views:

144

answers:

6

Hello, I have a folder named upload which is filled with folders of users uploaded files.

Is there any way I can stop people from directly downloading my users files by simply typing the folder names and file name into the address bar?

Example: user Jim's folder is stored at HOST/uploads/jim

user Jim's important file "myimportantfile.txt" is stored at HOST/uploads/jim/myimportantfile.txt

Now, if just anyone types into the address bar: www.HOST.com/uploads/jim/myimportantfile.txt , they will be able to view Jim's important file.

How can I stop this from happening?

Can I write certain attributes when making the directories?

+4  A: 

You don't want to have those files in a web-accessible folder. Move them out of the webroot.

Once you do this, you can have a file like download.php to which you pass a file ID and it can then validate it is in fact Jim asking for his files and only then fetch the file and output it to the browser as an attachment. This is the safest/best way for security.

Paolo Bergantino
And of course, verify if the user has access to the file corresponding to the file ID, otherwise users would still be able to retrieve files. Instead of file and directory names, they will now use file IDs.
Vineet Reynolds
I would imagine that goes without saying, but I guess you can never be too sure. Updated :)
Paolo Bergantino
Yep, went without saying, but a newbie might not figure that out so easily :)
Vineet Reynolds
A: 

Sure, you can use basic file/directory permissions in Linux. You can also set the entire tree to be denied by apache.

What platform / webserver software are you running?

Okay, linux:

If the owner of the directory is 'joe', and the group is 'apache', then:

 chmod 750 joe

This would give the directory 'joe' permissions which allow the owner (joe) full access, the group (apache) write access (and the ability to enter the directory), and nothing else.

Is this an FTP drop-box?

What are the ownerships/groups like now?

jedihawk
Oops I duplicated... if you put the the mode I will delete.
ojblass
I am using Apache, how do I do it?
Xampp (winxp), Apache - that is.
Please add that info to the question.
ojblass
+1  A: 

I belive file permissions of a directory +w-r+x will alow directory writes but not reads. In geeky unix terms this is %chmod 733 dirname. The directory ownership would have to be set properly using chown and chgroup. This applies to a unix environment.

ojblass
733 actually, becouse you can't write anything in directory, unless you have the permission to enter it (eXecute bit)
vartec
A: 

You could use an .htaccess file to require a username and password to be entered making each folder a protected folder.

But I think the best way to do it would be to move the uploads folder outside of the webroot so that it's not directly accessible, and then create a script (PHP, ASP, etc) that serves up the requested file after authenticating the user.

Chris Thompson
A: 

The simplest solution is to just add an index.htm file to the folder.

Any visitors will then see this page rather than the index of files.

The page can be blank, or even better, redirect to the domain home page with a redirect.

Jon Winstanley