Module Uploads: avoiding direct file download from URL with apache
Re: Module Uploads: avoiding direct file download from URL with apache
ahhhhhhhh, now I know what your problem is...
You have use_hierarchy turned on in your config file, correct?
Please see this bug report: http://dev.cmsmadesimple.org/bug/view/3454
Re: Module Uploads: avoiding direct file download from URL with apache
Well spotted jmcgin51, no wonder there was some confusion !!!
Unfortunately that creates a bit of a huge problem for a site that has been up there for a while and whose pages have been indexed by search engines. It is not realistic to now change use_hierarchy to false, as otherwise this will generate a 404 error, as well as any offline marketing etc.
I have however worked out another way of making files secure.
Re: Module Uploads: avoiding direct file download from URL with apache
applejack wrote: I have however worked out another way of making files secure.
Would you mind sharing, for the benefit of others who may need a similar solution?
Re: Module Uploads: avoiding direct file download from URL with apache
Hi jmcgin51
Ok my solution is to use a call to a php file in the Uploads template for the link.
Code:
<a href="download.php?file={$entry->upload_name}">Link</a>
In the FEU permissions you need to check "Use cookies to keep logins alive"; this will create a cookie named feu_sessionid when the user logs in.
The code for the download.php file is
Code:
<?php
// File name requested by the Uploads template link.
// basename() drops any directory part so the request cannot leave $FILES_DIR.
$file = isset($_GET["file"]) ? basename($_GET["file"]) : "";
// Only tests that the FEU cookie is present; its value is not validated here.
if (isset($_COOKIE["feu_sessionid"])) {
    $FILES_DIR = $_SERVER["DOCUMENT_ROOT"]."/uploads/my_uploads_category_directory/";
    // Stop early when the name is empty or does not point at a regular file.
    if ($file === "" || !is_file($FILES_DIR.$file)) {
        header("HTTP/1.0 404 Not Found");
        exit;
    }
    $len = filesize($FILES_DIR.$file);
    header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache"); // HTTP/1.0
    header("Content-Disposition: attachment; filename=".$file);
    header("Content-Type: application/force-download");
    header("Content-Type: application/download");
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: ".$len);
    readfile($FILES_DIR.$file);
} else {
    // Not logged in: send the visitor to the page for anonymous users.
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Location: http://".$_SERVER["SERVER_NAME"]."/my_page_alias_for_not_logged_in");
}
exit;
?>
This is if there is only one Uploads category. If you need it to work for multiple categories you have to give the same name, which is case sensitive, as the server path and then use
Code:
<a href="download.php?file={$entry->upload_name}&category={$entry->category}">Link</a>
and in the download.php file add and change
Code:
// Category name from the link; basename() keeps it to a single path component.
$category = isset($_GET["category"]) ? basename($_GET["category"]) : "";
if ($category === "" || $category === "." || $category === "..") { exit; }
$FILES_DIR = $_SERVER["DOCUMENT_ROOT"]."/uploads/$category/my_uploads_category_directory/";
It would also be useful to include the .htaccess file in each my_uploads_category_directories and use an additional subdirectory beneath uploads and reference accordingly for additional security.
Rather than doing it this way it could of course be included in the Uploads module file action.getfile.php if edited correctly.
Hope that explains it ok and thanks to you and Blast for your input.
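The multi-category variant above builds the server path from two URL parameters, the category and the file name. As an added example (not code from this thread or from the Uploads module), one way to confine the resolved path to known category directories before serving it; the function name resolve_download(), the category list and the sample tree are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. resolve_download(), the category
// list and the sample tree below are assumptions made for illustration.
function resolve_download($uploadsRoot, array $allowedCategories, $category, $file)
{
    // The category must be one of the known directory names (case sensitive).
    if (!in_array($category, $allowedCategories, true)) {
        return null;
    }
    // Refuse non-strings, empty names, NUL bytes and names with a directory part.
    if (!is_string($file) || $file === '' || strpos($file, "\0") !== false
        || basename($file) !== $file) {
        return null;
    }
    $root = realpath($uploadsRoot . '/' . $category);
    $path = realpath($uploadsRoot . '/' . $category . '/' . $file);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved symlinks and "..", so the result must still
    // start with the category directory.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample tree in the temp directory so the example runs offline.
$base = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($base . '/Reports', 0700, true);
file_put_contents($base . '/Reports/q1.pdf', 'constructed sample');
file_put_contents($base . '/secret.txt', 'outside every category');

$requests = array(
    array('Reports', 'q1.pdf'),         // ordinary request
    array('Reports', '../secret.txt'),  // file name with a directory part
    array('..', 'secret.txt'),          // category that is not in the list
    array('reports', 'q1.pdf'),         // wrong case for the category name
    array('Reports', '..'),             // name that resolves to a directory
);
foreach ($requests as $r) {
    $path = resolve_download($base, array('Reports'), $r[0], $r[1]);
    echo $r[0], ' / ', $r[1], ' => ', ($path === null ? 'refused' : $path), "\n";
}
```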
Re: Module Uploads: avoiding direct file download from URL with apache
Hi, we have just realised we are having the same problem on our website.
I was made aware of the issue when someone googled their name and a direct link came up to the document. Does anyone know if this has been fixed in the later versions? Or will I need to take the actions that were discussed in this thread?
Re: Module Uploads: avoiding direct file download from URL with apache
Check the bug report in the Uploads module download page.
Re: Module Uploads: avoiding direct file download from URL with apache
Sorry, I'm new to this site, where is this section? I have had a good look but can't find it :S
Last edited by joshw on Fri Jul 10, 2009 7:32 am, edited 1 time in total.
Re: Module Uploads: avoiding direct file download from URL with apache
http://dev.cmsmadesimple.org/bug/list/9
There is an updated version of Uploads but whether or not this issue is sorted I do not know.
Last edited by applejack on Fri Jul 10, 2009 9:02 am, edited 1 time in total.