Secure file uploads

Post by phatphug »

Hi guys.

I'm totally new to CMSMS so forgive me if this is a stupid question.

I'm playing around with a new install of CMSMS to see if it would be suitable for a site I'm building.

One of the main requirements is that we have a secure area for files to be downloaded (basically to ensure that only registered users can access these files). Now, if this was a hand-coded PHP site I would place the files above the public_html directory (so that the files are not accessible by a direct HTTP URL).

So, my question is... Can I do the same with the uploads directory?
I notice that config.php has an 'uploads_path' and 'uploads_url'. In my case however, there wouldn't be a valid uploads_url (as the directory is not directly accessible).

thanks

Re: Secure file uploads

Post by jmcgin51 »

The Uploads module creates an encoded URL like this:
http://www.mysites.com/index.php?mact=U ... 24&page=24

or if pretty URLs and use_hierarchy are turned on, something like this:
http://www.mysite.com/uploads/93/filename-ext.php

When a user attempts to access a file via this produced URL, Uploads checks to see if the user is a member of a group that is authorized to view the file (as specified by an admin in the Uploads category configuration).

However, if a user somehow knows/guesses the direct URL to the file:
http://www.mysite.com/uploads/full/path ... lename.xyz
there is no protection.

See also this thread:
http://forum.cmsmadesimple.org/index.ph ... 297.0.html