Jump to content

Protected files website


Recommended Posts

  • Replies 55
  • Created
  • Last Reply

Top Posters In This Topic

I got another idea to improve the security of the files for this website. Since a user could download any file if he knows its name. On logon, I could set a session variable of the group the user is from. Then have a folder for each group within the docs folder. That user can then only download a file from his folder.

Link to post
Share on other sites

What if they typed something like ../folder_they_shouldn't_be_seeing/whateverfile.doc? In PHP you can use basename() to take out ../folder names/ from the input so it would be whateverfile.doc and then where you check file exists, add the folder name they are allowed to look at.

<?php  $file=basename($_GET['file']); // ../some_other_folder/file.doc to file.doc  if (file_exists($_SESSION['group'].'/'.$file)) {	// use header and include  }?>

I also found out when playing around with my own code is if you use special characters like *, <, etc. it can grab files based on the filesystem you are using (Windows for me). You could probably make an array of files to choose from the code or have Coldfusion scan the folder for all of the doc files and check if it's in that array of files.

Link to post
Share on other sites

They can't type a direct url to the file since the file is stored on the server outside of the web folder. Only ColdFusion can get in there and get the file. I made a coldfusion page that will fetch the file. The user has no idea where the file is. There is only a querystring (?myFile=test.doc). The current problem with this is all the files are all in one folder so if a user from one group knows the name of a file from another group, he could access it with the querystring. I'll be adding the group folders so this won't be possible. I know how to do this part. Thanks anyway for the code.

Link to post
Share on other sites

Could a user go up one level if my path is hard coded except for the file name?This is the kinda path I have: /absolutepathtofolder/group/file.doc. This path is outside of the web folder. You mean that someone could change my querystring to ?myFile=../othergroup/file.doc and access another file? Is this valid then /absolutepathtofolder/group/../othergroup/file.doc since this is how it will be displayed. I could also simply not allow / in the querystring.

Link to post
Share on other sites

This should be easily resolved by creating two more tables, one to define groups and another as a lookup.If you user table is "user" and you group table is "group" and your lookup table is "user_x_group" then name your folders the same way you name your groups. When the user logs in and is authenticated, then all your file requests would run off a variable you could set based on their ID in the "user_x_group" table as it pertains the the assigned group.I would even take this one step farther - if its possible and have the documents they are requesting databased too. Your "document" table could then store the filename and then you could either move them in seperate folders or keep them all in one and then create a "group_x_document" table that assigns documents to single or multiple groups without having to have copies of file in different group folders. The link to the document would now have a UUID as the string and not the actual filename.Then, on the ColdFusion page that actually requests the file, you have to query the "document" table to get the real file, then you get the file's ID and look it up in the group table to see if this user is allowed to even have it.In the latter example, the user never has any idea of what group they are in (which doesn't matter if they do) but additionally they NEVER see the actual filename of the file since the URL string is a UUID and not the file name. If you are using the code we talked about earlier, then you can rename the file as it is prompted to download so that it's not even remotely the same as it's physical defined on the server.Make sense? Let me know if you need me to back up and re-imagine that [admittedly typed a little frantically]:)

Link to post
Share on other sites

I currently don't use any database. There are so little logins that I simply have them hard coded in the page. I'm not sure I want to create one.

Link to post
Share on other sites

I noticed that in IE6 (don't have IE7 at work) instead of prompting to download the doc filename, it prompts to download the name of the page that gets the doc (doc_fetcher, no extension) but I can still open this word doc with word manually. Any idea why?EDIT: my bad, typo in content-type for word files.

Link to post
Share on other sites

I had a meeting today on this application and it looks like they wanna complicate the app a little bit. Currently, I have this site setup without a DB but with the new updates I'll need to implement a database. This way I can easily manage user groups, documents and more from the DB. I'll also be creating an admin panel for users to add, del, edit docs and add, del, edit categories docs are in... Anyway so it looks like this will be another small challenge. Should be interesting.

Link to post
Share on other sites

Sounds fun. Let me know if you need any help on any issues you run into.You know, with MS SQL 2005 and CF8 you can actually store the binary information in the DB. Not a good idea if this is gonna get really huge or if the files are big, but it is a way to really make sure no one can see someone elses files since they are not even physically stored on the server.

Link to post
Share on other sites
Actually there should be lots of files, some 5-10mb and more.
ok, scratch that last idea then - would have been good fro what it looked like you were dealing with at first. Knowing that you are dealing with that many files, I wonder how they expected for it to be managed without a db.Anyway, good luck, should be a fun little project.
Link to post
Share on other sites
  • 2 weeks later...

If I were you, I would use the include, but have a cookie, with the username,country(to block or allow files),password, and a random number like day x hour x 57375(the users id number, like on here) x another number, so somebody would have to at least know one of the numbers to look at the file... does that make any sense?

Link to post
Share on other sites
  • 2 weeks later...

I've started to work on this project again. I have the database setup with no data at the moment. What is the best way to have a unique id that I would generate myself when inserting a new document with a coldfusion page? It should have letters (upper and lower case) and numbers, 10 characters should be enough. I'm thinking or an array with all the values I'd want in this id but it's perhaps not the best way of doing this.

Link to post
Share on other sites

ColdFusion has a GUID function that will create a unique identifier for you. If its not going to be used in a visual sense at all (like in the filename or folder name) then I'd go that route. Otherwise, I tend to incorporate a text file and autoincrement that and then prepend it with an abbreviation of the application and or suffix with a version . . . NW0005v3NW = news application00005 = number extracted from a text file with numberformat function used to make sure all four place holders usedv3= the version of the application I built

Link to post
Share on other sites

I wanna use Random numbers (6 digits) as a unique id for each document in the db. I don't want to have a number the same as one already entered. I'm just trying to figure out how I can reroll the number if there is a match. I know that I query for the ids and set the random number. Then in a loop I compare my random number to all ids and if there is a match it should reenter that loop but before that it should reroll. I'm not sure how to go about that. Any tips?

Link to post
Share on other sites

Taking a minute to throw something out there to start you off . . .

<cfset newID = randrange(100000,999999)><cfquery name="qryCheckID" datasource="#db#">	SELECT	ID	FROM		yourtable	WHERE	ID = newID</cfquery><cfif qryCheckID.recordcount EQ 0>(use this id)<cfelse>(refresh the page, include query string or post back using hidden form)</cfif>

Does this help?

Link to post
Share on other sites

It's when it comes to this:<cfelse>(refresh the page, include query string or post back using hidden form)</cfif>How can I reroll without refreshing the page? cfloop?

Link to post
Share on other sites

Well,I guess you could nest that in a cfloop like this:

<cfset newID = randrange(100000,999999)><cfloop from="1" to "999999999999999999999999" index="x"><cfquery name="qryCheckID" datasource="#db#">	SELECT	ID	FROM		yourtable	WHERE	ID = newID</cfquery><cfif qryCheckID.recordcount EQ 0>(use this id)<cfbreak><cfelse><cfset newID = randrange(100000,999999)></cfif></cfloop>

Here you loop from one to some ridiculously large number. each time a new random number will be created and checked. As soon as there is no match, the loop is broken/exited.I think this will work.

Link to post
Share on other sites

I got another one for you lol... My documents are stored in the db and there's different categories for each document, some are in the same category. So here's what I got:Category 1doc 1Category 2doc 2Category 2doc 3I'd like to have: Category 1doc 1Category 2doc 2doc 3I tried using the GROUP BY clause but doc 3 disappeared. I tried also the group in the cfoutput tag but it's the same thing. I checked another document that has a comparable output but it uses a flag to know if it should output the category text. Is that the best way to do this? Isn't there a way with the query to do this?

<cfquery name="qryGetDocs" datasource="#dbname#" username="#dbuser#" password="#dbpw#">SELECT d.doc_id, d.doc_name, d.doc_description, c.cat_nameFROM Documents d, Categories cWHERE d.cat_id = c.cat_idGROUP BY d.cat_id</cfquery><cfoutput query="qryGetDocs" ><h3 class="menuheader expandable">#qryGetDocs.cat_name#</h3><p>#qryGetDocs.doc_name#</p></cfoutput>

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...