
Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Thu Jun 04, 2009 2:14 pm
by jmcgin51
ahhhhhhhh, now I know what your problem is...

You have use_hierarchy turned on in your config file, correct?

Please see this bug report: http://dev.cmsmadesimple.org/bug/view/3454

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Thu Jun 04, 2009 2:18 pm
by blast2007
gotcha!

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Thu Jun 04, 2009 3:08 pm
by applejack
Well spotted jmcgin51, no wonder there was some confusion!!!

Unfortunately that creates a bit of a huge problem for a site that has been up there for a while and whose pages have been indexed by search engines. It is not realistic to now change use_hierarchy to false, as otherwise this will generate a 404 error, as well as any offline marketing etc.

I have however worked out another way of making files secure.

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Thu Jun 04, 2009 3:17 pm
by jmcgin51
applejack wrote: I have however worked out another way of making files secure.
Would you mind sharing, for the benefit of others who may need a similar solution?

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Thu Jun 04, 2009 4:19 pm
by applejack
Hi jmcgin51

OK, my solution is to use a call to a PHP file in the Uploads template for the link.

Code:

<a href="download.php?file={$entry->upload_name}">Link</a>

In the FEU permissions you need to check "Use cookies to keep logins alive"; this will create a cookie named feu_sessionid when the user logs in.

The code for the download.php file is

Code:

<?php
// Only the presence of the feu_sessionid cookie is checked; its value is not validated against a session
if (isset($_COOKIE["feu_sessionid"])) {
	$FILES_DIR = $_SERVER["DOCUMENT_ROOT"]."/uploads/my_uploads_category_directory/";
	// basename() drops any directory part, so "../" in the parameter cannot leave $FILES_DIR
	$file = isset($_GET["file"]) ? basename($_GET["file"]) : "";
	if (!is_file($FILES_DIR.$file)) {
		header("HTTP/1.0 404 Not Found");
		exit;
	}
	$len = filesize($FILES_DIR.$file);
	header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
	header("Cache-Control: post-check=0, pre-check=0", false);
	header("Pragma: no-cache"); // HTTP/1.0
	header("Content-Disposition: attachment; filename=\"".$file."\"");
	header("Content-Type: application/force-download");
	header("Content-Type: application/download");
	header("Content-Transfer-Encoding: binary");
	header("Content-Length: ".$len);
	readfile($FILES_DIR.$file);

} else {
	header("Cache-Control: no-cache, must-revalidate");
	header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
	header("Location: http://".$_SERVER["SERVER_NAME"]."/my_page_alias_for_not_logged_in");
}

exit;
?>

This is if there is only one Uploads category. If you need it to work for multiple categories, you have to give the same name, which is case sensitive, as the server path and then use

Code:

<a href="download.php?file={$entry->upload_name}&category={$entry->category}">Link</a>

and in the download.php file add and change

Code:

// Keep only the last path component and refuse ".", ".." and an empty value
$category = isset($_GET["category"]) ? basename($_GET["category"]) : "";
if ($category === "" || $category === "." || $category === "..") { exit; }

$FILES_DIR = $_SERVER["DOCUMENT_ROOT"]."/uploads/$category/my_uploads_category_directory/";

It would also be useful to include the .htaccess file in each my_uploads_category_directory and use an additional subdirectory beneath uploads and reference accordingly for additional security.

Rather than doing it this way it could of course be included in the Uploads module file action.getfile.php if edited correctly.

Hope that explains it ok and thanks to you and Blast for your input.
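
The multi-category variant in the post above builds the served path from two request parameters, so both have to be constrained before the file is read. The following is an added example, not applejack's code or part of the Uploads module: a hypothetical resolve_download() helper that allowlists the category, accepts only a plain file name, and confirms with realpath() that the result stays inside the category directory. The directory names and sample files are constructed for the demo.

```php
<?php
// Added example; resolve_download() and the demo paths are hypothetical names.

/** Return the absolute path to serve, or null when the request must be refused. */
function resolve_download(string $uploadsRoot, array $allowed, string $category, string $file): ?string
{
    // The category must match a known Uploads category directory exactly.
    if (!in_array($category, $allowed, true)) {
        return null;
    }
    // Accept only a plain file name: no directory part, no NUL byte, and no
    // leading dot (this also refuses ".", ".." and the .htaccess file).
    if ($file === '' || $file[0] === '.' || $file !== basename($file)
        || strpos($file, "\0") !== false) {
        return null;
    }
    $dir  = realpath($uploadsRoot . DIRECTORY_SEPARATOR . $category);
    $path = realpath($uploadsRoot . DIRECTORY_SEPARATOR . $category . DIRECTORY_SEPARATOR . $file);
    if ($dir === false || $path === false || !is_file($path)) {
        return null;
    }
    // With symlinks resolved, the file must still be inside the category directory.
    $prefix = $dir . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree in the temp directory so the script runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'reports', 0700, true);
file_put_contents("$base/reports/q1.pdf", 'constructed sample');
file_put_contents("$base/reports/.htaccess", "Deny from all\n");
file_put_contents("$base/secret.txt", 'outside every category');

$cases = [
    ['reports', 'q1.pdf'],               // served
    ['reports', 'x/../../secret.txt'],   // refused: has a directory part
    ['reports', '.htaccess'],            // refused: leading dot
    ['..',      'secret.txt'],           // refused: category not in the allowlist
    ['reports', 'missing.pdf'],          // refused: no such file
];
foreach ($cases as [$category, $file]) {
    $path = resolve_download($base, ['reports'], $category, $file);
    printf("%-8s %-20s %s\n", $category, $file, $path === null ? 'refused' : 'serve ' . basename($path));
}

// Remove the demo tree.
array_map('unlink', ["$base/reports/q1.pdf", "$base/reports/.htaccess", "$base/secret.txt"]);
rmdir("$base/reports");
rmdir($base);
```

In a download script the returned path would be passed to filesize() and readfile(), and a null result answered with a 404 instead of reading anything.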

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Thu Jun 04, 2009 6:14 pm
by jmcgin51
thanks!!

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Thu Jul 09, 2009 4:41 pm
by joshw
Hi, we have just realised we are having the same problem on our website.

I was made aware of the issue when someone googled their name and a direct link came up to the document. Does anyone know if this has been fixed in the later versions? Or will I need to take the actions that were discussed in this thread?

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Thu Jul 09, 2009 5:09 pm
by applejack
Check the bug report in the Uploads module download page.

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Fri Jul 10, 2009 7:25 am
by joshw
Sorry, I'm new to this site. Where is this section? I have had a good look but can't find it :S

Re: Module Uploads: avoiding direct file download from URL with apache

Posted: Fri Jul 10, 2009 9:00 am
by applejack
http://dev.cmsmadesimple.org/bug/list/9

There is an updated version of Uploads but whether or not this issue is sorted I do not know.