WebApp Sec mailing list archives
Re: Securing file access
From: Subs <subs () steelesoftconsulting com>
Date: Wed, 29 Sep 2004 11:22:58 -0700
Or in PHP, which works just fine on IIS (even with forward slashes :)

    <?php
    // Stream a file that lives outside the www root to the (already authenticated) user.
    function send_file($path, $name) {
        if (!$fp = fopen($path . $name, 'rb'))
            die('Unable to open ' . $name);
        header('Content-Type: application/pdf');
        header('Content-Length: ' . filesize($path . $name));
        fpassthru($fp);
        exit;
    }

    // Trailing slash on the directory, since the two arguments are simply concatenated.
    send_file('/some/non/www/path/', 'mysecret.pdf');
    ?>
On 27 Sep 2004 at 11:57, John M. L. wrote:

> I have a project that involves a members only area on a web page on IIS.
> The members' only area is secured by a database (MS Access) so users are
> authenticated by their name and some MD5 hash etc. I need to allow files
> (mostly PDFs) for download to authenticated users only. In my opinion this
> means that the files can not be stored in any www accessible folder
> (regardless of any renaming convention etc, I absolutely cannot have someone
> guess a file name to download). In order to access the files, the database
> would link a file to a unique id, so a page that validates the user would
> then give access to the file stored outside of the www on the server. Now,
> this is where the real question lies. How is this possible since the files
> are not in a www accessible path, since a mere link to a file won't do.
> Any thoughts would be welcome. If I'm going about this completely wrong
> that would be nice to know too :) Forgive me if the answer is simple, I'm a
> Linux fan and haven't used IIS etc for years.
> One more note: IIS, MS Access and VBScript are not my technologies of
> choice, but merely what I was given to work with. I also have very limited
> control over administering IIS.
>
> John
> www.recaffeinated.com

Hi John,

You are going about this the right way. Store the PDFs outside the www root, but still give the user IUSR_<computer name> permission to read the files (or whatever user your site is running under). Once the web user has authenticated, your script can read the PDF into memory then stream the file to the user.
A simple example is below:

    <%
    ' Read the PDF from a path outside the www root and stream it to the
    ' authenticated user. pathtoPDF is set earlier from the database lookup.
    Set fs = Server.CreateObject("Scripting.FileSystemObject")
    Set PDFin = fs.OpenTextFile(pathtoPDF, 1, False)   ' 1 = ForReading
    PDF = PDFin.ReadAll
    PDFin.Close
    Set PDFin = Nothing

    Response.ContentType = "application/pdf"
    Response.BinaryWrite StrToBin(PDF)
    Response.End

    ' Convert the string read by the TextStream into a byte string for BinaryWrite.
    ' Note: TextStream reads through the ANSI code page, so bytes above 127 may not
    ' round-trip; ADODB.Stream with Type = 1 (adTypeBinary) reads the raw bytes.
    Function StrToBin(str)
        Dim x
        For x = 1 To Len(str)
            StrToBin = StrToBin & ChrB(Asc(Mid(str, x, 1)))
        Next
    End Function
    %>

You may not need to use the StrToBin function - I can't remember off the top of my head ;)

Regards
Ian
--
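The pattern both replies describe (a page that checks the login, maps a database id to a file kept outside the www root, and streams it back with the right headers), written out as an added example in Python rather than in PHP or ASP; it is not code from the thread. The dict standing in for the Access table, the ids, the file names and the PDF contents are all constructed for the example. It adds the two checks a practitioner would want around the lookup: the resolved path must stay inside the store even if a database row holds a bad value, and the login check runs before the lookup so an unauthenticated request cannot probe which ids exist.

```python
"""Serve a PDF kept outside the web root to an authenticated user, addressed by a
database id rather than by file name. Added example, not code from the thread."""
import os
import tempfile
from typing import Dict, Iterator, Optional, Tuple

# Constructed stand-in for the database table that links a unique id to a file.
# The thread keeps this in MS Access; a dict lets the example run offline.
FILE_TABLE: Dict[str, str] = {
    "7f3a": "mysecret.pdf",
    "9c1d": "reports/q3.pdf",
}

CHUNK_SIZE = 64 * 1024


def resolve_file(base_dir: str, file_id: str,
                 table: Dict[str, str] = FILE_TABLE) -> Optional[str]:
    """Map file_id to an absolute path inside base_dir.

    Returns None when the id is unknown, the file is missing, or the resolved
    path lies outside base_dir. The containment check is kept even though the
    name comes from the database: a bad row must not reach outside the store.
    """
    name = table.get(file_id)
    if name is None:
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # realpath() has already collapsed ".." and symlinks, so a prefix test is sound.
    if os.path.commonpath([base, full]) != base:
        return None
    if not os.path.isfile(full):
        return None
    return full


def iter_file(path: str) -> Iterator[bytes]:
    """Stream the file in fixed-size chunks rather than reading it whole into
    memory as ReadAll does; memory use stays flat for large PDFs."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK_SIZE)
            if not block:
                break
            yield block


def send_file(base_dir: str, file_id: str, authenticated: bool
              ) -> Tuple[int, Dict[str, str], Iterator[bytes]]:
    """Return (status, headers, body) as a minimal WSGI-style handler would.

    Authentication is checked first so an unauthenticated caller learns nothing
    about which ids exist; unknown ids and out-of-store paths both map to 404.
    """
    if not authenticated:
        return 403, {"Content-Type": "text/plain"}, iter([b"Forbidden"])
    path = resolve_file(base_dir, file_id)
    if path is None:
        return 404, {"Content-Type": "text/plain"}, iter([b"Not found"])
    headers = {
        "Content-Type": "application/pdf",
        "Content-Length": str(os.path.getsize(path)),
        # Only the bare file name goes to the browser; the server-side path stays private.
        "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(path),
        "Cache-Control": "private, no-store",
    }
    return 200, headers, iter_file(path)


def build_demo_store() -> str:
    """Create a throwaway directory holding constructed stand-in PDFs for the demo."""
    store = tempfile.mkdtemp(prefix="pdfstore_")
    os.makedirs(os.path.join(store, "reports"))
    with open(os.path.join(store, "mysecret.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed secret document")
    with open(os.path.join(store, "reports", "q3.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed q3 report")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for fid, auth in (("7f3a", False), ("7f3a", True), ("zzzz", True)):
        status, headers, body = send_file(store, fid, auth)
        print(fid, auth, status, headers.get("Content-Length"), len(b"".join(body)))
```

The id in the URL is the only thing the client ever supplies; the file name comes from the table and is never taken from the request, which is what makes John's "cannot have someone guess a file name" requirement hold.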