bugs unauthorized users access pdf files knowing the link

Please report bugs and any annoyances here. Kindly include all possible details: steps to reproduce, expected result, actual result, screenshots, ... etc.
onoehring
AppGini Super Hero
Posts: 1231
Joined: 2019-05-21 22:42
Location: Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by onoehring » 2022-05-06 10:06

Hi facos,

I just saw your posting by accident.
As this thread actually holds more than one solution, maybe you could pinpoint exactly which solution you are using, and thus which one is no longer working for you.
The last solution uses standard AG libraries and the login check. If the script IS broken, I suppose it should be quite easy to fix, as the rest is very simple and does not rely on AG but on Apache and basic htaccess.

Olaf

facos79
Veteran Member
Posts: 119
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2022-05-07 14:05

Hello,
the solution that no longer works is the following:

```apache
RewriteEngine on
RewriteRule .* protect.php
```

```php
<?php

define('PREPEND_PATH', '../');
$hooks_dir = dirname(__FILE__);
include("$hooks_dir/../defaultLang.php");
include("$hooks_dir/../language.php");
include("$hooks_dir/../lib.php");

/* grant access to the groups 'Admins' and 'Other' */
$mi = getMemberInfo();
// getMemberInfo() returns no 'group' for anonymous visitors; default to '' so PHP 8 does not warn
if (!in_array($mi['group'] ?? '', ['Admins', 'Other'])) {
	header("location: /");
	exit;
} else {
	// The user passed the group check: take the last segment of the request URI as the file name and serve it.
	$path = $_SERVER['REQUEST_URI'];
	$paths = explode('/', $path);
	$lastIndex = count($paths) - 1;
	$fileName = $paths[$lastIndex];
	header('Content-type: application/pdf');
	header("Content-Disposition: inline; filename=$fileName");
	readfile($fileName);
}
```
I think that, nowadays, AppGini should protect, without additional code, all the folders where photos and documents are saved. This function is essential for the apps created to be safe. Unfortunately, those who do not know how to program rely on software such as AppGini to be able to realize what would otherwise be impossible to achieve. The safety of the finished product is essential. In this case the folder containing the uploads can be accessed by anyone knowing the download link. It should be blocked from unwanted access and above all from access by users who are not logged in.
I find AppGini to be great software and I hope a security solution will be integrated in the future.

onoehring
AppGini Super Hero
Posts: 1231
Joined: 2019-05-21 22:42
Location: Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by onoehring » 2022-05-08 09:00

Hi,

maybe your provider changed something (Apache version). Try the other .htaccess which I have shown here (this thread): viewtopic.php?f=11&t=2856#p15242
Maybe this does the trick already.

Also it might help to see what happens internally, i.e. why the permission check fails. You should try to enable PHP error reporting. Just google how to do it (example: https://phoenixnap.com/kb/php-error-reporting ). Afterwards access a file in the "protected" folder and see if any errors occur.

Olaf

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: bugs unauthorized users access pdf files knowing the link

Post by AhmedBR » 2022-07-31 12:31

PHP 7.4 works; everything seems to work very well with 7.4.
Seems I am stuck with 7.4 for a while; protecting files is essential.

PHP 8.1.4 does not work; 8.0+ is giving me headaches!
AppGini 22.14 - xampp 3.3.0 - PHP 7.4.30 - Summary reports - Calendar - Mass update - Messages - AppGiniHelper

SkayyHH
Veteran Member
Posts: 481
Joined: 2015-04-27 21:18

Re: bugs unauthorized users access pdf files knowing the link

Post by SkayyHH » 2023-02-04 00:25

Hi,

it doesn't work for me anymore with a newer PHP version either.

Does anyone have another solution to protect the directory with the documents?

Thank you very much,

Kai

facos79
Veteran Member
Posts: 119
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2024-05-01 14:31

Hi,
unfortunately I have a problem:
the code works correctly and blocks the opening of images or documents if the user is not logged in.
But I can't view the images when I click on them to enlarge them (see attached photo).
I use the latest version of AppGini, 24.12 revision 1612, and PHP version 8.3.3.

How can I solve the problem?
The documents, however, since they do not have a preview, are downloaded regularly.

Thanks for your help

onoehring wrote:
2020-06-22 06:08
Hi Zala,

I do not understand. In my post above ( viewtopic.php?p=13800#p11378 ) the script checks the file type and arranges the header for download as needed.
Besides, the original ( posting.php?mode=reply&f=11&t=2856#pr9355 ) should work for all file types anyway - just giving a wrong header, which, I believe, the browser will correct (and allow access to the file if the user is logged in).
You may try to remove the two header lines

```php
header('Content-type: application/pdf');
header("Content-Disposition: inline; filename=$fileName");
```
which should download an unspecified file type.

Or ... try a combination of both:
protect.php (not tested):

```php
<?php
// initial source: https://forums.appgini.com/phpbb/viewtopic.php?t=2856#p9355
// version: 2019-10-29 15:00:00 (adjusted for admin group 2020-06-22)
// Olaf Noehring, https://datenbank-projekt.de

define('PREPEND_PATH', '../');
$hooks_dir = dirname(__FILE__);
include("$hooks_dir/../defaultLang.php");
include("$hooks_dir/../language.php");
include("$hooks_dir/../lib.php");

/* grant access to the groups 'Admins' and 'Other' */
$mi = getMemberInfo();
// getMemberInfo() returns no 'group' for anonymous visitors; default to '' so PHP 8 does not warn
if (!in_array($mi['group'] ?? '', ['Admins', 'Other'])) {
    header("location: /");
    exit;
} else {
    // take the last segment of the request URI as the file name
    $path = $_SERVER['REQUEST_URI'];
    $paths = explode('/', $path);
    $lastIndex = count($paths) - 1;
    $fileName = $paths[$lastIndex];
    $extension = strtolower(substr(strrchr($path, "."), 1));

    // the file lives next to this script
    $fname = __DIR__ . "/" . $fileName;

    // send a Content-Type that matches the extension; unknown types fall back to PDF
    switch ($extension) {
        case "pdf":
            header('Content-type: application/pdf');
            break;

        case "jpg":
        case "jpeg":
            header('Content-Type: image/jpeg');
            break;

        case "png":
            header('Content-Type: image/png');
            break;

        default:
            header('Content-type: application/pdf');
    }

    header('Last-Modified: ' . gmdate('D, d M Y H:i:s', filemtime($fname)) . ' GMT', true, 200);
    header('Content-Length: ' . filesize($fname));
    header("Content-Disposition: attachment; filename=\"" . $fileName . "\"");
    readfile($fname);
}
?>
```
Olaf
Attachment: Screenshot 2024-05-01 162354.png
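A hardened variant of the protect.php pattern from this thread (facos79's original script and the combined version quoted above), written as an added example that is not code from the thread or from AppGini: it keeps the same .htaccess rewrite and AppGini's getMemberInfo() login check, but derives the file name from the URL path only, confines it to the upload folder with realpath(), refuses to serve the script's own source, and picks the MIME type from a table so images can stay inline for the enlarge preview. The group names and the 403/404 responses (instead of the redirect to "/") are assumptions to adjust.

```php
<?php
// Added example, not code from this thread or from AppGini: hardened protect.php for the
// ".htaccess RewriteRule .* protect.php" pattern. Assumptions: this file sits in the upload
// folder next to the uploaded files, AppGini's lib.php provides getMemberInfo() (an empty
// array when nobody is logged in), and the group names below match your application.
define('PREPEND_PATH', '../');
$hooks_dir = __DIR__;
include("$hooks_dir/../defaultLang.php");
include("$hooks_dir/../language.php");
include("$hooks_dir/../lib.php");
$allowedGroups = ['Admins', 'Other'];
// Read the group defensively: PHP 8 warns on undefined array keys, and anonymous
// visitors have no 'group' at all, so they end up in the 403 branch.
$mi = getMemberInfo();
$group = (is_array($mi) && isset($mi['group'])) ? (string) $mi['group'] : '';
if ($group === '' || !in_array($group, $allowedGroups, true)) {
    http_response_code(403);
    exit('Access denied');
}
// Derive the file name from the URL path only: drop any query string, decode
// percent-encoding, and keep just the last path segment (no directories).
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$fileName = basename(rawurldecode((string) $path));
// Confirm the resolved path is a regular file directly inside this folder, so neither
// traversal nor a symlink can reach outside it, and never serve this script's own source.
$fname = realpath(__DIR__ . '/' . $fileName);
if ($fname === false || !is_file($fname) || dirname($fname) !== realpath(__DIR__)
    || $fileName === basename(__FILE__)) {
    http_response_code(404);
    exit('Not found');
}
// Map the extension to a MIME type; unknown types go out as an opaque download.
$mimeTypes = ['pdf' => 'application/pdf', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
              'png' => 'image/png', 'gif' => 'image/gif'];
$ext = strtolower(pathinfo($fname, PATHINFO_EXTENSION));
$mime = $mimeTypes[$ext] ?? 'application/octet-stream';
// Images are shown inline so the enlarge/zoom preview keeps working; everything else downloads.
$disposition = (strpos($mime, 'image/') === 0) ? 'inline' : 'attachment';
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($fname));
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', filemtime($fname)) . ' GMT');
// Keep only printable ASCII (and no quotes) in the download name so it cannot break the header.
$safeName = preg_replace('/[^\x20-\x7E]|"/', '', $fileName);
header('Content-Disposition: ' . $disposition . '; filename="' . $safeName . '"');
readfile($fname);
```

With the rewrite rule in place, a request for /images/report.pdf reaches this script, which serves the file only to a logged-in member of an allowed group; a request for /images/protect.php or for any name outside the folder gets a 404.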

onoehring
AppGini Super Hero
Posts: 1231
Joined: 2019-05-21 22:42
Location: Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by onoehring » 2024-05-01 14:45

Hi,

are you working on localhost? I think I remember that there could be a problem on localhost which does not exist on a "real" server.

Olaf

facos79
Veteran Member
Posts: 119
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2024-05-01 14:58

no, I'm on a hosting server.
If I delete the code from .htaccess and protect.php the image opens normally.

onoehring
AppGini Super Hero
Posts: 1231
Joined: 2019-05-21 22:42
Location: Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by onoehring » 2024-05-02 06:30

Hi,

currently I am having a similar problem with the zoom of images (see viewtopic.php?f=2&t=5364 ). I believe yours and mine could be connected somehow. I will let you know if I find the problem ... which I really need to solve.

Olaf

jsetzer
AppGini Super Hero
Posts: 1944
Joined: 2018-07-06 06:03
Location: Kiel, Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by jsetzer » 2024-05-02 06:53

facos79 wrote:
2022-05-07 14:05
I think that, nowadays, AppGini should protect, without additional code, all the folders where photos and documents are saved.
I absolutely agree!

Protection of uploaded files, uploaded via the built-in upload feature into the default
/images folder (or the configured upload dir), should be built in, in my opinion.

Just a suggestion:
Did you send a feature request to BigProf yet, proposing a working solution?

From my experience Ahmed is open to bullet-proof code suggested by community members, if this code does not break compatibility.
Kind regards,
<js />

My AppGini Blog:
https://appgini.bizzworxx.de/blog

You can help us helping you:
Please always put code fragments inside [code]...[/code] blocks for better readability

AppGini 25.10 + all AppGini Helper tools


jsetzer
AppGini Super Hero
Posts: 1944
Joined: 2018-07-06 06:03
Location: Kiel, Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by jsetzer » 2024-05-02 10:57

Just wondering: did one of you send tested code to BigProf as a feature request for a future version, or is it just an article for our community? I doubt (and I'm glad) BigProf will integrate everything posted here.

It's just my personal experience that Ahmed is willing to integrate our contributions if we give him well-tested code which neither breaks backward compatibility nor has a negative impact on existing installations.
Kind regards,
<js />

onoehring
AppGini Super Hero
Posts: 1231
Joined: 2019-05-21 22:42
Location: Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by onoehring » 2024-05-30 17:41

Hi,

I think I solved the problem facos79 described.

Please download the latest version here: https://url.olaf-noehring.de/agprotectuploadfolder (currently v2024-05-30)

Feedback appreciated. (I know, code may be ugly ... but if it works ... ;-) )

Olaf

facos79
Veteran Member
Posts: 119
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2024-06-01 09:48

Thank you!! This seems like a really good solution.
I'll try to apply it in the next few days and let you know.
Thanks again.
See you soon
