Can FEU module prevent deep linking of files?

reinhardmohr
Forum Members
Posts: 112
Joined: Sun Aug 06, 2006 2:36 pm
Location: Munich, Germany

Can FEU module prevent deep linking of files?

Post by reinhardmohr »

Hi, thanks for making CMSms and for providing support here!

I am lost in a problem and I have been working on it for two days – but could not find a solution. It would be great if someone could help me – thanks!
I built a website for a customer with pages protected by the Front End Users module, where his customers can log in and download software and brochures. Everything works fine.
But now my customer found out that everybody who can log in can copy
the download link for software or any other file and could give it away without permission.
My customer wants me to block downloads when not logged in. I tried it with an .htaccess file and the referrer variable, but I could either get everything blocked or nothing. The download link worked without being logged in – or it didn't work when logged in.
I searched around – it seems to be called "deep linking". But there is not really a working solution, be it JavaScript or server-side redirecting.
The one thing I found as a plugin (tag) in CMSms was "Secure file download". But it was 13 years old and incomplete.

There are two modules, "Download Manager" (very old) and its fork "JMDownMan". But JMDownMan seems to be made for new lists of downloads (and it still is a Release Candidate).

I was also experimenting with the tag {metadata showbase=false} and had hoped to block absolute URLs, e.g. http://www.mydomain.de/downloads/file.pdf, via .htaccess while allowing downloads via relative links, e.g. /downloads/file.pdf. Didn't work either.

Could someone help or give me a hint? This would be great!
Thanks a lot for helping
Reinhard

System info:

Code:

----------------------------------------------
Cms Version: 2.2.8
Installed Modules:
	▪	AdminSearch: 1.0.4
	▪	CGExtensions: 1.61.3
	▪	CGSimpleSmarty: 2.2
	▪	CMSContentManager: 1.1.6
	▪	CMSMailer: 6.2.14
	▪	Captcha: 1.0
	▪	CmsJobManager: 0.1.3
	▪	DesignManager: 1.1.4
	▪	ExaExternalizer: 0.6
	▪	FileManager: 1.6.7
	▪	FilePicker: 1.0.3
	▪	FormBuilder: 0.8.1.6
	▪	FrontEndUsers: 2.12.2
	▪	MenuManager: 1.50.3
	▪	MicroTiny: 2.2.2
	▪	ModuleManager: 2.1.4
	▪	NMS: 2.13.2
	▪	Navigator: 1.0.9
	▪	News: 2.51.4
	▪	Search: 1.51.5
	▪	TinyMCE: 3.2-beta6

Config Information:
	▪	php_memory_limit:
	▪	max_upload_size: 96000000
	▪	url_rewriting: mod_rewrite
	▪	page_extension: .html
	▪	query_var: page
	▪	auto_alias_content: true
	▪	locale:
	▪	set_names: true
	▪	timezone: Europe/Berlin
	▪	permissive_smarty: false

Php Information:
	▪	phpversion: 7.2.29
	▪	md5_function: On (Yes)
	▪	json_function: On (Yes)
	▪	gd_version: 2
	▪	tempnam_function: On (Yes)
	▪	magic_quotes_runtime: Off (No)
	▪	E_ALL: 32767
	▪	E_STRICT: 2048
	▪	E_DEPRECATED: 8192
	▪	test_file_timedifference: No time difference found
	▪	test_db_timedifference: No time difference found
	▪	create_dir_and_file: 1
	▪	memory_limit: 256M
	▪	max_execution_time: 600
	▪	register_globals: Off (No)
	▪	output_buffering: 0
	▪	disable_functions: show_source, passthru, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system, apache_note, apache_setenv, closelog, debugger_off, debugger_on, define_syslog_variables, openlog, syslog, popen, pclose, ini_restore, symlink, ini_alter, disk_total_space, diskfreespace, dl, backtick_operator, set_time_limit
	▪	open_basedir:
	▪	test_remote_url: Completed successfully
	▪	file_uploads: On (Yes)
	▪	post_max_size: 96M
	▪	upload_max_filesize: 96M
	▪	session_save_path: /tmp (1777)
	▪	session_use_cookies: On (Yes)
	▪	xml_function: On (Yes)
	▪	xmlreader_class: On (Yes)
	▪	check_ini_set: On (Yes)
	▪	curl: On

Performance Information:
	▪	allow_browser_cache: On (Yes)
	▪	browser_cache_expiry: 60
	▪	php_opcache: On (Yes)
	▪	smarty_cache: Off (No)
	▪	smarty_compilecheck: Off (No)
	▪	auto_clear_cache_age: On (Yes)
Server Information:
	▪	Server Software: Apache
	▪	Server Api: cgi-fcgi
	▪	Server Os: Linux 2.6.32-954.3.5.lve1.4.77.el6.x86_64 on x86_64
	▪	Server Db Type: MySQL (mysqli)
	▪	Server Db Version: 5.7.29
	▪	Server Db Grants: No "GRANT ALL" privilege could be found. This may mean that you could have problems when installing or removing modules, or even when adding and deleting items, including pages.

Permission Information:
	▪	tmp: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/tmp (0755)
	▪	tmp_cache: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/tmp/cache (0755)
	▪	templates_c: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/tmp/templates_c (0755)
	▪	modules: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/modules (0755)
	▪	uploads: /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/uploads (0755)
	▪	File creation mask (umask): /var/www/vhosts/7/140335/webspace/httpdocs/carecom-solutions.com/tmp/cache (0755)
	▪	config_file: 0444
----------------------------------------------
Dr.CSS
Moderator
Posts: 12709
Joined: Thu Mar 09, 2006 5:32 am
Location: Arizona

Re: Can FEU module prevent deep linking of files?

Post by Dr.CSS »

I'm not sure how FEU works nowadays, but you might/should be able to set those pages that have links to them as secure (must log in to see them)...
DIGI3
Dev Team Member
Posts: 1625
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: Can FEU module prevent deep linking of files?

Post by DIGI3 »

The Uploads module has some options for obfuscating file download links, but is not a totally secure option. Having a non-shareable file download link usually requires something fairly sophisticated and may not be possible with off the shelf modules.
rotezecke
Power Poster
Posts: 411
Joined: Fri Apr 18, 2008 9:34 pm
Location: Nimbin, Australia

Re: Can FEU module prevent deep linking of files?

Post by rotezecke »

I put files that I don't want to share outside the webroot, hence they cannot be linked to.

Here's a PHP script that lists all the subfolders, and the files in those subfolders, inside a directory named employees, but the link points to a script and the file and path are query variables. There are probably better ways to do this, but that was a quick 'n' dirty that still works many years later :) so no need to review

Code:

// DIR_FS_BELOW_ROOT is the poster's own constant (not a CMSMS one): the absolute path
// of a directory outside the web root, defined elsewhere, with a trailing slash.
$path = DIR_FS_BELOW_ROOT . 'employees/';

//DirectoryIterator returns entries in arbitrary order, hence we need to loop twice
$dir = new DirectoryIterator($path);
//primer
$dirArray = array();

foreach ($dir as $fileinfo) {
	//only directories
    if ($fileinfo->isDir() && !$fileinfo->isDot()) {
		//we need to collect all dirs first
		$dirArray[] = $fileinfo->getFilename();
    } 
}
//then reverse sort the dirs
arsort($dirArray);
//and use the sorted array
foreach($dirArray as $currentDir) 
{
	//directory and file names end up in HTML, so escape them
	echo '<div class="clearb ltp"><strong>'.htmlspecialchars(str_replace('_',' ',$currentDir)).'</strong></div>';
	
	$files = array_diff(scandir($path.$currentDir), array('.', '..'));
	if (!empty($files)) {
		echo '<ul class="dotlist">';
		foreach ($files as $file) {
			//only bare names go into the link; the download script must still validate them
			echo '<li><a href="employee_verify.php?file='.rawurlencode($file).'&amp;dir='.urlencode($currentDir).'" class="pdf">'.htmlspecialchars($file).'</a></li>';
		}
		echo '</ul>';
	}
}
On the page with that script (in my case yet another plain PHP page, employee_verify.php) you can do your authentication with FEU, and call a UDT or plugin to load the files. Mind you, in my case these files are probably all PDFs.

Code:

	// FEU login check goes here (see above); nothing below should run for anonymous visitors.
	if (!empty($_GET['file']) && !empty($_GET['dir'])){
		// basename() strips directory components, so "../x" cannot be smuggled in
		// (FILTER_SANITIZE_STRING did not do that, and is deprecated since PHP 8.1)
		$file = basename($_GET['file']);
		$dir  = basename($_GET['dir']);

		$base      = realpath(DIR_FS_BELOW_ROOT . 'employees');
		$file_path = $base . '/' . $dir . '/';
		$real      = realpath($file_path . $file);

		// basename('..') is still '..', so also require the resolved path to stay inside $base
		if ($real !== false && strpos($real, $base . '/') === 0 && is_file($real)) {
			header('Content-Description: File Transfer');
			header('Content-Type: application/octet-stream');
			header('Content-Disposition: attachment; filename="'.basename($file).'"'); //file name may contain spaces, 
			header('Content-Transfer-Encoding: binary');
			header('Expires: 0');
			header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
			header('Pragma: public');
			header('Content-Length: ' . filesize($real));
			ob_clean();
			flush();
			readfile($real);
			exit;
		}

	}
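A fuller version of the same approach, as an added example that is not rotezecke's code and not part of CMSMS or the FEU module: a stand-alone download endpoint (call it download.php, placed in the CMSMS document root) that refuses anonymous visitors, resolves the requested name against a directory outside the web root, and rejects anything that resolves outside it. It assumes the CMSMS bootstrap at lib/include.php (the file index.php loads), that the FrontEndUsers module exposes LoggedIn(), and a protected directory named by the PROTECTED_DIR constant; all three are assumptions to adjust for your install.

```php
<?php
// Added example, not from the post above or from CMSMS/FEU. A download endpoint that
// only serves files to a logged-in FEU user and never leaves PROTECTED_DIR.
// Assumed: protected files live one level above the document root (outside it).
define('PROTECTED_DIR', dirname($_SERVER['DOCUMENT_ROOT']) . '/protected_downloads');

// Map a requested sub-directory and file name to an absolute path, or return null.
// Each rejection below is a deliberate security decision, not a convenience.
function resolve_protected_file(string $base, string $dir, string $file): ?string
{
    if ($dir === '' || $file === '') return null;
    if (strpos($dir . $file, "\0") !== false) return null;           // no NUL bytes in paths
    if ($dir !== basename($dir) || $file !== basename($file)) return null; // no separators
    if (in_array($dir, ['.', '..'], true) || in_array($file, ['.', '..'], true)) return null;

    $realBase = realpath($base);
    $real     = realpath($base . '/' . $dir . '/' . $file);
    if ($realBase === false || $real === false) return null;

    // Containment check on the *resolved* path: this also defeats symlinks placed
    // inside the protected directory that point back into the web root or elsewhere.
    if (strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) return null;
    return is_file($real) ? $real : null;
}

// Content types for the few file kinds actually distributed; anything else is sent
// as a generic binary attachment so the browser never tries to render it inline.
function content_type_for(string $path): string
{
    $types = ['pdf' => 'application/pdf', 'zip' => 'application/zip'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $types[$ext] ?? 'application/octet-stream';
}

function send_file(string $path): void
{
    header('Content-Type: ' . content_type_for($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');   // do not let shared caches keep a copy
    while (ob_get_level()) ob_end_clean();        // flush any buffered HTML before raw bytes
    readfile($path);
}

// ---- request handling ----
require_once __DIR__ . '/lib/include.php';        // CMSMS bootstrap (assumed location)

$feu = cms_utils::get_module('FrontEndUsers');
if (!$feu || !$feu->LoggedIn()) {                  // LoggedIn(): assumed FEU 2.x API
    http_response_code(403);
    exit('Login required');
}

$dir  = $_GET['dir']  ?? '';
$file = $_GET['file'] ?? '';
if (!is_string($dir) || !is_string($file)) {       // dir[]=.. style input is not a string
    http_response_code(400);
    exit('Bad request');
}

$path = resolve_protected_file(PROTECTED_DIR, $dir, $file);
if ($path === null) {
    http_response_code(404);                       // same answer for "bad name" and "missing"
    exit('Not found');
}
send_file($path);
```

Link to it from the FEU-protected page as /download.php?dir=…&amp;file=…; the browser sends the FEU session cookie with that request, so a copied link still works for the person who copied it but returns 403 to anyone who is not logged in. That is the customer's requirement; it does not stop a logged-in user from downloading the file and passing the file itself on.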
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Can FEU module prevent deep linking of files?

Post by Jo Morg »

JMDownMan does what you need and can scan existing directories IIRC, being a release candidate is of no consequence, it is a stable release and soon to be updated too.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Can FEU module prevent deep linking of files?

Post by calguy1000 »

If users get a direct link to the file it is no longer a CMSMS thing or an FEU thing. At that point the download is handled by the web server, not your CMS. What you need is to:

a: Protect direct access to the file by either:
- moving it out of your document root to a location where the webserver cannot access it.
- adding .htaccess rules to prevent the webserver from serving the file(s).

b: Provide a URL that IS controlled by some code. It should perform additional security checks and then send the file to the user.
There are multiple ways to do this. Using a module such as Uploads, JMDownMan, or plugins such as the ones included below. It all really depends on what kind of security you need.
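Option a from the post above, the .htaccess variant, as an added example that is not calguy1000's code: it makes Apache refuse to serve anything under an assumed /downloads directory directly, while a PHP handler (option b) can still read the same files through the filesystem. The directory name and the AllowOverride requirement are assumptions about your hosting.

```apache
# Added example, not from the post above. Save as /downloads/.htaccess (assumed directory
# under the document root). Requires AllowOverride to permit authorization directives;
# on shared hosting that is normally already the case when mod_rewrite works.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

Denying everything is the only rule that holds: a Referer-based rule (the approach the original poster tried) cannot distinguish logged-in users from anyone else, because the Referer header is set by the client, is routinely stripped by browsers and proxies, and can be forged by anyone who has the link. After this rule, http://www.mydomain.de/downloads/file.pdf returns 403 for everyone, and the only way to get the file is through the script that checks the FEU login.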
reinhardmohr
Forum Members
Posts: 112
Joined: Sun Aug 06, 2006 2:36 pm
Location: Munich, Germany

Re: Can FEU module prevent deep linking of files?

Post by reinhardmohr »

Thanks a lot, everybody,

for helping so quickly and so comprehensively.
It will certainly take me a few days to check your suggestions – I will try and report what I found out.
@Calguy: You wrote:
plugins such as the ones included below
Did you mean the plugins I see when I do a search in the Forge? Or did I just not understand which plugins were included below where?
Sorry that I had to ask again! Thanks for caring about my problem!
reinhardmohr
Forum Members
Posts: 112
Joined: Sun Aug 06, 2006 2:36 pm
Location: Munich, Germany

Re: Can FEU module prevent deep linking of files?

Post by reinhardmohr »

Hi, thanks for all the information above.

@ Jo Morg:
Thanks for pointing me to JMDownMan. Yes, this would indeed be a solution. But it took me two days now to set it up and check it. And find out why I had problems getting it to work …
Probably this is not the right thread for improving JMDownMan, so I don't want to make it too long.
• There are some minor bugs. Like the save or cancel buttons in some places don't work.
• Or some settings for the imported files are only saved when repeatedly applied.
• But the big problem is that "scan existing folders" does not work at all. It produces imported files with only -1 as template name, always with a size of 2B and with missing file path – so the download link ends in "file not found" from the server.

Only when I finally tried to upload a new file (instead of scanning existing ones) it worked almost as expected (given the minor bugs from above still are here …).
So even uploading all of the files (many …) didn't work as some are too big for the server's max-upload-limit (I tried to override it with htaccess – didn't work).

Is there a professional (paid) way you could fix the problems? For now this is a requirement / a wish from my customer – but not an official project yet. So it depends a bit on the details.
I will also try out other solutions and will report them here.
Thanks Jo Morg and thanks everybody for CMSms!
Reinhard
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Can FEU module prevent deep linking of files?

Post by Jo Morg »

reinhardmohr wrote: Is there a professional (paid) way you could fix the problems? For now this is a requirement / a wish from my customer – but not an official project yet. So it depends a bit on the details.
Sure! PM me if you need it.
However I have JMDownMan installed on a number of sites without issues probably just not on latest PHP. So maybe a PHP version issue there? I'd need more details about that. But there are definitely solutions possible to do what you want/need.