
I have a folder in the root of my web share that holds semi-confidential PDF documents. I want anyone accessing that folder or its files to get a permissions error. That's easy to set up, and I have it working with

# Root .htaccess: refuse every request for a .pdf, whoever makes it (Apache 2.2 access-control syntax)
<FilesMatch "\.pdf$">
 Order Allow,Deny
 Deny from all
</FilesMatch>

However, I want a subfolder on the server that contains PHP scripts to be able to link to these PDF files. Note: I don't want PHP to be able to read the files internally on the server; I want HTTP requests that directly link to these restricted files to suddenly become possible.

I read that .htaccess files in child folders can override rules set higher up the folder path in a root folder's .htaccess file. To that end I have set up an .htaccess file in the specific subfolder with the PHP scripts (using allow from all), but it doesn't seem to work.

AdamJones

1 Answer


If you have PDFs in a /secret/ folder, and you have an .htaccess file in that folder, the file is going to get evaluated any time the PDF is accessed, regardless of who is accessing it or from where. The only difference, as far as the web server and what's in an .htaccess file can tell, between someone accessing that PDF from a Google list of results vs. a page that you have set up that happens to link to them is the referer.

From google, the referer will look like: https://www.google.com/search?q=secret+pdf (or something)

From the page you set up, the referer will look like the URL of the page that you set up. That's it, no other difference. That means you can match against the referer to see if someone clicked on your PDF link from Google or from your page. The problem is that anyone can make the referer anything they want. It can be completely forged to anything, so if this is an attempt to prevent unauthorized access, the HTTP referer is just about the worst way to do this.

RewriteEngine On
# Refuse the request unless the Referer starts with your page (the pattern is a regex, so the dots are escaped)
RewriteCond %{HTTP_REFERER} !^http://www\.yourdomain\.com/your_page\.html
RewriteRule \.pdf$ - [L,F]

Those rules in the htaccess file in your pdf directory will prevent linking from anywhere else besides: http://www.yourdomain.com/your_page.html, unless the referer is forged.

Jon Lin
  • Keep in mind that spoofing the HTTP Referer is possible, [see this question](http://stackoverflow.com/questions/3104647/how-to-spoof-http-referer) – Stan Sep 26 '13 at 10:02
  • Hi Jon Lin. Thanks for your response. To confirm; using the referer code is definitely the only way I can detect access to the file? – AdamJones Sep 26 '13 at 12:29
  • @AdamJones It's the only way to tell where someone clicked the link from. Accessing the file is accessing the file; the referer tells you where they accessed it from. – Jon Lin Sep 26 '13 at 14:35
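To make the answer's point concrete, here is an added example (not code from the question or the answer) that simulates the RewriteCond/RewriteRule above in Python and feeds it constructed raw HTTP requests: one arriving from a Google result, one from the linking page, one typed straight into the address bar, one with a forged Referer as `curl -e` would send it, and one for a non-PDF file. The hostname www.yourdomain.com and the path /secret/report.pdf are placeholders; the mod_rewrite semantics mirrored are that the negated condition refuses anything that does not match and that an absent header expands to the empty string.

```python
import re
from typing import Dict, Tuple

# Added example (not from the question or answer): a simulation of the answer's
# mod_rewrite rule, showing why a forged Referer is indistinguishable from a real one.
# Hostname and PDF path are placeholders; the regex is the answer's RewriteCond with
# the dots escaped.
ALLOWED_REFERER = re.compile(r"^http://www\.yourdomain\.com/your_page\.html")


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (request-target, headers).

    Header names are case-insensitive on the wire, so they are normalised with
    title() ("referer" and "REFERER" both become "Referer").
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return target, headers


def rewrite_decision(target: str, headers: Dict[str, str]) -> int:
    """Return the status the answer's rule produces for one request.

    RewriteRule \\.pdf$ - [L,F]  -> only .pdf targets are subject to the rule.
    RewriteCond %{HTTP_REFERER} !^...  -> the condition is negated, and an absent
    header expands to "", so a request with no Referer is refused as well.
    """
    if not target.endswith(".pdf"):
        return 200
    referer = headers.get("Referer", "")
    return 200 if ALLOWED_REFERER.match(referer) else 403


# Constructed requests, one per situation discussed in the answer. The forged one
# is byte-for-byte what `curl -e http://www.yourdomain.com/your_page.html` sends;
# nothing in it lets the server tell it apart from a genuine click on your page.
RAW_REQUESTS: Dict[str, bytes] = {
    "from_google": (
        b"GET /secret/report.pdf HTTP/1.1\r\n"
        b"Host: www.yourdomain.com\r\n"
        b"Referer: https://www.google.com/search?q=secret+pdf\r\n\r\n"
    ),
    "from_your_page": (
        b"GET /secret/report.pdf HTTP/1.1\r\n"
        b"Host: www.yourdomain.com\r\n"
        b"Referer: http://www.yourdomain.com/your_page.html\r\n\r\n"
    ),
    "typed_url_no_referer": (
        b"GET /secret/report.pdf HTTP/1.1\r\n"
        b"Host: www.yourdomain.com\r\n\r\n"
    ),
    "forged_referer": (
        b"GET /secret/report.pdf HTTP/1.1\r\n"
        b"Host: www.yourdomain.com\r\n"
        b"referer: http://www.yourdomain.com/your_page.html\r\n\r\n"
    ),
    "not_a_pdf": (
        b"GET /secret/index.html HTTP/1.1\r\n"
        b"Host: www.yourdomain.com\r\n\r\n"
    ),
}


def decide_all() -> Dict[str, int]:
    """Run every constructed request through the simulated rule."""
    return {name: rewrite_decision(*parse_request(raw)) for name, raw in RAW_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in decide_all().items():
        print(f"{name:22s} -> {status}")
```

The Google and no-Referer requests get 403 and the genuine click gets 200, but so does the forged request: the two "allowed" entries differ only in the client's claim about where it came from, which is the only signal the rule has. That is why the rule stops casual hotlinking and nothing more.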