Settings for a specific file extension


#1

Hi,

I want to make it so that a user cannot view files of a certain extension by entering its address into the browser. Is there a server configuration or something to limit the access (I don’t think just chmoding it will work because I still want to include the file in another file and then the user can view it, but I really don’t know much at all about file permissions).

Thanks.


#2

It’s called Disable Hotlinking. Commonly used to stop people from leeching your images:
http://wiki.dreamhost.com/Preventing_hotlinking

-Scott


#3

Thanks for the effort, but that doesn’t work. If I type the address into the browser it still shows the file, which is what I want not to happen. Hotlinking isn’t really something that concerns me. It’s people accessing the file directly on my own domain.


#4

Hopefully someone who’s good at writing .htaccess rules can come up with something to ONLY show the image if the HTTP_REFERER is your local domain.

Based upon the wiki, this is what I’d try:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|gif|png)$ - [F]

From my understanding, this means that if the REFERER is not your domain, it’ll fail. A blank REFERER will also make it fail since blank is not your domain.

-Scott


#5

Just put the files outside of your site directory.

Instead of /home/user/domain.com, put it somewhere else in /home/user/.


:stuck_out_tongue: Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.


#6

What you posted is basically what I had. I think that perhaps it generates the referrer from the browser, not from some kind of session variable or anything like that. So it would still be my site when I type the address into the browser. But even if it did get the referrer from the session then all it would take is for the user to put the address into their browser from a page on my site.

I have a decent sized number of these files and they gather user data (and even though I am careful to add slashes and strip tags, I am sure somebody can find a way around the precautions I have taken), so that may pose a security issue to place them in a higher directory.


#7

How would that be a security risk?

Since a PHP script in your domain directory can access anything in your user directory, the only real difference is that they won’t be able to directly access the files from the web.

Otherwise, it’s not like people can view the source of your PHP script and see where you’re including files from, so you could just keep them anywhere in your domain directory… avoiding something obvious like example.com/includes/, without an index file.

But… that is just hiding them, not preventing access, like putting them outside of the domain directory.


#8

If I do that then I would have to set the permissions for my home directory at whatever permissions I have for these files. As I mentioned though, I am not well informed on chmoding, but to me that sounds like it could be problematic. Also, in the event that someone were to hack into my account, wouldn’t it be bad to have active php files in the home directory?

Here is the reason for my problem:
I have some forms on my site that are open for users to submit content to. The form results were being written into a php file as values for variables (like this… fwrite("\$myVariable = \"$_POST[form_field]\";"); ). The reason for not just using SQL is because there is some code that gets written into the file and which codes are written varies depending on the form values, so it just seemed like it would be a lot easier to do it all from the php file. There is also a function that takes the entire file as a parameter. Then I was concerned that these php files might be easy targets for any hackers. So I changed the extension to something random. But that ended up much worse because with the php files if you put the address into the browser it was only a blank page that came up; with the unrecognized extension it pops up with the option to either open or download the file to your computer, resulting in the entire contents of that php file being visible to anyone who knows the address.

So that makes it seem like no matter where I put these files with the new extension it ends up more risky than the original .php files unless I can configure it to act just like a php file. Would it be ok to have the php files in there like I originally had?
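The server configuration the original question asks for, as an added example that is not from any post in this thread: an .htaccess rule that returns 403 for every direct HTTP request to files with the chosen extension, while PHP include()/require() keep working because they read the file from disk rather than through the web server. It assumes Apache with AllowOverride permitting these directives, and ".dat" stands in for whatever extension you picked.

```apache
# Added example, not from the thread. Deny direct web access to the
# data files by extension; include()/require() in your PHP scripts are
# unaffected because they never go through an HTTP request.
# ".dat" and ".inc" are placeholder extensions; substitute your own.

# Apache 2.4 syntax
<FilesMatch "\.(dat|inc)$">
    Require all denied
</FilesMatch>

# Apache 2.2 syntax (use instead of the block above on older servers)
# <FilesMatch "\.(dat|inc)$">
#     Order allow,deny
#     Deny from all
# </FilesMatch>

# Check after deploying: a request for one of the files from a browser
# (or `curl -I http://example.com/path/file.dat`) must now return
# "403 Forbidden" instead of offering the file for download.
```

Denying direct requests only hides the file's contents; it does not change what happens when a script includes text taken from $_POST as PHP code, so the fwrite() approach described in #8 remains a code-execution risk wherever the file lives, and storing submissions as data (in a database or a plain data file that is read, not included) is the safer design.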