Server Side path to store uploads from website - security

For security, I want to upload employee contracts to the hidden server side path. The upload works fine.
However, I also want to be able to download or view that file when I am logged in the front end of my website, with a seceret link. Is this possible?
Any other ideas?
Joomla website, hosted on Rack Space Cloud Sites.

Sure, upload the file to a directory outside the webroot, or a directory with a .htaccess file that contains "deny from all". Have a sql table that maps the primary key to the file name, the file's content-type and access control information and other metadata about this file. Then save the file as the primary key, so /uploads/1.
Then to download the file, burn a sql query to figure out if they should be able to download the file.
<?
//...
$q=mysql_fetch_array($q);
header("content-type: ".$q['content_type']);
print file_get_contents("./uplaods/".intval($q['id']));
?>

Related

How to prevent users from browsing certain files of my website

I have recently launched a website on GoDaddy hosting. I have keept some images and JavaScript files used in website, in separate folders. I want to prevent the users from browsing those images and files by simply appending the folder and file name in the website URL. For example
www.example.com/images/logo.png
If I understand correctly, you want to have html file with images, that shouldn't be accessible alone? If yes, then it cannot be done. You can watch for correct HTTP Referrer header, but it can be simply faked and it also makes it inaccessible for browsers that don't send referrer or having sending it forbidden for "privacy" reasons.
If you want hide files to be accessible only by server side scripts, ftp/scp, then you can try to use .htaccess (if GoDaddy runs on Apache) and correct configuration: https://httpd.apache.org/docs/2.2/howto/access.html
Another way could be hiding that files and creating one-shot token like this:
<img src=<?pseudocode GEN_TOKEN("file.jpg") ?> /> with another file serving these hidden files just for generated token, then deleting it from DB. Nevertheless, this will not protect anybody from downloading or accessing these files, if they want...
But, anyway, try to clarify your question better...
If you are keeping images/files in folder which is open to public, I guess you kept in that folder for purpose, you want public to access those images and files.
How public know images file name? Stop file content listing for your web site.
I am not aware which language you are using on web server, but in ASP.NET you may write module/ middle ware which can intercept in coming request and based on your logic (e.g. authentication and authorization) you can restrict access. All modern languages support this kind of functionality.

Getting full URL of an uploaded file deployed in local server in Primefaces

I have used p:fileUpload to upload an image. I don't really need to upload the image to the server but I just need to get the full local URL(ie.c:/.../../..) of the file(image) which is saved in the local disk, I tried but I just got the filename with the extension. This is an web application which is used locally, so both sever and client are on the same machine. The URL need to be saved in database.
For security reasons, browsers don't send the full client side file path. They only send the file contents and the file name. Ancient browsers and MSIE are the only browsers who expose the security bug of still sending the full client side file path along with the file upload. You should not be relying on this security bug in your application.
You're supposed to grab the file contents in flavor of InputStream of byte[] and write it immediately to a more permanent storage location yourself by FileOutputStream or perhaps via a #Lob to a BLOB column in DB. You can if necessary use File#createTempFile() to autogenerate an unique filename.
Note that a local disk file sytem path can't represent a valid HTTP URL which the client could use to obtain the file. Browsers like Firefox refuse to serve file:// URLs when the initial webpage itself is opened by http:// instead of file://. So you really need to serve those uploaded files back via a web server. It's recommended to just store only the file name (not full path!) in the DB. You can then configure the webserver to publish a certain folder to the web, or create a simple servlet to serve a certain folder to the web.
See also:
How to save uploaded file in JSF
How to convert Part to Blob, so I can store it in MySQL?
Load images from outside of webapps / webcontext / deploy folder using <h:graphicImage> or <img> tag

Get link to file I uploaded to DNN Website

How do I get a link to a file I have uploaded to my website?
I have uploaded a file to my website by going to Admin - File Manager then I uploaded the file to this destination *Portal Root\Pages\Customisation* how do I then get a link to the file I just uploaded?
The file is myFile.PDF so I have tried this path but it doesn't send me back the file:
http://mywebsite.com.au/Pages/Customisation/myFile.pdf
The "portal root" is typically housed in the directory "Portals/0," so the full URL would be http://mywebsite.com.au/Portals/0/Pages/Customisation/myFile.pdf. If you have multiple sites/portals within the DNN installation, that you'll need to find the ID, instead of assuming that it's 0.
There's also a small possibility that the home directory has been customized to some other directory name entirely. But you can verify the directory on the Advanced Settings tab of Site Settings, in the Page Management section.

How to protect my site user file from a website downloader

Hi suppose my site as www.xyz.com and i have a folder as _Userfile which have file uploaded by my users and if they download there file the link is www.xyz/_Userfile/userfile.doc now i want to learn this:
if some one has the link to other user file he can download it i want to solve this(privacy)
2: protect my site file from website downloader.
ASAP plz
Also i am using virtual directory to save my user files so i need a way to protect any type of file to be downloaded by any kind of software
You'll have to implement an authentication mechanism, and to serve those files through a server-side application (in PHP, Java or whatever), that checks if the authenticated user has the right to access a resource, then reads the resource from the disk and writes it to the HTTP response. The documents should be placed in a location that is not directly accessible through HTTP.
Just add index.html file in the folder _Userfile... This will prevent others accessing the whole directory listing in _UserFile folder! Simple isn't it?

Question regarding setting up a new website in htdocs folder

Today I moved my website to a new hosting company (Verio). I've done this lots of times before, and I know that your website should go inside the "htdocs" folder.
Now usually when I use FileZilla, I can do a "Right Click" on a filename to get the URL of that file. This is the result of my root default file: ftp://test#test.com/www/htdocs/Research/index.php
However, on the web, the true URL of my default file is: www.test.com/Research/index.php
My index.php file is in the website root folder. Does anyone know why FileZilla would include the server folders "www/htdocs" as part of the URL? These folders should not normally be visible to the user.
OR, is this look correct?
That ftp url is correct. Your FTP account has access to the two folders (www/htdocs/) before the document root, as most hosting providers provide.
You are also correct to assume that http access is limited to the document root. (Meaning they cannot see www/htdocs/)

Resources