Can FEU module prevent deep linking of files?

Have a question or a suggestion about a 3rd party addon module or plugin?
Let us know here.
Post Reply
reinhardmohr
Forum Members
Forum Members
Posts: 97
Joined: Sun Aug 06, 2006 2:36 pm
Location: Munich, Germany

Can FEU module prevent deep linking of files?

Post by reinhardmohr »

Hi, thanks for making CMSms and for providing support here!

I am lost in a problem and I have been working on it for two days – but could not find a solution. It would be great if someone could help me – thanks!
I built a website for a customer with protected pages by Front End User module where his customers can log in and download software and brochures. Everything works fine.
But now my customer found out that everybody who can log in can copy
the download link for software or any other file and could give it away without permission.
My customer wants me to block downloads when not logged in. I tried it with htaccess file and the referrer variable but could either get blocked everything or nothing. The download link worked without being logged in – or it didn't work when logged in.
I searched around – it seems to be called "deep linking". But there is not really a working solution – being it javascript or server redirecting.
The one thing I found as a plugin (tag) in the CMSms was "Secure file download". But it was 13 years old and incomplete.

There are two modules "Download Manager" (very old) and its fork "JMDownMan". But JMDownMan seems to be made for new lists of downloads (and it still is a Release Candidat).

I was also experimenting with the tag "metadata soawbase=false" and had hoped to block absolute urls e.g. http://www.mydomain.de/downloads/file.pdf via htacces. While allowing downloads via relative links e.g. /downloads/file.pdf. Didn't work either.

Could someone help or give me a hint? This would be great!
Thanks a lot for helping
Reinhard

System info:

Code: Select all

----------------------------------------------
Cms Version: 2.2.8
Installed Modules:
	▪	AdminSearch: 1.0.4
	▪	CGExtensions: 1.61.3
	▪	CGSimpleSmarty: 2.2
	▪	CMSContentManager: 1.1.6
	▪	CMSMailer: 6.2.14
	▪	Captcha: 1.0
	▪	CmsJobManager: 0.1.3
	▪	DesignManager: 1.1.4
	▪	ExaExternalizer: 0.6
	▪	FileManager: 1.6.7
	▪	FilePicker: 1.0.3
	▪	FormBuilder: 0.8.1.6
	▪	FrontEndUsers: 2.12.2
	▪	MenuManager: 1.50.3
	▪	MicroTiny: 2.2.2
	▪	ModuleManager: 2.1.4
	▪	NMS: 2.13.2
	▪	Navigator: 1.0.9
	▪	News: 2.51.4
	▪	Search: 1.51.5
	▪	TinyMCE: 3.2-beta6

Config Information:
	▪	php_memory_limit:
	▪	max_upload_size: 96000000
	▪	url_rewriting: mod_rewrite
	▪	page_extension: .html
	▪	query_var: page
	▪	auto_alias_content: true
	▪	locale:
	▪	set_names: true
	▪	timezone: Europe/Berlin
	▪	permissive_smarty: false

Php Information:
	▪	phpversion: 7.2.29
	▪	md5_function: An (Ja)
	▪	json_function: An (Ja)
	▪	gd_version: 2
	▪	tempnam_function: An (Ja)
	▪	magic_quotes_runtime: Aus (Nein)
	▪	E_ALL: 32767
	▪	E_STRICT: 2048
	▪	E_DEPRECATED: 8192
	▪	test_file_timedifference: No time difference found
	▪	test_db_timedifference: No time difference found
	▪	create_dir_and_file: 1
	▪	memory_limit: 256M
	▪	max_execution_time: 600
	▪	register_globals: Aus (Nein)
	▪	output_buffering: 0
	▪	disable_functions: show_source, passthru, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system, apache_note, apache_setenv, closelog, debugger_off, debugger_on, define_syslog_variables, openlog, syslog, popen, pclose, ini_restore, symlink, ini_alter, disk_total_space, diskfreespace, dl, backtick_operator, set_time_limit
	▪	open_basedir:
	▪	test_remote_url: Erfolgreich abgeschlossen
	▪	file_uploads: An (Ja)
	▪	post_max_size: 96M
	▪	upload_max_filesize: 96M
	▪	session_save_path: /tmp (1777)
	▪	session_use_cookies: An (Ja)
	▪	xml_function: An (Ja)
	▪	xmlreader_class: An (Ja)
	▪	check_ini_set: An (Ja)
	▪	curl: An

Performance Information:
	▪	allow_browser_cache: An (Ja)
	▪	browser_cache_expiry: 60
	▪	php_opcache: An (Ja)
	▪	smarty_cache: Aus (Nein)
	▪	smarty_compilecheck: Aus (Nein)
	▪	auto_clear_cache_age: An (Ja)
Server Information:
	▪	Server Software: Apache
	▪	Server Api: cgi-fcgi
	▪	Server Os: Linux 2.6.32-954.3.5.lve1.4.77.el6.x86_64 An x86_64
	▪	Server Db Type: MySQL (mysqli)
	▪	Server Db Version: 5.7.29
	▪	Server Db Grants: Es konnte keine „GRANT ALL“-Berechtigung gefunden werden. Dies kann bedeuten, dass Sie bei der Installation oder beim Entfernen von Modulen, oder sogar beim Hinzufügen und Löschen von Elementen, einschließlich Seiten, Probleme haben könnten.

Permission Information:
	▪	tmp: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/tmp (0755)
	▪	tmp_cache: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/tmp/cache (0755)
	▪	templates_c: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/tmp/templates_c (0755)
	▪	modules: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/modules (0755)
	▪	uploads: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/uploads (0755)
	▪	Maske zum Erstellen von Dateien (umask): /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/tmp/cache (0755)
	▪	config_file: 0444
----------------------------------------------
User avatar
Dr.CSS
Moderator
Moderator
Posts: 12678
Joined: Thu Mar 09, 2006 5:32 am
Location: Arizona

Re: Can FEU module prevent deep linking of files?

Post by Dr.CSS »

I'm not sure how FEU works now adays but you might/should be able to set those pages that have links to them as secure (must log in to see them)...
Check ver. CMSMS, PHP, server OS, in System Information page.
Default content http://multiintech.com/defaultcontent/
People are Wonderful
Business is Great
Life is Terrific
Ever wonder what happened to the Album module? Well it is alive and well.
http://album.multiintech.com/
Image
User avatar
DIGI3
Dev Team Member
Dev Team Member
Posts: 1079
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: Can FEU module prevent deep linking of files?

Post by DIGI3 »

The Uploads module has some options for obfuscating file download links, but is not a totally secure option. Having a non-shareable file download link usually requires something fairly sophisticated and may not be possible with off the shelf modules.
Not getting the answer you need? CMSMS support options
User avatar
rotezecke
Power Poster
Power Poster
Posts: 372
Joined: Fri Apr 18, 2008 9:34 pm
Location: Nimbin, Australia

Re: Can FEU module prevent deep linking of files?

Post by rotezecke »

i put files that i don't want to share outside the webroot, hence they cannot be linked to.

here's a PHP script that lists all the subfolders and files in those subfolders inside a directory named employees, but the link points to a script and the file and path are query variables. there are probably better ways to do this, but that was a quick n dirty that still works many years later :) so no need to review

Code: Select all

$path = DIR_FS_BELOW_ROOT . 'employees/';

//this randomly arranges directories, hence we need to loop twice
$dir = new DirectoryIterator($path);
//primer
$dirArray = array();

foreach ($dir as $fileinfo) {
	//only directories
    if ($fileinfo->isDir() && !$fileinfo->isDot()) {
		//we need to collect all dirs first
		$dirArray[] = $fileinfo->getFilename();
    } 
}
//then reverse sort the dirs
arsort($dirArray);
//and use the sorted array
foreach($dirArray as $currrentDir) 
{
	echo '<div class="clearb ltp"><strong>'.str_replace('_',' ',$currrentDir).'</strong></div>';
	
	$files = array_diff(scandir($path.'/'.$currrentDir), array('.', '..'));
	if (!empty($files)) {
		echo '<ul class="dotlist">';
		foreach ($files as $file) {
			echo '<li><a href="employee_verify.php?file='.rawurlencode($file).'&dir='.urlencode($currrentDir).'" class="pdf">'.$file.'</a></li>';
		}
		echo '</ul>';
	}
}
on the page with that script (in my case yet another plain php page employee_verify.php) you can do your authentication with FEU, and call a UDT or plugin to load the files. Mind you in my case these files are probably all PDFs.

Code: Select all

	if (!empty($_GET['file']) && !empty($_GET['dir'])){
		$file = filter_input(INPUT_GET, 'file', FILTER_SANITIZE_STRING);
		$dir = filter_input(INPUT_GET, 'dir', FILTER_SANITIZE_STRING);
		
		$file_path = DIR_FS_BELOW_ROOT . 'employees/'.$dir.'/';
		

		if (file_exists($file_path.$file)) {
			header('Content-Description: File Transfer');
			header('Content-Type: application/octet-stream');
			header('Content-Disposition: attachment; filename="'.basename($file).'"'); //file name may contain spaces, 
			header('Content-Transfer-Encoding: binary');
			header('Expires: 0');
			header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
			header('Pragma: public');
			header('Content-Length: ' . filesize($file_path.$file));
			ob_clean();
			flush();
			readfile($file_path.$file);
			exit;
		}

	}
User avatar
Jo Morg
Dev Team Member
Dev Team Member
Posts: 1802
Joined: Mon Jan 29, 2007 4:47 pm

Re: Can FEU module prevent deep linking of files?

Post by Jo Morg »

JMDownMan does what you need and can scan existing directories IIRC, being a release candidate is of no consequence, it is a stable release and soon to be updated too.
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduit | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge | Yet another blog about CMSMS
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
calguy1000
Support Guru
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Can FEU module prevent deep linking of files?

Post by calguy1000 »

If users get a direct link to the file it is no longer a CMSMS thing or an FEU thing. At that point the download is handled by the web server, not your CMS. What you need is to:

a: Protect direct access to the file by either:
- moving it out of your document root to a location where the webserver cannot access it.
- adding .htaccess rules to prevent the webserver from serving the file(s).

b: Providing a URL that IS controlled by some code. it should provide additional security checks and then send the file to the user.
There are multiple ways to do this. Using a module such as Uploads, JMDownMan, or plugins such as the ones included below. It all really depends on what kind of security you need.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
reinhardmohr
Forum Members
Forum Members
Posts: 97
Joined: Sun Aug 06, 2006 2:36 pm
Location: Munich, Germany

Re: Can FEU module prevent deep linking of files?

Post by reinhardmohr »

Thanks a lot, everybody,

for helping so quickly and so comprehensively.
It will certainly take me a few days to check your suggestions – I will try and report what I found out.
@Calguy: You wrote:
plugins such as the ones included below
Did you mean the plugins I see when I do a search in the Forge? Or did I just not understand which plugins were included below where?
Sorry that I had to ask again! Thanks for caring about my problem!
reinhardmohr
Forum Members
Forum Members
Posts: 97
Joined: Sun Aug 06, 2006 2:36 pm
Location: Munich, Germany

Re: Can FEU module prevent deep linking of files?

Post by reinhardmohr »

Hi, thanks for all the information above.

@ Jo Morg:
Thanks for pointing me to JMDownMan. Yes, this would indeed be a solution. But it took me two days now to set it up and check it. And find out why I had problems getting it to work …
Probably this is not the right thread for improving JMDownMan, so I don't want to make it too long.
• There are some minor bugs. Like the save or cancel buttons in some places don't work .
• Or some settings for the imported files are only saved when repeatedly applied.
• But the big problem is that "scan existing folders" does not work at all. It produces imported files with only -1 as template name, always with a size of 2B and with missing file path – so the download link ends in "file not found" from the server.

Only when I finally tried to upload a new file (instead of scanning existing ones) it worked almost as expected (given the minor bugs from above still are here …).
So even uploading all of the files (many …) didn't work as some are too big for the server's max-upload-limit (I tried to override it with htaccess – didn't work).

Is there a professional (paid) way you could fix the problems? For now this is a requirement / a wish from my customer – but not an official project yet. So it depends a bit on the details.
I will also try out other solutions and will report them here.
Thanks Jo Morg and thanks everybody for CMSms!
Reinhard
User avatar
Jo Morg
Dev Team Member
Dev Team Member
Posts: 1802
Joined: Mon Jan 29, 2007 4:47 pm

Re: Can FEU module prevent deep linking of files?

Post by Jo Morg »

reinhardmohr wrote:Is there a professional (paid) way you could fix the problems? For now this is a requirement / a wish from my customer – but not an official project yet. So it depends a bit on the details.
Sure! PM me if you need it.
However I have JMDownMan installed on a number of sites without issues probably just not on latest PHP. So maybe a PHP version issue there? I'd need more details about that. But there are definitely solutions possible to do what you want/need.
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduit | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge | Yet another blog about CMSMS
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
Post Reply

Return to “Modules/Add-Ons”