1

I have a question in my mind that how mod_rewrite increases the security.

I have a my php file which shows a .pdf file online like www.exaple.com?id=234 and it makes a query to database and get the actual folder location.

the actual folder location is uploads/ and i am using something like how to hide the actual folder location

Now i want to use google docs 

 echo "<iframe src=\"http://docs.google.com/gview?url=".root."uploads/myfile.pdf"."&embedded=true\" style=\"width:100%; height:100%;\" frameborder=\"0\"></iframe>

but i don't want to show the upload directory uploads/ in this url.So i use module_rewrite to change the directory name to myfiles/ .

The question is that when user changes the directory to www.example.com/myfiles/hacking.php than it will also rewrite to uploads/hacking.php.

I am allowing user to upload files.although i am using blacklist but we assume that security holes may present

Community
  • 1
  • 1
StaticVariable
  • 5,253
  • 4
  • 23
  • 45

2 Answers2

1

Don't put the file in a web accessible location. Keep it someplace out of the www root, and have a script to open, read and output the file to the browser.

That way, even if it is a php file, only the content will be sent down and will not be executed.

iWantSimpleLife
  • 1,944
  • 14
  • 22
  • i am using godaddy shared hosting ? can you tell me where is the root folder?i don't have such folder and i don't have access to outside my directory – StaticVariable Oct 03 '12 at 11:48
  • You are using apache web server right? Another way is to put in a .htaccess file in the upload folder to prevent the folder from running any scripts. – iWantSimpleLife Oct 04 '12 at 00:30
1

Rewriting a url to hide a path is useless.

In the end you have a URL that the user can use. A request will send him the resource. Whats the difference if he requests example.com/?fileid=123 instead of example.com/uploads/file123.ext?

Yes, putting stuff in parameters forces you to use a script to fetch and send the resource. Using something that looks like a path only allows you to use this script. But it can be used, and nothing of this improves security. Not using a script means not being able to check if the user requesting the resource is allowed to, but for public resources this is no issue.

What are you really trying to do? Your security problem is to check whether malicious content was uploaded? If you allow uploading executables, and additionally allow them to be executed, you are doomed. Rewriting any URL does not help in any way.

Check what is uploaded. Prevent this stuff from being executed on your server.

When it comes to using the URLs discussed here, the situation should be like this:

If without rewriting you would reference /uploads/example.pdf, using rewriting should transform this url into something else, and disable the original url! If you still can get the stuff via the uploads folder, your rewrite is wrong.

If it is right, you are not in any need to use the old uploads url, because it does not work anymore.

Sven
  • 69,403
  • 10
  • 107
  • 109
  • i am using blacklist to restrict user uploading malicious file?But the question is that in the iframe url i don't want to show the location uploaded files? – StaticVariable Oct 03 '12 at 11:46
  • 1
    Blacklist is bad. You deny only what you know is bad. Unknown bad will pass. Whitelist is better. Only known good will pass. Unknown good will be rejected, but that's ok, someone will complain and you can adjust the whitelist. – Sven Oct 03 '12 at 12:08
  • i am also using that. to allow only pdf files. – StaticVariable Oct 03 '12 at 12:10
  • In your IFrame, you only have to supply the URL that loads the file, if it is rewritten or not does not matter. – Sven Oct 03 '12 at 12:13
  • but ther user will get the upload location folder? – StaticVariable Oct 03 '12 at 12:17
  • Would like you to edit your question to reflect the current state of the discussion. I can then update my answer. Please shine some light on which URLs we are currently talking about. – Sven Oct 03 '12 at 12:19
  • i just want to hide the actual upload location of my site.But mod_rewrite is not useful in this case? – StaticVariable Oct 03 '12 at 12:22
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/17504/discussion-between-sven-and-jhonraymos) – Sven Oct 03 '12 at 12:24