Here is my code solution. I'm not sure how secure this will be (Obviously $_GET['grantaccess']=="true" is going to be changed), any comments would be appreciated:
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
$method="http";
$domain="example.com";
$defaultMIME="text/plain";
$fileType = $defaultMIME;
if ($_GET['grantaccess']=="true") {
$navFile=str_replace("..", "", $_GET['torun']);
$fileURL=$method . '://' . $domain . '/' . $navFile;
if (file_exists($navFile)) {
$finfoHandler = finfo_open(FILEINFO_MIME_TYPE);
$fileType = finfo_file($finfoHandler, $navFile);
finfo_close($finfoHandler);
if ($fileType===FALSE) {
$fileType = $defaultMIME;
}
header('Content-Type: '.$fileType);
$fileHandle = fopen($navFile, "r");
//$fileContents = stream_get_contents($fileHandle); //Can't use a URL with fopen, it will reexecute .htaccess.
$fileContents = fread($fileHandle, filesize($navFile));
fclose($fileHandle);
echo $fileContents;
} else {
header("HTTP/1.0 404 Not Found", true, 404);
echo "Not Found";
}
} else {
header("HTTP/1.0 403 Forbidden", true, 403);
echo "Access denied";
}
I only wanted to give access to sub-directories from here, not anything above / when navigating from browser. I believe Apache is Chrooted anyway when you specify the virtual host's document root in the config, but I replaced all ".." with nothing just to be sure.