Jump to content


Security and PDF files

pdf security

  • Please log in to reply
2 replies to this topic

#1 sf_guy

  • Members
  • PipPip
  • Member
  • 23 posts

Posted 17 May 2013 - 04:38 PM

All of my PHP files are secured by session checks, but I've found a possible security problem and am looking for ideas of how to fix it.


Several of my PHP pages are custom built by the end user dropping files into a directory (write access to this directory is restricted).


My PHP code recursively walks through the directory and builds links to all of the files there. It also strips the extension. The users give the files logical names so the links look good.


For example, if they put "How to Fish.docx" into the subdirectory "Fishing" the end HTML code, generated by PHP will look something like this:

<a href="How%20to%20Fish.docx" target="_blank">How to 



The security problem is that they can now make a direct link to the "How to Fish" document and save it as a favorite and bypass all security checking done by the PHP pages.


Is it possible to write some type of "trigger" code that will launch the PHP login page whenever a user tries to access a page in a certain directory? I've seen web sites that do this, but am not quite sure how.


Is there another, simpler solution? Thanks!

Edited by sf_guy, 17 May 2013 - 04:51 PM.

#2 requinix

  • Administrators
  • Lazy Administrator
  • 9,254 posts
  • LocationWA

Posted 17 May 2013 - 05:20 PM

Move the files someplace not web accessible and then make a PHP script which reads and outputs them.
<a href="download.php?file=How%20to%20Fish.docx" target="_blank">How to Fish</a>
Be sure to validate that file name: doesn't contain any directory information, file exists, etc. readfile is one way to output them, as in
header("Content-Type: application/octet-stream");
header("Content-Length: " . filesize($file));
header("Content-Disposition: attachment; filename=\"" . basename($file) . "\"");
Once that's done you can make the URLs look nicer (if that's a concern) with URL rewriting.
The Reimann Zeta Function Trolley Problem | "Summer is when I, the great ice fairy, can show my true power!"

#3 ignace

  • Moderators
  • Now mod flavored
  • 6,419 posts
  • LocationBelgium

Posted 18 May 2013 - 07:06 AM

Be sure to validate that file name: doesn't contain any directory information, file exists, etc. readfile is one way to output them

By that he means make sure the following and any derivatives thereof does not work:
download.php?file=download.php <-- should NOT work
The reason being that it could compromise your website and allow hackers to download sensitive information.

Edited by ignace, 18 May 2013 - 07:09 AM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users