开发者

File Upload: User Security When Downloading

I am trying to create a secure file t开发者_开发技巧ransfers between a client and a user by which I have the client Upload files, and click on which ones they wish to share with the user.

My problem comes when the client passes a url to a user (This url is stored in the database) ie: http://www.example.com/files/my-new-file.pdf

So then the user clicks on the URL and now becomes unsecure, because anyone technically could download this file. How do I make it so this file is ONLY able to be downloaded by the specified users.

I hope this makes some sense in what i'm trying to do and am trying to make sure these files are secure. Any thoughts would be appreciated.


You should use a PHP page to control access to the resources, rather than having the /files/ directory serve the content directly via the web server.

For example, a simple PHP page can read a file from the filesystem and serve this up so that it is downloaded to the browser.

http://www.higherpass.com/php/Tutorials/File-Download-Security/

You would want to ensure:

  • Only valid files can be downloaded

  • The request is from a valid authenticated user who is allowed to access the requested file

The simple example in that URL is vulnerable to directory traversal in the file parameter. You should validate any filename that is passed to your PHP script to protect against "../.." type attacks. This can actually get quite complex.

What may work for you is to have a token system where files are referenced by a unique, complex, random token. The database stores the actual file location on the filesystem, and when a request is recevied such as /download.php?token=blah... you lookup a) the location of the file referenced by token "blah", and b) that the session of the calling user is permitted to access the file. If all is well, serve the file to the user, otherwise raise an error and log the illegitimate access.


Protect image path - PHP

Hope this help you.


I believe adding security preferences to the registered users will make the things work. You need to have user logged in to upload the file.

Otherwise, whenever somebody uploads a file, ask his/her email address and send a string key (randomly generated by your server and mapped to the uploaded file) which may be used by the user who wants to download as password.

Share that key with the users who uploader wants to share...

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜