Illusion of security and restricted content. Downloads.

Asked by Homdax (Fusioneer). Viewed 3,359 times.

All these years I thought that when you defined a download category to a certain user group, no one would be able to access the download without two prerequisites:
1. You are logged in.
2. You are a member of that user group.

I was just reviewing an upload (a single pdf file) that should not be shared publicly. Hence it is restricted to a download category that is limited to registered members in a predefined group. But anyone with the direct link can download it. The restriction you think you have acts like this:
It does not show the ENTRY in the download list unless you are logged on and in the group, but anyone with a direct link can download it.

Maybe I am utterly stupid and should have known this before, maybe some of you are laughing at me right now, but I actually TRUSTED PHPFusion to handle this and never had any reason to doubt it. Now, when doing a double check because it is sensitive stuff, I realize this is all a big illusion.

Again, there is no protection of the file, only of the entry in the download list.

Can anyone help me accomplish true security with a quickfix, because this is a showstopper. I cannot use PHPFusion on a site I have worked on and off on for a couple of years, and promoted to that community, telling them "everything is secure, this is a SECURE system". 7.02.07
Edited by Homdax on 28-03-2015 11:07
9 posts

Chan (Lead Developer of PHP-Fusion, Super Admin) answered:

No, you cannot avoid direct download prohibition when someone knows your file name.

The majority of the community commented against hashing files earlier - file_exists() thread (have a search and look).

Richard, do not reveal the original filename you want to protect to anyone, including yourself.

When uploaded to your site, immediately rename it to q20981209180r9uwjdoajifasoidj_auisoda9s8duas9d8aus.pdf.
This is your "Source" file.

The process..

When people click at your download link, we copy the source into a temporary folder with another unique hashed name, send the link, start a session and immediately delete that file. This file is then no longer available, forever. Hence, making it valid only for 1 session.

If download breaks midway, repeat the whole process again.

Do you have Craig helping you?


if (isset($_POST['download_file'])) { // <--- the id.
    // do the process: fetch the record, restricted to rows the viewer's groups may access
    $result = dbquery("SELECT * FROM ".DB_DOWNLOADS." WHERE ".groupaccess('download_access')." AND download_id='".intval($_POST['download_file'])."'");
    if (dbrows($result) > 0) {
        $data = dbarray($result); // this is the file record.

        $source = $data['download_file']; // this is your download source (the renamed "Source" file)
    }
}
Homdax (Fusioneer) answered:

That is, with some additional features, the obvious workaround, but when you deal with files that are part of an inherent structural documentation, agendas, protocols and such, people will only ask me why I gave the file such a strange name, should they download it and want to store it. Makes it pretty hard to tell people to look at "section b in document c" if file name obfuscation prevents them from identifying the file, offline. And, still not file security.

I was actually thinking more along a htaccess file in the relevant directory.
Either the htaccess forwards instructions to php, or php picks up protection from htaccess, be that perhaps a user : pwd combo or something else.

Maybe: http://stackoverflow.com/questions/5231041/retrieve-htaccess-login-name-from-php

Or perhaps a redirect to file...
RedirectMatch 301 /blog(.*) /$1

If that could work sending all file requests to /downloads.php?
Edited by Homdax on 28-03-2015 13:48

Chan (Lead Developer of PHP-Fusion, Super Admin) answered:

I haven't experimented with such a method before. If I were in your shoes now, I'd use my above method: hash against a zipped-up file, which is password protected via zip as well. That is the general method. If you're talking about folder access, yes, without using file access..

If your folder has a blank index.php, people can't browse your folder. I'll look into the .htaccess later, but you can start working on it already if it's urgent. Just zip your docs into a zip file, password protect it, hash its name. Don't distribute. When I have the .htaccess model, I'll share. I'll try to test tomorrow.
Chan (Lead Developer of PHP-Fusion, Super Admin) answered:

Bah, I just looked at http://stackoverflow.com/questions/19513749/how-to-retrieve-a-specific-get-data-in-htaccess-and-pass-it-on-rewrite-rule

Then this method is ok. What we do is to bounce all traffic back to index.php, and in index.php do an authentication and retrieve the file.
That will work, because $userdata['user_id'] is present if you include maincore.php in that index.php file.
Homdax (Fusioneer) answered:

No, it is not urgent, I will do a tedious workaround, rewriting the doc into a CP.

I am glad I could inspire you to find a solution that could be core compatible and perhaps suitable for all downloads...
.htaccess is good for many things, but is often overlooked, since you add an additional software layer and coding to the site, while thinking PHP or whatever code base should be enough. Which it is not in this case.

Another step towards a safer PHPFusion. B)
Chan (Lead Developer of PHP-Fusion, Super Admin) answered:

Ok, so for this I will try to make it for v9.00. We're almost there for the public release.
Chan (Lead Developer of PHP-Fusion, Super Admin) answered:

Ok, I shuffled some things inside the Downloads system in order to make this work.

1. Downloads/ -- add a subfolder /files.
2. Inside /files, add a .htaccess with this:


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^.+$ ../index.php [L]
</IfModule>


3. Add a new blank index.php file into /files.

4. In the Downloads/ folder, add this file:


<?php
/*-------------------------------------------------------+
| PHPFusion Content Management System
| Copyright (C) PHPFusion Inc
| https://www.php-fusion.co.uk/
+--------------------------------------------------------*
| Filename: downloads/index.php
| Author: Frederick MC Chan (Hien)
+--------------------------------------------------------+
| This program is released as free software under the
| Affero GPL license. You can redistribute it and/or
| modify it under the terms of this license which you
| can read by viewing the included agpl.txt or online
| at www.gnu.org/licenses/agpl.html. Removal of this
| copyright header is strictly prohibited without
| written permission from the original author(s).
+--------------------------------------------------------*/
require_once "../maincore.php";
// Every request to downloads/files/* is rewritten here. Only the last path
// segment (the file name) matters; the query string must not become part of it.
$request = pathinfo(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
$file_name = stripinput(trim(preg_replace("/ +/i", " ", censorwords($request['basename']))));
// groupaccess() restricts the lookup to rows the current user's groups may see
$result = dbquery("SELECT download_file FROM ".DB_DOWNLOADS." WHERE ".groupaccess('download_visibility')." AND download_file='".$file_name."'");

if (dbrows($result) > 0) {
    $data = dbarray($result);
    require_once INCLUDES."class.httpdownload.php";
    $object = new httpdownload;
    $object->set_byfile(DOWNLOADS."/files/".$data['download_file']);
    $object->use_resume = true;
    $object->download();
} else {
    // Unknown file, or the viewer is not in an allowed group: answer 404 instead of a blank page
    header("HTTP/1.0 404 Not Found");
    exit;
}


5. In your download Administration, change the upload path to -- /files/
6. In your front end, change the download path to include /files/

All should work if you make the minor changes in v7.

Git for V9 - all first commits on Mar 29, 2015 by me.
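The same gate as Chan's index.php above, written here as an added, self-contained example that is not PHP-Fusion code. It goes one step further: the files live outside the web root (so no rewrite rule is needed to block direct URLs) and the random on-disk name is handed back to the browser under the original file name, which answers the strange-filename objection earlier in the thread. $storageDir, $userGroups (what $userdata would supply) and $catalogue (what DB_DOWNLOADS would supply) are constructed stand-ins.

```php
<?php
// Added example (not PHP-Fusion code): a download gate that keeps files outside
// the web root and serves them under their original name. Stand-ins: $storageDir,
// $userGroups (from $userdata in PHP-Fusion) and $catalogue (from DB_DOWNLOADS)
// are constructed sample values.
$storageDir = '/var/www/private_downloads';   // directory Apache does not serve
$userGroups = [0, 3];                          // constructed: groups the viewer belongs to
$catalogue  = [                                // constructed: public name => record
    'agenda-2015.pdf' => ['disk' => 'q20981209180r9uwjdoajifasoidj.pdf', 'group' => 3],
    'minutes.pdf'     => ['disk' => 'auisoda9s8duas9d8aus.pdf', 'group' => 5],
];

function resolve_download(string $uri, array $catalogue, array $groups, string $dir): ?array
{
    // Only the last path segment matters; the query string is not part of the name.
    $path = (string) parse_url($uri, PHP_URL_PATH);
    $name = basename(rawurldecode($path));
    if ($name === '' || !isset($catalogue[$name])) {
        return null;                           // no such entry
    }
    $entry = $catalogue[$name];
    if (!in_array($entry['group'], $groups, true)) {
        return null;                           // viewer is not in the required group
    }
    // Canonicalise and refuse anything that resolves outside the storage directory.
    $real = realpath($dir . '/' . $entry['disk']);
    $base = realpath($dir);
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return ['path' => $real, 'name' => $name];
}

$hit = resolve_download($_SERVER['REQUEST_URI'] ?? '/', $catalogue, $userGroups, $storageDir);
if ($hit === null) {
    http_response_code(404);                   // same reply for "missing" and "forbidden"
    exit;
}
// Stream the random-named file but let the browser save it as "agenda-2015.pdf".
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($hit['path']));
header('Content-Disposition: attachment; filename="' . addslashes($hit['name']) . '"');
header('X-Content-Type-Options: nosniff');
readfile($hit['path']);
```

With the sample data, a request for /downloads/agenda-2015.pdf?x=1 is served to a member of group 3, while /downloads/minutes.pdf and any name not in the catalogue get a 404 regardless of the link.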
Chan (Lead Developer of PHP-Fusion, Super Admin) answered:

Illusion solved.
Chan (Lead Developer of PHP-Fusion, Super Admin) answered:

New Download System is out for 9 due to this. I tweaked, then got frustrated, then deleted everything and rewrote the whole program. I believe mods to the download system could be better after this change. Thank you for the tell.