WebApp Sec mailing list archives
Re: Securing file access
From: "James Barkley" <James.Barkley () noaa gov>
Date: Thu, 30 Sep 2004 05:07:05 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

```php
<?php
// Fallback for PHP builds without mime_content_type(): ask file(1) instead.
if (!function_exists("mime_content_type")) {
    function mime_content_type($file) {
        // escapeshellarg() quotes the whole path as a single argument.
        return exec("file -bikn " . escapeshellarg($file));
    }
}

// The document id is only ever used as an integer key, so cast it before
// it reaches the access check and the query.
$doc_id = (int) $doc_id;

if (!user_is_logged_in() || !user_has_access_to_doc($doc_id)) {
    print "error";
    exit;
}

if ($doc_id) {
    $query = "select name from docs where doc_id=$doc_id";
    $result = db_query($query);
    if (db_numrows($result) < 1) {
        print "error";
        exit;
    } else {
        $row = db_fetch_array($result);
    }
    // $FILES_DIR points at the document store outside the web root.
    $mimt = mime_content_type($FILES_DIR . $row['name']);
    if (!$mimt) {
        $mimt = "application/octet-stream";
    }
    header("Content-Type: $mimt");
    header('Content-disposition: inline');
    $fexist = readfile($FILES_DIR . $row['name']);
} else {
    exit_error("No document data.",
               "No document to display - invalid or inactive document number.");
}
?>
```

robbin wrote:
| Script the retrieval and just put the file out there, basically you
| have to open the file and put it to the web page with the
| appropriate header so that the user will be prompted for a download,
| save as pop box. I've done this in perl,
|
| print header(-type=>"application/x-download",
|              -attachment=>"$fullyqualifiedfilename",
|        );
| open (DWNLD,"<$file");
| binmode(DWNLD);
| $/ = undef;
| my $zip = <DWNLD>;
| close (DWNLD);
|
| binmode(STDOUT);
| print $zip;
|
| Hope the example helps.
|
| Robbin
|
|
| John M. L. wrote:
|
|> I have a project that involves a members only area on a web page on IIS.
|> The members' only area is secured by a database (MS Access) so users are
|> authenticated by their name and some MD5 hash etc. I need to allow files
|> (mostly PDFs) for download to authenticated users only. In my opinion this
|> means that the files can not be stored in any www accessible folder
|> (regardless of any renaming convention etc, I absolutely cannot have someone
|> guess a file name to download).
|> In order to access the files, the database would link a file to a unique id,
|> so a page that validates the user would then give access to the file stored
|> outside of the www on the server. Now, this is where the real question lies.
|> How is this possible since the files are not in a www accessible path, since
|> a mere link to a file won't do. Any thoughts would be welcome. If I'm going
|> about this completely wrong that would be nice to know too :) Forgive me if
|> the answer is simple, I'm a Linux fan and haven't used IIS etc for years.
|> One more note: IIS, MS Access and VBScript are not my technologies of
|> choice, but merely what I was given to work with. I also have very limited
|> control over administering IIS.
|>
|> John
|> www.recaffeinated.com
|>
|>
|>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBW8y3BtvwQGcl/zERAn6OAJ4qBlIC96PtUFXvAIKHv6WAR9LIAACdGeJZ
x8kYrEV1CsS2dIFvvotLrYs=
=7FBt
-----END PGP SIGNATURE-----
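The pattern every reply in this thread converges on (authenticate, map an opaque id to a stored name through the database, read the file from a directory outside the web root, emit the headers yourself) as an added, self-contained Python example; it is not James's PHP, robbin's Perl, or anything from John's IIS project. The `ACL` table, the in-memory sqlite catalogue, the temporary document directory and the sample files are all constructed here, and `serve_document()` returns the headers and body instead of writing to a response object so it can be exercised without a web server. It goes one step beyond the PHP above: the id is validated and bound as a query parameter rather than interpolated into SQL, and the resolved path is checked to still lie under the document directory, so a catalogue row such as `../../etc/passwd` cannot pull a file from elsewhere on the server.

```python
import mimetypes
import os
import sqlite3
import tempfile

# Constructed access table: which users may read which document ids.
ACL = {"alice": {1, 2, 3}, "bob": {2}}


class AccessDenied(Exception):
    pass


class NotFound(Exception):
    pass


def user_has_access_to_doc(user, doc_id):
    """Stand-in for the page's user_has_access_to_doc(); consults the constructed ACL."""
    return user in ACL and doc_id in ACL[user]


def make_demo_store():
    """Build a constructed sqlite catalogue plus a document directory outside any web root."""
    files_dir = tempfile.mkdtemp(prefix="docs-")
    with open(os.path.join(files_dir, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample")
    with open(os.path.join(files_dir, "notes.xyz123"), "wb") as f:
        f.write(b"\x00\x01 no known extension")
    conn = sqlite3.connect(":memory:")
    conn.execute("create table docs (doc_id integer primary key, name text)")
    conn.executemany(
        "insert into docs values (?, ?)",
        [(1, "report.pdf"), (2, "notes.xyz123"), (3, "../../etc/passwd")],
    )
    return conn, files_dir


def serve_document(conn, user, raw_doc_id, files_dir):
    """Return (headers, body) for a document id, or raise AccessDenied / NotFound."""
    # 1. The id arrives as request text; accept nothing but an integer.
    try:
        doc_id = int(raw_doc_id)
    except (TypeError, ValueError):
        raise NotFound("invalid document number")

    # 2. Authorisation before any database or file system access.
    if not user_has_access_to_doc(user, doc_id):
        raise AccessDenied("not permitted")

    # 3. Parameterised lookup: the id is bound, never pasted into the SQL text.
    row = conn.execute(
        "select name from docs where doc_id = ?", (doc_id,)
    ).fetchone()
    if row is None:
        raise NotFound("no document")

    # 4. Resolve the stored name and confirm it still lies under files_dir.
    base = os.path.realpath(files_dir)
    path = os.path.realpath(os.path.join(base, row[0]))
    if os.path.commonpath([base, path]) != base:
        raise NotFound("stored name escapes the document directory")

    # 5. MIME type with the same octet-stream fallback the PHP version uses.
    mime, _ = mimetypes.guess_type(path)
    headers = {
        "Content-Type": mime or "application/octet-stream",
        "Content-Disposition": "inline",
    }
    with open(path, "rb") as f:
        return headers, f.read()


if __name__ == "__main__":
    conn, files_dir = make_demo_store()
    headers, body = serve_document(conn, "alice", "1", files_dir)
    print(headers, len(body), "bytes")
```

Swap `"inline"` for `attachment; filename="..."` if, as in John's case, the browser should show a save dialog rather than render the PDF; everything else stays the same. The traversal check in step 4 is only needed when the catalogue can be written by anyone other than the administrator, but it costs nothing and makes the handler safe to reuse.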
Current thread:
- Securing file access John M. L. (Sep 27)
- Re: Securing file access Saphyr (Sep 29)
- Re: Securing file access Jason Merriman (Sep 29)
- Re: Securing file access Ian (Sep 29)
- Re: Securing file access Subs (Sep 30)
- RE: Securing file access Koen Vingerhoets (Sep 29)
- Re: Securing file access PD9 Software (Sep 29)
- Re: Securing file access Ben Timby (Sep 29)
- Re: Securing file access robbin (Sep 30)
- Re: Securing file access James Barkley (Sep 30)
- <Possible follow-ups>
- Re: Securing file access robbin (Sep 28)
- Re: Securing file access Ido Rosen (Sep 29)
- RE: Securing file access Bénoni MARTIN (Sep 28)
- RE: Securing file access Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Sep 29)
- RE: Securing file access Booth, Simon (Sep 29)
- RE: Securing file access Shields, Larry (Sep 29)
- RE: Securing file access Beckner, Chad A (Sep 30)
- Re: Securing file access Saphyr (Sep 29)