => 'application/msword',
    'pdf' => 'application/pdf',
);
// set the file here (best off using a $_GET[])
$file = "../users/websupport/2011cv.pdf";

// gets the extension of the file to be loaded for searching the array above
$ext = explode('.', $file);
$ext = end($ext);

// gets the file name to send to the browser to force download of the file
$fileName = explode("/", $file);
$fileName = end($fileName);

// opens the file for reading and sends headers to the browser
$fp = fopen($file,"r") ;
header("Content-Type: ".$mimeTypes[$ext]);
header('Content-Disposition: attachment; filename="'.$fileName.'"');

// reads the file and sends the raw contents to the browser
while (! feof($fp)) {
    $buff = fread($fp,4096);
    echo $buff;
}
// closes the file after we have finished reading it
fclose($fp);
```
John Cogan

2 Answers

0

Make sure the user your PHP script runs as has read access to that directory.

On PHP embedded in Apache on most Debian derivatives, the user will be 'www-data'.

AndrewPK
  • It's a shared hosting environment with CP access (Hetzner in South Africa), so not too sure if I am able to change the user, although CHMOD is possible obviously. – John Cogan Jun 27 '12 at 07:17
  • You should ask your shared host if it is possible for you to have a jailed shell or similar shell access. Also, in shared hosting environments, you are often running things as your own user due to suexec and 'suPHP' or the like, so you'd just need to chmod if that was the case. – AndrewPK Jun 28 '12 at 02:04
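
A hardened variant of the download script, as an added example that is not part of the original question or answers. It takes the file name from a `file` query parameter (an assumption, following the `$_GET` suggestion in the question's code comment), confines it to the directory above the web root, and checks readability, the point of the answer above, before any header is sent. The base path mirrors the question's folder layout and is also an assumption.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: the "file" query parameter and the base path below.
declare(strict_types=1);

const BASE_DIR = __DIR__ . '/../users/websupport';   // outside public_html
const MIME_TYPES = [
    'doc' => 'application/msword',
    'pdf' => 'application/pdf',
];

/** Returns the resolved path if $name is an allowed, readable file inside $baseDir, else null. */
function resolveDownload(string $baseDir, string $name, array $mimeTypes): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;              // base directory missing or not accessible to the PHP user
    }
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd"
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;              // not found, or a symlink that resolves outside the base
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset($mimeTypes[$ext]) || !is_file($path) || !is_readable($path)) {
        return null;              // unsupported type, or no read permission
    }
    return $path;
}

// The login / authorisation check from the original script still belongs here.

$name = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolveDownload(BASE_DIR, $name, MIME_TYPES);
if ($path === null) {
    http_response_code(404);      // explicit error instead of an empty response
    exit('File not available');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

If this returns 404 for a file that is visible over FTP, the PHP user most likely lacks read or directory-traverse permission on the path, or the host restricts PHP with `open_basedir`.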
0

I had the same issue recently where readfile() and fpassthru() just would not work on my server.

What I ended up doing was creating symlinks for the files as needed and passing those to the user. You can learn how to create symlinks here.

I used

```php
exec("ln -s source_file_full_path full_path_to_fake_file");
```

If you wanted your user to have a link like 'http://somesite.com/folder/fake_file.pdf', then the full path would be to where 'folder' lives on your server and you would include 'fake_file.pdf' in your fake file path.

Then, to expire the links, I made another call to find all of the symlinks with a creation date older than x minutes. You can see how to do that in this answer. (That could be a cron job to ensure they expire on time.)

Chris