× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

Secure or manage access to images
#1
The standard code snippet
Code:
if(!hasPerm([3],$user->data()->id)){...}
can secure PHP pages but leaves open access to images, PDF files, text, etc. on the web server.

I have been looking at ways to restrict those files to logged-in users, and this is what I got. It may be useful for others and can be improved by the forum.

Let's assume all images are in folder "figures"

On the parent folder create a .htaccess file with these instructions (make sure mod_rewrite is enabled):

<pre>
Code:
RewriteEngine on
RewriteRule ^(figures)/(.*)$ imageout.php?img=$1/$2
</pre>

In this way, when a file from the folder "figures" is requested, the folder and filename are passed to the script imageout.php.

This script checks whether the user is logged in and sends the image. It also prevents user input for files outside the designated folder. Imagine a user requests https://mydomain.com/figures/../../../.....s/OMG.jpeg: not a good idea to let that happen (or to put the images there in the first place).

This can be prevented by code like:

<pre>
Code:
$fileOut =  basename($img);
//Prevent user input for files outside the designated folder
$fileOut = getcwd().'/figures/'.$fileOut;
</pre>


The file imageout.php serving the graphic files would be:

<pre>
Code:
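<?php
// check whether user has permissions
require_once '../users/init.php';
// [x] is a placeholder: put the permission level id(s) allowed to see the files here
if(!hasPerm([x],$user->data()->id)){
   header('Location: http://www.domain.com/');
   die();
}

if(!empty( $_GET['img'])){
    $img = $_GET['img'];
} else { exit('Image not supplied');}

// basename() keeps only the file name, dropping "figures/" and any "../" parts
$fileOut =  basename($img);
//Prevent user input for files outside the designated folder
$fileOut = getcwd().'/figures/'.$fileOut;

// is_file() also rejects directories, which file_exists() would accept
if (is_file($fileOut)) {
// from https://stackoverflow.com/questions/900207/return-a-php-page-as-an-image#26811487
    //Set the content-type header as appropriate
    // getimagesize() returns false for non-image files, so check before indexing
    $imageInfo = getimagesize($fileOut);
    $imageType = ($imageInfo === false) ? null : $imageInfo[2];
    switch ($imageType) {
        case IMAGETYPE_JPEG:
            header("Content-Type: image/jpeg");
            break;
        case IMAGETYPE_GIF:
            header("Content-Type: image/gif");
            break;
        case IMAGETYPE_PNG:
            header("Content-Type: image/png");
            break;
        default:
            break;
    }

    // Set the content-length header
    header('Content-Length: ' . filesize($fileOut));

    // Write the image bytes to the client
    readfile($fileOut);
} else {
    // Unknown file: answer 404 instead of an empty 200 response
    http_response_code(404);
    exit('Image not found');
}
?>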
</pre>

There is no noticeable decrease in speed for a few hundred files.


  Reply
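An added example, not part of the original post or of UserSpice: the post's `basename()` check keeps only the file name, so files in sub-folders of "figures" cannot be served. The sketch below goes one step further and does the containment check with `realpath()`, which allows sub-folders while still rejecting anything that resolves outside the folder. `resolveInFolder()` is a hypothetical helper, the sample tree is constructed, and the request value is assumed to be relative to the "figures" folder (the leading "figures/" already stripped).

```php
<?php
// Added example; resolveInFolder() is a hypothetical helper, not UserSpice code.

/**
 * Return the canonical path of $requested if it is a regular file inside
 * $baseDir, or null otherwise. Unlike basename(), sub-folders are allowed.
 */
function resolveInFolder(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // PHP 8 filesystem functions throw on NUL bytes, so reject them up front
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if nothing is there
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The trailing separator stops "/figures-private" from matching "/figures"
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample tree in a temporary directory
$root = sys_get_temp_dir() . '/imgdemo_' . bin2hex(random_bytes(4));
mkdir("$root/figures/2018", 0700, true);
mkdir("$root/figures-private", 0700, true);
file_put_contents("$root/figures/logo.png", 'x');
file_put_contents("$root/figures/2018/plot.png", 'x');
file_put_contents("$root/figures-private/secret.png", 'x');
file_put_contents("$root/config.php", 'x');

// Constructed request values, as imageout.php would receive them
$requests = [
    'logo.png',
    '2018/plot.png',
    '../config.php',
    '2018/../../config.php',
    '../figures-private/secret.png',
    'missing.png',
    '2018',
];
foreach ($requests as $r) {
    $path = resolveInFolder("$root/figures", $r);
    printf("%-32s %s\n", $r, $path === null ? 'rejected' : 'served');
}
```

Only the first two requests resolve to files inside the folder; the traversal attempts, the sibling folder with a matching name prefix, the missing file and the bare directory all come back as null.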


Messages In This Thread
Secure or manage access to images - by jc - 06-04-2018, 08:08 AM
