Jump to content
Sign in to follow this  
phppbo

access files placed outside of the site root?

Recommended Posts

I have some files saved outside the webroot and need to allow posts in WordPress to be able to access the files.

Following is the location of one of the files:

/home1/Mathone/TESTS/Test1/index1.html

I created a Download.php file with the following code and saved it to public_html of my site:

<?php
$path
= '/home1/Mathone/TESTS/'. $_GET['filename'];
$mm_type="application/octet-stream";
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Type: " . $mm_type);
header("Content-Length: " .(string)(filesize($path)) );
header('Content-Disposition: attachment; filename="'.basename($path).'"');
header("Content-Transfer-Encoding: binary\n");
readfile($path); // outputs the content of the file
exit();
?>

Next, I created a post in wordpress with the following link:

<a href="www.mysite.com/download.php?filename=Test1/index1.html">download</a>

I am getting an error

This is somewhat embarrassing, isn’t it?

It seems we can’t find what you’re looking for. Perhaps searching can help.

Can anyone tell me what I am doing wrong? Thank you

Share this post


Link to post
Share on other sites

You let me download any file from your server? Cool, let's start with your passwords.

 

Guys, please think before you write code. We already have enough of Wordpress vulnerabilities, no need for a new one. If you don't know how to write proper code, then don't write any code at all. Use a plugin, hire somebody or whatever.

  • Like 1

Share this post


Link to post
Share on other sites

I forgot to mention that I am a newbie. I found this code on the internet somewhere and was trying to make it work. I guess, no more php coding for me. 

 

Since that is out of the way, one more related question then -  what I was trying to do with the above code was to prevent direct url access to my files. Based on what I have read on several forums, it is best to move the files outside of the root directory to prevent hotlinking and direct access. 

 

Do you have any recommendations on how to make the files available for paid members only on my site? I am planning on using either memberpress or membermouse as the membership plugin. 

 

I have looked at Wordpress Download Manager, WP Document Revisions, etc but they don't work for me as each of my courses is saved into multiple files in a data folder  and a .html file that refers to all the files in the data folder. 

 

Thanks. 

Share this post


Link to post
Share on other sites

I guess, no more php coding for me. 

 

Keep on coding, but just don't write a banking app until you know more.

 

Typically, files not meant for public viewing are kept under the HTML root, or within it but protected using the webserver (apache, etc).  I don't see any reason to go the later path, and would put them under the root.

 

Regardless, you use your application to restrict access to the download function, and either use PHP's readfile() or Apache's (assuming you are using apache) X-Sendfile module to download them.

 

You need to be careful to prevent the user from accessing files which you do not wish them to.  For instance, look at this line.  What if I used the URL which made filename equal to ../../yourpasswords?  Not ideal :(

$path = '/home1/Mathone/TESTS/'. $_GET['filename'];

Share this post


Link to post
Share on other sites

I disagree. Typically files not meant for public viewing would NOT be placed under the document root. That's how you keep them from being viewed with a browser and a hijacked form

Share this post


Link to post
Share on other sites

I disagree. Typically files not meant for public viewing would NOT be placed under the document root. That's how you keep them from being viewed with a browser and a hijacked form

 

Please elaborate.  When I said "under", I mean beneath and and not in the document root.

Share this post


Link to post
Share on other sites

Under the document root is still in the web-accessible tree. If you don't want a browser to see or hack into something with http you put it outside the web tree.

Share this post


Link to post
Share on other sites

I guess I always viewed the tree upside down and didn't even realize it.

/
/var/
/var/www/
/var/www/html/someAccessibleDirectory/
/var/www/someDirectoryUndertheRoot/

Share this post


Link to post
Share on other sites

if www is your web root then all of those folders except / are "web-accessible"

 

Now - if you had this

 

/

/var/

/var/www/

/var/www/html/someAccessibleDirectory/

/var/www/someDirectoryUndertheRoot/

/var/php

/var/php/inc

/var/php/scripts

 

 

All of the /var/php folders are NOT web-accessible and that is where you would store things you described. Same with the /var folder obviously.

Share this post


Link to post
Share on other sites

Yea, I know.  The problem was with my poor naming convention of under/over.  I use Redhat/Centos who's default is /var/www/html/ as the Apache root.  As such, I typically put files related to the website but not web accessible (my php script and private documents) in /var/www/, and either put a single index.php or symbolic link in /var/www/html/

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.