
[SOLVED] .htaccess and passthru


doingmyheadin


I have pdfs in a deny-from-all htaccess protected directory "materials".

 

All requests for pdfs in that directory are passed (with htaccess in the root folder) to a php script which checks user credentials and then is supposed to passthru the pdf.

 

If I don't htaccess-restrict the "materials" folder, it works fine. Otherwise I just keep getting a permission-denied error.

 

Two questions:

- Is there a way to circumvent the htaccess in the materials folder through php (based on permissions obviously)?

 

- Do I even need to protect the "materials" folder at all, seeing as all requests to it are passed to my script anyway?

 

.. or is there some other way of doing this I'm not thinking of?!

 

Thanks for your help!

Link to comment
Share on other sites

The "deny from all" prevents HTTP/HTTPS requests for the files. If your .php script cannot read the files, that would imply that you are using a URL to read the files instead of a file system path.

 

Thought that's what I was doing... maybe I'm not? Here's what I've got:

 

$REQ_URL = $_REQUEST['REQ_URL'];
$ROOT = $_SERVER['DOCUMENT_ROOT'] . "mysite/";
$file = $ROOT . $REQ_URL;
passthru($file,$err);

 

It's going to be something really dumb isn't it - sorry!

Link to comment
Share on other sites

So, what exactly is $_REQUEST['REQ_URL']? Is it an actual URL to the file (http://yourdomain.com/your_path/your_file.ext) or just a file name (your_file.ext)?

 

I don't know what passthru() would do for how you are calling it (it normally executes a command that has meaning relative to the operating system.) You would normally use readfile() to do what you are trying.

 

You should also not directly put anything that comes from user-supplied input into a statement that reads and outputs the content of a file, unless you fully validate what was supplied. By supplying the correct path (using enough ../../..) to, say, your database connection details file, someone could easily get the code you posted to output any of the files on your server, not just the files in your "materials" folder.

Link to comment
Share on other sites

So, what exactly is $_REQUEST['REQ_URL']? Is it an actual URL to the file (http://yourdomain.com/your_path/your_file.ext) or just a file name (your_file.ext)?

 

It's a relative path to the file, in this case, "materials/file.pdf". I've echo'd this, the file looks to be referenced correctly.

 

I don't know what passthru() would do for how you are calling it (it normally executes a command that has meaning relative to the operating system.) You would normally use readfile() to do what you are trying.

 

Ah, OK. Still doesn't work with readfile() either tho..! I just replaced the passthru line with

 

readfile($file);

 

Gives me exactly the same.

 

This is so annoying! Surely this is something people need to do all the time, but I'm obviously not searching for the right keywords. How do you allow a user to download a file and no-one else?

 

Link to comment
Share on other sites

Yes, people do this all the time. Therefore, the problem is something specific you are doing and we need to know all the relevant details about what you are doing.

 

What exactly is in your .htaccess ?

 

The .htaccess in the root directory has:

 

Options +Includes
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} ^.*\.php$|^.*\.html$|^.*materials.*\.pdf$|^.*materials.*\.doc$
RewriteRule ^(.*)$ master.php?REQ_URL=$1 [QSA,L]

 

master.php is the script handling all the requests.

 

The .htaccess in the "materials" folder simply has

 

deny from all

 

 

Link to comment
Share on other sites

The problem is that the actual HTTP request that the server receives is for materials/yourfile.ext and that is not allowed, so it never gets to the URL rewriting. There may be an option/switch to allow this to work, but I would recommend that you put the actual files into a folder that is not named the same as what is used in the path in the URL and then build the actual path in master.php using the actual differently named path.

Link to comment
Share on other sites

The problem is that the actual HTTP request that the server receives is for materials/yourfile.ext and that is not allowed, so it never gets to the URL rewriting. There may be an option/switch to allow this to work, but I would recommend that you put the actual files into a folder that is not named the same as what is used in the path in the URL and then build the actual path in master.php using the actual differently named path.

 

Oh it checks the .htaccess in the materials folder first! Of course it does, I'm an idiot! I knew it was going to be sth stupid!

 

Thanks, PFMaBiSmAd. Much appreciated!

Link to comment
Share on other sites
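
One way to apply the two recommendations made in the thread (validate the user-supplied path, and keep the files in a differently named folder whose real path is built in master.php), as an added example that is not part of the original posts. It covers only the download branch of master.php; STORAGE_DIR, user_may_download() and the session key are hypothetical.

```php
<?php
// Added example, not the poster's code. STORAGE_DIR, user_may_download() and
// the session key are hypothetical stand-ins for the site's own values.
const STORAGE_DIR = '/var/www/private_files';  // differently named, not URL-addressed
const ALLOWED_TYPES = ['pdf' => 'application/pdf', 'doc' => 'application/msword'];

// Map the rewritten REQ_URL (e.g. "materials/file.pdf") to a file inside
// $storageDir; return null when the request must be refused.
function resolve_download(string $reqUrl, string $storageDir): ?string
{
    if (strncmp($reqUrl, 'materials/', 10) !== 0) {
        return null;                       // only the URL prefix the rewrite handles
    }
    // realpath() resolves "../" and symlinks; false means no such file.
    $base = realpath($storageDir);
    $full = realpath($storageDir . DIRECTORY_SEPARATOR . substr($reqUrl, 10));
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Extension allowlist, checked on the resolved name rather than the input.
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Containment: the resolved path must still sit under the storage directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

function user_may_download(): bool
{
    return !empty($_SESSION['user_id']);   // placeholder credential check
}

session_start();
// $_GET, not $_REQUEST: the rewrite rule passes REQ_URL in the query string.
$path = user_may_download()
    ? resolve_download((string) ($_GET['REQ_URL'] ?? ''), STORAGE_DIR)
    : null;
if ($path === null) {
    http_response_code(404);               // same reply for "missing" and "refused"
    exit;
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A request such as materials/../../config.php resolves outside the storage directory and is refused by the containment check before readfile() is ever reached.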
