8

For security I'm moving a collection of files and folders to outside the web root on an apache server, and then I will serve them dynamically. This seems better than 2 alternatives:

  1. Leave them web accessible and just create a php login page that gets prepended to every file. The problem is they're not all php files, and I can't prepend a php login file to a pdf, image, etc.
  2. Leave them web accessible and use HTTP authentication to restrict access to the whole directory. But that introduces problems including cleartext passwords, no graceful logout method, etc.

So we're back to having them outside the web root but serving them dynamically. The problem I'm having is, since they're all different file types (php scripts, txt, pdf, jpg) I'm not sure whether I should use include() or readfile(). And I run into problems with sending the proper headers for every file so that the browser displays them correctly.

Am I missing another magic solution? Is there a framework that has eluded me that handles the serving of dynamic files and headers?

(FYI I'm running Linux, Apache & PHP on a shared host)

Andrew
  • 8,363
  • 8
  • 43
  • 71
  • 1
    Wow, you are taking an easy problem and turning it into a hard one. – Dietrich Epp Oct 09 '11 at 06:16
  • 2
    @Dietrich what would be a easy solution then? – Pekka Oct 09 '11 at 07:06
  • @Pekka: HTTP Digest authentication, tell users to close their browsers to log out. – Dietrich Epp Oct 09 '11 at 09:30
  • 1
    @Dietrich it's most often not an option if you have advanced user management and authentication in place. I agree that's a sad state of affairs and passing files through a PHP script is a horrible waste of resources, but there's no non-complicated solution really – Pekka Oct 09 '11 at 09:47
  • 1
    @Pekka: The question insinuates that it is an option. And passing files through a PHP script is not the real waste of resources -- the real waste of resources is writing and debugging a script that never needed to be written in the first place. – Dietrich Epp Oct 09 '11 at 10:21
  • @Dietrich, I can't rely on my users to maintain the security of the system by making sure all instances of the browser are closed. Plus I need to be able to timeout people's authenticated sessions. – Andrew Oct 09 '11 at 18:54

2 Answers2

9

I think something like this would work:

<?php
$path = realpath(dirname(__FILE__) . '/../my_files/' . $_GET['file']);

$parts = explode('/', pathinfo($path, PATHINFO_DIRNAME));
if (end($parts) !== 'my_files') {
    // LFI attempt
    exit();
}

if (!is_file($path)) {
    // file does not exist
    exit();
}

header('Content-Type: ' . mime_content_type($path));
header('Content-Length: ' . filesize($path));

readfile($path);
Alessandro Desantis
  • 14,098
  • 1
  • 26
  • 32
1

The simplest way I can think of is by using .htaccess files. Assuming your web server is Apache, of course.

You could deny access to any kind(s) of files and/or directories for everyone and allow only for localhost. This way, they will not be served to the public, even if they know the correct path/url, but the server and PHP will be able to serve them.

For different web servers, there must be equivalent solutions. Plus, you can always switch to Apache :-)

Kostas Maragos
  • 569
  • 4
  • 18
  • Well, hiding the files from the public was not the problem. Moving them outside the web root or restricting access using .htaccess are equivalent to me. My problem is a good method for selectively serving those files when needed, to authorized users. – Andrew Oct 09 '11 at 07:27
  • ... and probably without using simple http authentication. Otherwise, .htaccess would still be an option. – GolezTrol Oct 09 '11 at 07:35
  • The two issues are independent... But since you took a paragraph to explain your choice of moving them off the web root, I thought I would point out that this is not a necessary step. Namely, when you say "...for security, I'm moving...", it's not an accurate reason or measure. – Kostas Maragos Oct 09 '11 at 14:42
  • Right. I see. I appreciate the input. – Andrew Oct 09 '11 at 18:56