I have used p:fileUpload to upload an image. I don't really need to upload the image to the server but I just need to get the full local URL(ie.c:/.../../..) of the file(image) which is saved in the local disk, I tried but I just got the filename with the extension. This is an web application which is used locally, so both sever and client are on the same machine. The URL need to be saved in database.
For security reasons, browsers don't send the full client side file path. They only send the file contents and the file name. Ancient browsers and MSIE are the only browsers who expose the security bug of still sending the full client side file path along with the file upload. You should not be relying on this security bug in your application.
You're supposed to grab the file contents in flavor of InputStream of byte[] and write it immediately to a more permanent storage location yourself by FileOutputStream or perhaps via a #Lob to a BLOB column in DB. You can if necessary use File#createTempFile() to autogenerate an unique filename.
Note that a local disk file sytem path can't represent a valid HTTP URL which the client could use to obtain the file. Browsers like Firefox refuse to serve file:// URLs when the initial webpage itself is opened by http:// instead of file://. So you really need to serve those uploaded files back via a web server. It's recommended to just store only the file name (not full path!) in the DB. You can then configure the webserver to publish a certain folder to the web, or create a simple servlet to serve a certain folder to the web.
See also:
How to save uploaded file in JSF
How to convert Part to Blob, so I can store it in MySQL?
Load images from outside of webapps / webcontext / deploy folder using <h:graphicImage> or <img> tag
Related
I have recently launched a website on GoDaddy hosting. I have keept some images and JavaScript files used in website, in separate folders. I want to prevent the users from browsing those images and files by simply appending the folder and file name in the website URL. For example
www.example.com/images/logo.png
If I understand correctly, you want to have html file with images, that shouldn't be accessible alone? If yes, then it cannot be done. You can watch for correct HTTP Referrer header, but it can be simply faked and it also makes it inaccessible for browsers that don't send referrer or having sending it forbidden for "privacy" reasons.
If you want hide files to be accessible only by server side scripts, ftp/scp, then you can try to use .htaccess (if GoDaddy runs on Apache) and correct configuration: https://httpd.apache.org/docs/2.2/howto/access.html
Another way could be hiding that files and creating one-shot token like this:
<img src=<?pseudocode GEN_TOKEN("file.jpg") ?> /> with another file serving these hidden files just for generated token, then deleting it from DB. Nevertheless, this will not protect anybody from downloading or accessing these files, if they want...
But, anyway, try to clarify your question better...
If you are keeping images/files in folder which is open to public, I guess you kept in that folder for purpose, you want public to access those images and files.
How public know images file name? Stop file content listing for your web site.
I am not aware which language you are using on web server, but in ASP.NET you may write module/ middle ware which can intercept in coming request and based on your logic (e.g. authentication and authorization) you can restrict access. All modern languages support this kind of functionality.
My website has some of its files temporarly saved in the web browser cache.
Concerning CSS and images files, no problem but for some files it's a real security issue.
Is there a way to prevent some files from :
- being downloaded from the cache ?
- being visible in the cache ?
or crypt them maybe
Thanks.
David
Well you can configure your webserver so it sends certain http headers for certain file types such as javascript. For example for Apache web server we can use mod_expires module.
Another option is to add a random string to the end of each file that should not be cached by the web browser. for example the file script_name.js can be server as script_name.js?somerandomstring
For security, I want to upload employee contracts to the hidden server side path. The upload works fine.
However, I also want to be able to download or view that file when I am logged in the front end of my website, with a seceret link. Is this possible?
Any other ideas?
Joomla website, hosted on Rack Space Cloud Sites.
Sure, upload the file to a directory outside the webroot, or a directory with a .htaccess file that contains "deny from all". Have a sql table that maps the primary key to the file name, the file's content-type and access control information and other metadata about this file. Then save the file as the primary key, so /uploads/1.
Then to download the file, burn a sql query to figure out if they should be able to download the file.
<?
//...
$q=mysql_fetch_array($q);
header("content-type: ".$q['content_type']);
print file_get_contents("./uplaods/".intval($q['id']));
?>
Hi suppose my site as www.xyz.com and i have a folder as _Userfile which have file uploaded by my users and if they download there file the link is www.xyz/_Userfile/userfile.doc now i want to learn this:
if some one has the link to other user file he can download it i want to solve this(privacy)
2: protect my site file from website downloader.
ASAP plz
Also i am using virtual directory to save my user files so i need a way to protect any type of file to be downloaded by any kind of software
You'll have to implement an authentication mechanism, and to serve those files through a server-side application (in PHP, Java or whatever), that checks if the authenticated user has the right to access a resource, then reads the resource from the disk and writes it to the HTTP response. The documents should be placed in a location that is not directly accessible through HTTP.
Just add index.html file in the folder _Userfile... This will prevent others accessing the whole directory listing in _UserFile folder! Simple isn't it?
I have a folder in my web server used for the users to upload photos using an ASP page.
Is it safe enough to give IUSR write permissions to the folder? Must I secure something else?
I am afraid of hackers bypassing the ASP page and uploading content directly to the folder.
I'm using ASP classic and IIS6 on Windows 2003 Server. The upload is through HTTP, not FTP.
Edit: Changing the question for clarity and changing my answers as comments.
also, I would recommend not to let the users upload into a folder that's accessible from the web. Even the best MIME type detection may fail and you absolutely don't want users to upload, say, an executable disguised as a jpeg in a case where your MIME sniffing fails, but the one in IIS works correctly.
In the PHP world it's even worse, because an attacker could upload a malicious PHP script and later access it via the webserver.
Always, always store the uploaded files in a directory somewhere outside the document root and access them via some accessing-script which does additional sanitizing (and at least explicitly sets a image/whatever MIME type.
How will the user upload the photos? If you are writing an ASP page to accept the uploaded files then only the user that IIS runs as will need write permission to the folder, since IIS will be doing the file I/O. Your ASP page should check the file size and have some form of authentication to prevent hackers from filling your hard drive.
If you are setting up an FTP server or some other file transfer method, then the answer will be specific to the method you choose.
You'll have to grant write permissions, but you can check the file's mime type to ensure an image. You can use FSO as so:
set fs=Server.CreateObject("Scripting.FileSystemObject")
set f=fs.GetFile("upload.jpg")
'image mime types or image/jpeg or image/gif, so just check to see if "image" is instr
if instr(f.type, "image") = 0 then
f.delete
end if
set f=nothing
set fs=nothing
Also, most upload COM objects have a type property that you could check against before writing the file.
Your best bang for the buck would probably be to use an upload component (I've used ASPUpload) that allows you to upload/download files from a folder that isn't accessible from the website.
You'll get some authentication hooks and won't have to worry about someone casually browsing the folder and downloading the files (or uploading in your case), since the files are only available through the component.