Module Uploads: avoiding direct file download from URL with apache

Post by blast2007 »

A trivial tip to avoid direct file download via URL can be used with Apache.
Simply create a new .htaccess in the root directory of your documents with these rows:

Code:

<Files ~ ".+">
Order allow,deny
Deny from all
Satisfy All
</Files>

Your files are protected against direct download but work fine with the Uploads module.

Moreover, remember to also turn off directory browsing across your whole site if you don't want it (Options -Indexes in .htaccess).

Regards
blast
Last edited by blast2007 on Sun Jun 29, 2008 9:30 pm, edited 1 time in total.
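
An added example, not part of the original post: the same deny rule written so that it works on both Apache 2.2 and Apache 2.4, where `Order`, `Deny` and `Satisfy` are only available through mod_access_compat. The directory path is a placeholder, and the `AllowOverride` line is an assumption about the server or virtual-host configuration, which the thread does not show.

```apache
# --- Server or virtual-host configuration (NOT .htaccess) ---
# Placeholder path: substitute the directory that holds the uploaded files.
<Directory "/path/to/site/uploads">
    # If overrides are not allowed here, Apache ignores the .htaccess below
    # and the files stay downloadable by direct URL.
    # Limit      -> Order / Deny (2.2 syntax)
    # AuthConfig -> Require / Satisfy
    # Options    -> Options -Indexes
    AllowOverride Limit AuthConfig Options
</Directory>

# --- .htaccess inside the directory to protect ---
# The rule applies to every file in the directory, so the
# <Files ~ ".+"> wrapper from the post is not needed.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (mod_authz_host); "Satisfy All" is already the default
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

# No directory listings
Options -Indexes

# These directives only refuse HTTP requests for the physical path.
# A PHP module that reads the file from disk and streams it is not
# affected, so any login check has to happen inside that module.
```

After a change, a request for the physical file path should return 403; the module's own download URL is not governed by these directives.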

Post by applejack »

Hi I tried this by putting the .htaccess into the folder in uploads where the files are located but I could still access a file from a URL when not logged in. The URL hides the true path but the download still works. I would be grateful if you could explain further.

This is my .htaccess file.

Code:

<Files ~ ".+">
Order allow,deny
Deny from all
Satisfy All
</Files>

Options -Indexes

Last edited by applejack on Mon Jun 01, 2009 8:45 pm, edited 1 time in total.

Website Design & Production
http://www.applejack.co.uk

Post by blast2007 »

Hi applejack,

I can confirm that this trick is working fine on my site.

You have to put this .htaccess inside the directory where you want to protect files.

Also check the permissions and owner of your .htaccess, because most of the time it is a permission problem.

Regards
blast

Post by applejack »

Hi Blast

Yes the .htaccess file is in the directory which contains the files and is owned by apache.

In the .htaccess file which is in the root, as I am using pretty URLs, should this be where the Options -Indexes goes, or in uploads/myfolder? And does it matter where it is placed, i.e. above or below the etc etc

Also, in the .htaccess file in root there is the line Options +FollowSymLinks. Should this be kept or changed to Options -Indexes?

As you can probably tell, mod rewrite is not one of my strongest points!!!


Post by blast2007 »

I'm using pretty URL on root .htaccess too and all works fine.

I'm sending you a PM with URL to visit and make some tests.

Regards
blast

Post by applejack »

Hi Blast

I can download the file on your system by a direct link. If I go to the page and do copy link then paste that into the address bar it downloads the file.

The link does not end in .pdf but pdf.htm


Post by blast2007 »

applejack wrote: I can download the file on your system by a direct link. If I go to the page and do copy link then paste that into the address bar it downloads the file.

OK, you can download it only from the Uploads module, not from a direct link to the file.

I mean you can download files only with:

http://www.site.com/uploads/130/filename-pdf.htm

and not with:

http://www.site.com/uploads/filename.pdf

This was the meaning of my trick.

Regards
blast

Post by applejack »

Blast

Yes that is true and it may provide some protection from search engines but not if someone just posts that link which is what I am after.

Anyhow thanks for the conversation, appreciate it.


Post by blast2007 »

Ok I understand your request, but I think it could be achieved only with some modification to uploads module.

You can ask the module's Project Admin$ ;) for this patch.

Regards
blast

Post by calguy1000 »

applejack wrote: Blast

Yes that is true and it may provide some protection from search engines but not if someone just posts that link which is what I am after.

Anyhow thanks for the conversation, appreciate it.

Maybe it would actually help if you described what you wanted?

Others have given solutions as to how to prevent direct access to the file by somebody guessing the path... and to ensure that everything goes through the uploads module so that users have to be members of the allowed FEU groups.... What else do you want?

It's been 2 days now, you've posted 3 replies to this thread and you really haven't given any information.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.

Post by applejack »

If a user is registered and there is a link to a file which they can download they can copy and paste that link and either pass it to someone else who is not registered or post it onto another site from which either way the file can be downloaded.

I need it so that only a user who is logged in at the time can actually download it.

Hope that makes it clearer.


Post by calguy1000 »

Uploads module already covers this on a category by category basis.

Post by applejack »

I know that the link to download the file is not the actual link to the category directory in uploads but if a user right clicks on the link and copies it, it can be downloaded by a non registered user if they know that link.

Try this and see if it downloads

http://cms.applejack.co.uk/uploads/110/eye2-gif/
Last edited by applejack on Wed Jun 03, 2009 5:36 pm, edited 1 time in total.


Post by jmcgin51 »

applejack wrote: I know that the link to download the file is not the actual link to the category directory in uploads but if a user right clicks on the link and copies it, it can be downloaded by a non registered user if they know that link.

No, this is not true.

If an authorized user gives the uploads_url link to an unauthenticated user, the unauthenticated user will not be able to access the file.

The only way the file can be directly accessed via the URL is if the user (authorized or unauthorized) somehow knows or guesses the true physical path to the file on the server.  Since Uploads (by default) does not reveal this path, this would have to be either guessed (unlikely, but possible), revealed by some sort of hack, or revealed by an admin user.

Post by applejack »

Hi jmcgin51

I have installed this on 4 different systems and each time an unauthenticated user is able to download the file from the uploads url. Are you able to download the file from the link above?

I have tried this on multiple browsers, platforms and deleted cookies in a browser before trying this. The only thing which I cannot test is if Uploads checks my IP address and allows me access because of that which I do not think it does.

I would really like to see a working example if you or anyone else has one.
