security: access files behind public_html


8 replies to this topic

#1 trillion

trillion
  • Members
  • Advanced Member
  • 41 posts

Posted 16 October 2006 - 06:47 AM

I have often read to place upload directories (any directory with chmod 0777)
behind the www root (public_html in my case).

I understand the reasoning and would like my server to be as secure as possible, but I also want to access the files uploaded via php for display. Is there something I am missing here? It seems uploaded files/directories are considered safe when behind public_html because they are not accessible. Is there a method to still access these files from a browser?

#2 akitchin

akitchin
  • Staff Alumni
  • Advanced Member
  • 2,516 posts
  • Location: Calgary, AB, Canada

Posted 16 October 2006 - 07:25 AM

PHP can include files from above the web root just as it can below.  there is no difference, except that you need to specify how many directories to go up in the tree.  web users will not be able to access them, but PHP can serve them up from there.  as long as you code a PHP page to include the file you want, you can access it from the browser; you just can't access them directly.

any specific cases you're asking about?

#3 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 16 October 2006 - 07:44 AM

Use safe_mode then.

Or, I'm not sure, but maybe if you use Linux you could chroot Apache to "jail" it inside its own directories.

#4 xsist10

xsist10
  • Members
  • Advanced Member
  • 114 posts

Posted 16 October 2006 - 09:09 AM

You could set up a .htaccess file in the folder you wish to store these files. The .htaccess file can demand a password before giving you access to the folder.

http://httpd.apache....ccess.html#auth
SA PHP Archives - www.phparchives.za.org

#5 trillion

trillion
  • Members
  • Advanced Member
  • 41 posts

Posted 17 October 2006 - 02:11 AM

One specific case:

A form uploads an mp3 file say to a folder called music that is directly above public_html
then a php page plays the mp3 like

home/music/mp3
home/public_html/player.php

how do I access the mp3 file? Do I set an absolute path as a variable some place?

I have tried with a basic html embed tag and file path as "../music/mp3" but this is not working. Of course a URL will not work, and I guess that is why the above path fails, because it is a URL, but how do I access the mp3 with an absolute path for display?


#6 akitchin

akitchin
  • Staff Alumni
  • Advanced Member
  • 2,516 posts
  • Location: Calgary, AB, Canada

Posted 17 October 2006 - 02:35 AM

while i've never used embed, for images you can source to a PHP file:

<embed src="get_mp3.php?file=filename" />

get_mp3.php would probably look something like this:

<?php

// only the base name of the requested file is used, so "../" in the query
// string can't climb out of the music folder; the parameter name matches
// the "file=" in the embed tag above
$name = isset($_GET['file']) ? basename($_GET['file']) : '';
$file_location = '../music/'.$name;

// exit if the file doesn't exist (is_file() is also false for a directory or an empty name)
if (!is_file($file_location))
{
  exit;
}

// try to open and read the file, exit if it can't be opened
$handle = @fopen($file_location, 'r');
if ($handle !== FALSE)
{
  $contents = @fread($handle, filesize($file_location));
  fclose($handle);
}
else
{
  exit;
}

// spit out the file contents, provided they're not empty
if (!empty($contents))
{
  echo $contents;
}

?>

i can't tell you for sure whether this will work, but the analogous method for sourcing images above the root to a PHP file works.

#7 trillion

trillion
  • Members
  • Advanced Member
  • 41 posts

Posted 17 October 2006 - 07:31 AM

then could a malicious file that was uploaded be accessed the same way?

#8 akitchin

akitchin
  • Staff Alumni
  • Advanced Member
  • 2,516 posts
  • Location: Calgary, AB, Canada

Posted 17 October 2006 - 07:38 AM

well generally a malicious file could be accessed just like any other file because it is exactly that - a file.  however by using PHP to echo its contents you're less likely to cause the harm that would result from a user directly downloading and running the file, because you're controlling the circumstances under which the file's contents are being used.  here you're embedding the content, you could be using the content as an image source, etc.

that being said, a malicious file can always cause damage if it's been written properly and knows how it will be used, no matter where it is.  at least this way outside users cannot directly access it and you control how it is handled.

#9 redbullmarky

redbullmarky
  • Staff Alumni
  • Advanced Member
  • 2,863 posts
  • Location: Bedfordshire, England

Posted 17 October 2006 - 08:03 AM

if a user is able to upload a PHP file, then your MP3s will only be one of your worries, so it's always important to filter ANYTHING that a user can send to your server (get/post/cookie/files).

what akitchin stated in his example will do the job nicely; however, it just needs you to send the correct header before echoing the contents. not sure what the MIME type is for MP3s (i think it has a few variations) but i always personally grab the MIME type from the $_FILES array when a user uploads the file and store it all in my database, and then:

<?php
header("Content-type: $mimetype");
echo $contents;
?>

so in the event of a JPEG, it might be translated to: header("Content-type: image/jpeg")

it takes a bit of fiddling to get it working for all sorts, but it's definitely a much safer way than storing anything in your web root.
"you have to keep pissing in the wind to learn how to keep your shoes dry..."

I say old chap, that is rather amusing!
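Putting akitchin's proxy script (#6) together with redbullmarky's Content-Type advice (#9), here is an added example that is not any poster's code: a get_mp3.php in public_html that serves files from ../music only after validating the file name, checking the resolved path stays inside the storage folder, and taking the Content-Type from an extension allowlist rather than from the uploader's declared type. It assumes the home/music and home/public_html layout from post #5 and PHP 5.4 or later for http_response_code().

```php
<?php
// Added example (not any poster's code): serves a file stored above the
// web root through PHP, as discussed in #6 and #9. Assumed layout from
// the thread: this script is home/public_html/get_mp3.php, files are in
// home/music. Requires PHP 5.4+ for http_response_code().

$storage = realpath(__DIR__ . '/../music');
if ($storage === false) {
    http_response_code(500);
    exit('storage directory missing');
}

// Accept only a plain file name (letters, digits, dot, dash, underscore).
// A "/" or "\" never passes, so "../" cannot climb out of the music folder.
$name = isset($_GET['file']) ? $_GET['file'] : '';
if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name) || $name === '.' || $name === '..') {
    http_response_code(400);
    exit('bad file name');
}

// Resolve symlinks and confirm the final path is still inside $storage.
$path = realpath($storage . DIRECTORY_SEPARATOR . $name);
if ($path === false || strpos($path, $storage . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('not found');
}

// The Content-Type comes from an allowlist keyed on the extension, not from
// the type the uploader declared in $_FILES, which the client controls.
$types = array(
    'mp3' => 'audio/mpeg',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
);
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    http_response_code(403);
    exit('file type not served');
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');   // browser must not sniff a different type
header('Content-Disposition: inline; filename="' . $name . '"');
readfile($path);                             // streams the file without reading it all into memory
```

With this, an uploaded .php or .html in the music folder is never handed to the browser with a type it would render or execute, and only names that exist under ../music are served at all.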



