RE: [PHP] Block direct image loads but allow them in PHP

2003-02-19 Thread Rich Gray
[snip]
 
 if(isset($i))
 {
     // $i comes straight from the query string (register_globals)
     // codeImageURL decodes $i into an image path that we can work with
     $link = codeImageURL($i);
     if($link != "" && (isAdmin() || !isThisFileBlocked($link)))
     {
         header("Cache-control: private");
         header("Content-type: image/jpg");
         // "attachment" asks the browser to download the file instead of rendering it inline
         header("Content-Disposition: attachment; filename=" . $link);
         $fp = fopen($link, 'r');
         fpassthru($fp);
         fclose($fp);
     }
     else
         echo "Error: Couldn't decode image URL<br>\n";
 }
Michael
Have you tried header('Content-type: image/jpeg') ?
Note the 'e'...
Rich


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Block direct image loads but allow them in PHP

2003-02-18 Thread Michael Mulligan
So I implemented this the other day and got excited as it worked...sort of.
My code is very similar to the link that you suggested. This is the script
that I would call from within an <img src="...imagePiper.php?i=blahblah">:

if(isset($i))
{
    // $i comes straight from the query string (register_globals)
    // codeImageURL decodes $i into an image path that we can work with
    $link = codeImageURL($i);
    if($link != "" && (isAdmin() || !isThisFileBlocked($link)))
    {
        header("Cache-control: private");
        header("Content-type: image/jpg");
        // "attachment" asks the browser to download the file instead of rendering it inline
        header("Content-Disposition: attachment; filename=" . $link);
        $fp = fopen($link, 'r');
        fpassthru($fp);
        fclose($fp);
    }
    else
        echo "Error: Couldn't decode image URL<br>\n";
}

This code seems to work in *some* browsers, but not all. That is, in some
browsers, images will display just fine. In other browsers (i.e. Some
flavors of IE on the PC) I just get red x's. I cannot identify any
particular commonality among them and I was wondering if you have any
suggestions to make this work?

Thanks in advance!


On 02/15/03 8:44 PM, Justin French [EMAIL PROTECTED] wrote:

 Using Apache's main config file (or at a per-directory level using a
 .htaccess file), you need to block all .jpg, .jpeg, .gif, .png, .bmp, etc
 etc files from being *directly* served via http.
 
 I'm not too good with Apache yet, but an example would be:
 
 <Files ~ "\.jpg$">
   Order Allow,Deny
 ...
 
 Then you need to create a script called image.php which:
 
 a) accepts file=.xxx in the URL ($_GET)
 b) sets the appropriate image header
 c) passes the image file through
 
 Instead of you calling
 <img src='imageDir/picture.jpg' />
 
 You would call
 <img src='image.php?file=imageDir/picture.jpg' />


-m^2

__
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
spread!
__ 







Re: [PHP] Block direct image loads but allow them in PHP

2003-02-16 Thread Michael Mulligan
Thank you, this looks like the kind of thing I'm looking for. I'll have to
give this a shot and see how it goes. :-)

On 02/15/03 8:44 PM, Justin French [EMAIL PROTECTED] wrote:

 Using Apache's main config file (or at a per-directory level using a
 .htaccess file), you need to block all .jpg, .jpeg, .gif, .png, .bmp, etc
 etc files from being *directly* served via http.
 
 I'm not too good with Apache yet, but an example would be:
 
 <Files ~ "\.jpg$">
   Order Allow,Deny
   Deny from all
 </Files>
 <Files ~ "\.gif$">
   Order Allow,Deny
   Deny from all
 </Files>
 <Files ~ "\.jpeg$">
   Order Allow,Deny
   Deny from all
 </Files>
 <Files ~ "\.bmp$">
   Order Allow,Deny
   Deny from all
 </Files>
 
 (you might also choose to block everything in imageDir/, which would also
 include the xml file)
 
 
 
 Then you need to create a script called image.php which:
 
 a) accepts file=.xxx in the URL ($_GET)
 b) sets the appropriate image header
 c) passes the image file through
 
 Instead of you calling
 <img src='imageDir/picture.jpg' />
 
 You would call
 <img src='image.php?file=imageDir/picture.jpg' />
 
 
 You also need to ensure that users can't directly call image.php?file=
 picture.jpg in the browser, which can also be done with apache / .htaccess
 files.
 
 
 <Files ~ "image\.php$">
   Order Allow,Deny
   Deny from all
 </Files>
 
 
 
 There's plenty of examples of passing images through in the manual... in
 particular one of the user-contributed notes by lists at darkcore dot net
 08-Aug-2002 03:24 at http://php.net/header looks about right.
 
 
 Justin
 
 
 on 16/02/03 3:24 AM, Michael Mulligan ([EMAIL PROTECTED]) wrote:
 
 Perhaps you could further describe such a method? I'm sorry, I just don't
 quite see how this will block the files. Perhaps I should further explain my
 situation.
 
 The script that I will distribute will always make use of a very particular
 directory structure. In imageDir, there will always be a specifically
 named XML file that points to a bunch of images in the directory. However,
 given security checks that I put in my script, not all of those images
 should be publicly viewable. However, if a savvy user were to just load this
 XML doc up in their web browser, they will have a complete listing of URLs
 to all of my images. I cannot modify this XML file.  (which is why I want to
 block a user from loading, say myserver.com/imageDir/picture.jpg)
 
 Will your proposed idea still work in this situation?
 
 Thanks for your help and patience in this matter. :-)
 
 On 02/15/03 11:09 AM, Marco Tabini [EMAIL PROTECTED] wrote:
 Only if you let them. The PHP script allows to put the appropriate
 checks in place. For example, if you use sessions, you can verify that
 the session is still valid and that the user has, indeed, the right to
 access that image. At a later time, even if another user types in the
 same URL but does not have a valid session (or a variable inside the
 session that contains the right data), you would be able to block him
 from reading the image.
 
 Cheers,
 
 
 Marco
 
 
 -m^2
 
 
 
 


-m^2








Re: [PHP] Block direct image loads but allow them in PHP

2003-02-15 Thread Marco Tabini
On Sat, 2003-02-15 at 11:00, Michael Mulligan wrote:
 Hi
 
 I have a bit of a problem which might just be due to my lack of knowledge
 with Apache. Basically, what I want to do is to *not* allow users to enter
 particular URLs in their browser (namely to *.jpg and *.xml files under a
 particular directory, let's call it imagesDir). However, I can't simply
 Deny all or stick a .htaccess in the folder because I *do* want these images
 to load from within a particular PHP file I have coded.

I guess the easiest would be to filter those images through a php
script. Your PHP script would perform whatever checks are needed (for
example, you could check the HTTP_REFERER variable, or a shared token
with the originating PHP script) and then output the image only if it's
appropriate to do so. This way, your images would not be accessible to
your users at all--unless you wanted them to be.

Cheers,


Marco


-- 

php|architect - The Monthly Magazine for PHP Professionals
Come check us out on the web at http://www.phparch.com!






Re: [PHP] Block direct image loads but allow them in PHP

2003-02-15 Thread Michael Mulligan
If the user knew the actual URL of the image though, wouldn't they be able
to get around a script like this by simply typing it into their web browser?

Thanks! :-)

 On 02/15/03 10:55 AM, Marco Tabini [EMAIL PROTECTED] wrote:
 I guess the easiest would be to filter those images through a php
 script. Your PHP script would perform whatever checks are needed (for
 example, you could check the HTTP_REFERER variable, or a shared token
 with the originating PHP script) and then output the image only if it's
 appropriate to do so. This way, your images would not be accessible to
 your users at all--unless you wanted them to be.


-m^2








Re: [PHP] Block direct image loads but allow them in PHP

2003-02-15 Thread Marco Tabini
On Sat, 2003-02-15 at 11:13, Michael Mulligan wrote:
 If the user knew the actual URL of the image though, wouldn't they be able
 to get around a script like this by simply typing it into their web browser?
 
 Thanks! :-)

Only if you let them. The PHP script allows to put the appropriate
checks in place. For example, if you use sessions, you can verify that
the session is still valid and that the user has, indeed, the right to
access that image. At a later time, even if another user types in the
same URL but does not have a valid session (or a variable inside the
session that contains the right data), you would be able to block him
from reading the image.

Cheers,


Marco







Re: [PHP] Block direct image loads but allow them in PHP

2003-02-15 Thread Michael Mulligan
Perhaps you could further describe such a method? I'm sorry, I just don't
quite see how this will block the files. Perhaps I should further explain my
situation.

The script that I will distribute will always make use of a very particular
directory structure. In imageDir, there will always be a specifically
named XML file that points to a bunch of images in the directory. However,
given security checks that I put in my script, not all of those images
should be publicly viewable. However, if a savvy user were to just load this
XML doc up in their web browser, they will have a complete listing of URLs
to all of my images. I cannot modify this XML file.  (which is why I want to
block a user from loading, say myserver.com/imageDir/picture.jpg)

Will your proposed idea still work in this situation?

Thanks for your help and patience in this matter. :-)

On 02/15/03 11:09 AM, Marco Tabini [EMAIL PROTECTED] wrote:
 Only if you let them. The PHP script allows to put the appropriate
 checks in place. For example, if you use sessions, you can verify that
 the session is still valid and that the user has, indeed, the right to
 access that image. At a later time, even if another user types in the
 same URL but does not have a valid session (or a variable inside the
 session that contains the right data), you would be able to block him
 from reading the image.
 
 Cheers,
 
 
 Marco


-m^2








Re: [PHP] Block direct image loads but allow them in PHP

2003-02-15 Thread Marco Tabini
On Sat, 2003-02-15 at 11:24, Michael Mulligan wrote:
 The script that I will distribute will always make use of a very particular
 directory structure. In imageDir, there will always be a specifically
 named XML file that points to a bunch of images in the directory. However,
 given security checks that I put in my script, not all of those images
 should be publicly viewable. However, if a savvy user were to just load this
 XML doc up in their web browser, they will have a complete listing of URLs
 to all of my images. I cannot modify this XML file.  (which is why I want to
 block a user from loading, say myserver.com/imageDir/picture.jpg)
 
 Will your proposed idea still work in this situation?

Yes--but you need to make the image inaccessible to the outside (simply
put them in a folder that can't be seen from the web).

Here's an example. Suppose you have a script called page.php that needs
an image called img.jpg. Instead of calling img.jpg, you call another
script, serveimage.php as follows:

<img src="serveimage.php?img=img.jpg">

Now, in serveimage.php you do this:

<?php

$img = $_GET['img'];

// First, check that the user is not trying to trick us
// into revealing a file that we shouldn't reveal.
// Note: this is a *very* simplistic approach--you will probably
// want to add your own

if (strpos($img, '/') !== false)
    die('Invalid file name');

// Now, check if the user has permission to this file. You don't
// explain how you do this, so I'll leave this to an external
// function called check_permission ($file) that returns true if the
// user is able to see that file and false otherwise

if (check_permission($img))
{
    // Tell the browser this is an image
    // Note, you will probably have to change this depending
    // on the file type

    header('Content-type: image/jpeg');
    readfile($img);
}
else
    die('Unauthorized access');

?>

Essentially, what I'm doing is I'm replacing a file with a script that
first checks the permissions and then, if the user is authorized,
outputs the file to the browser. This way, if the user is not authorized
to download a file, it will be blocked. Obviously, the files themselves
should be inaccessible to the web *except* through your scripts.

Hope it's a bit clearer now!

Cheers,


Marco

-- 

Marco Tabini
President

Marco Tabini  Associates, Inc.
28 Bombay Ave.
Toronto, ON M3H 1B7
Canada

Phone: (416) 630-6202
Fax: (416) 630-5057
Weblog: http://blogs.phparch.com
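The pass-through script Marco sketches above, carried through as an added example (this is not code posted by Marco, Michael or Justin). It assumes, and these are assumptions not stated in the thread, that the images sit in imageDir/ next to the script (inside the web root, as on Michael's Mac OS X setup), that the login code has already stored the names the user may see in $_SESSION['can_view'], and that direct HTTP access to imageDir/ is refused in the Apache configuration so this script is the only route to a file. The name check is stricter than the single '/' test: only a bare file name with a known image extension is accepted, and the resolved path is confirmed to lie directly under imageDir/, which also handles "..", backslashes and symlinks. The permission check keys on the session rather than on the Referer header, because the Referer is supplied by the client.

```php
<?php
// serve_image.php: added example for this thread, not code from the original posts.
// Assumptions (not in the thread): images in __DIR__ . '/imageDir', the caller's
// login code fills $_SESSION['can_view'] with permitted file names, and Apache
// denies direct requests to imageDir/ so this script is the only way in.
declare(strict_types=1);

const IMAGE_DIR = __DIR__ . '/imageDir';   // assumed location

// Extension -> MIME type. Anything not listed (the .xml index, .php, ...) is
// never served, whatever the permission check says.
const IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

/**
 * Resolve a user-supplied name to a file inside IMAGE_DIR, or return null.
 * Accepts a bare file name only, then checks that the canonicalised path is
 * still directly under IMAGE_DIR: that catches "..", symlinks pointing out of
 * the directory and anything else realpath() rewrites.
 */
function resolve_image(string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false || $name !== basename($name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, IMAGE_TYPES)) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (dirname($path) !== $base) {   // containment check
        return null;
    }
    return $path;
}

/** Authorisation hook; the $_SESSION['can_view'] layout is an assumption of this example. */
function user_may_view(string $name): bool
{
    return isset($_SESSION['can_view'])
        && is_array($_SESSION['can_view'])
        && in_array($name, $_SESSION['can_view'], true);
}

function serve_image(string $name): void
{
    $path = resolve_image($name);
    if ($path === null || !user_may_view($name)) {
        // One answer for "no such file" and "not yours", so probing the script
        // with names taken from the XML index does not reveal which files exist.
        http_response_code(404);
        exit('Not found');
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . IMAGE_TYPES[$ext]);
    header('Content-Length: ' . filesize($path));
    // The response is per-user: keep shared caches from handing it to someone else.
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

session_start();
$requested = $_GET['img'] ?? '';
serve_image(is_string($requested) ? $requested : '');
```

Usage is the same as in Marco's post: the page emits `<img src="serve_image.php?img=picture.jpg">`, and the login page that starts the session decides which names go into $_SESSION['can_view']. The Content-Type is derived from the validated extension rather than hard-coded, and no Content-Disposition: attachment header is sent, so the browser renders the image inline.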






Re: [PHP] Block direct image loads but allow them in PHP

2003-02-15 Thread Michael Mulligan
I hadn't considered that before. Thank you. :-)

The reason why though is that Mac OS X comes with permissions set by default
so that Apache can't wander outside of the publicly accessible folder
(~/Sites/). The script that I have written is something that I intend to
distribute to other Mac users and I would rather not reduce the security
that they already have preset on their machines as part of installing my
script as I think that would deter people from adopting it. Do you have any
other suggestions? :-/


On 02/15/03 11:50 AM, Marco Tabini [EMAIL PROTECTED] wrote:
 
 Yes--but you need to make the image inaccessible to the outside (simply
 put them in a folder that can't be seen from the web).
 
 Here's an example. Suppose you have a script called page.php that needs
 an image called img.jpg. Instead of calling img.jpg, you call another
 script, serveimage.php as follows:
 
 <img src="serveimage.php?img=img.jpg">
 
 Now, in serveimage.php you do this:
 
 <?php
 
 $img = $_GET['img'];
 
 // First, check that the user is not trying to trick us
 // into revealing a file that we shouldn't reveal.
 // Note: this is a *very* simplistic approach--you will probably
 // want to add your own
 
 if (strpos($img, '/') !== false)
     die('Invalid file name');
 
 // Now, check if the user has permission to this file. You don't
 // explain how you do this, so I'll leave this to an external
 // function called check_permission ($file) that returns true if the
 // user is able to see that file and false otherwise
 
 if (check_permission($img))
 {
     // Tell the browser this is an image
     // Note, you will probably have to change this depending
     // on the file type
 
     header('Content-type: image/jpeg');
     readfile($img);
 }
 else
     die('Unauthorized access');
 
 ?>
 
 Essentially, what I'm doing is I'm replacing a file with a script that
 first checks the permissions and then, if the user is authorized,
 outputs the file to the browser. This way, if the user is not authorized
 to download a file, it will be blocked. Obviously, the files themselves
 should be inaccessible to the web *except* through your scripts.
 
 Hope it's a bit clearer now!
 
 Cheers,
 
 
 Marco


-m^2








Re: [PHP] Block direct image loads but allow them in PHP

2003-02-15 Thread Justin French
Using Apache's main config file (or at a per-directory level using a
.htaccess file), you need to block all .jpg, .jpeg, .gif, .png, .bmp, etc
etc files from being *directly* served via http.

I'm not too good with Apache yet, but an example would be:

<Files ~ "\.jpg$">
    Order Allow,Deny
    Deny from all
</Files>
<Files ~ "\.gif$">
    Order Allow,Deny
    Deny from all
</Files>
<Files ~ "\.jpeg$">
    Order Allow,Deny
    Deny from all
</Files>
<Files ~ "\.bmp$">
    Order Allow,Deny
    Deny from all
</Files>

(you might also choose to block everything in imageDir/, which would also
include the xml file)



Then you need to create a script called image.php which:

a) accepts file=.xxx in the URL ($_GET)
b) sets the appropriate image header
c) passes the image file through

Instead of you calling
<img src='imageDir/picture.jpg' />

You would call
<img src='image.php?file=imageDir/picture.jpg' />


You also need to ensure that users can't directly call image.php?file=
picture.jpg in the browser, which can also be done with apache / .htaccess
files.


<Files ~ "image\.php$">
    Order Allow,Deny
    Deny from all
</Files>



There's plenty of examples of passing images through in the manual... in
particular one of the user-contributed notes by lists at darkcore dot net
08-Aug-2002 03:24 at http://php.net/header looks about right.


Justin


on 16/02/03 3:24 AM, Michael Mulligan ([EMAIL PROTECTED]) wrote:

 Perhaps you could further describe such a method? I'm sorry, I just don't
 quite see how this will block the files. Perhaps I should further explain my
 situation.
 
 The script that I will distribute will always make use of a very particular
 directory structure. In imageDir, there will always be a specifically
 named XML file that points to a bunch of images in the directory. However,
 given security checks that I put in my script, not all of those images
 should be publicly viewable. However, if a savvy user were to just load this
 XML doc up in their web browser, they will have a complete listing of URLs
 to all of my images. I cannot modify this XML file.  (which is why I want to
 block a user from loading, say myserver.com/imageDir/picture.jpg)
 
 Will your proposed idea still work in this situation?
 
 Thanks for your help and patience in this matter. :-)
 
 On 02/15/03 11:09 AM, Marco Tabini [EMAIL PROTECTED] wrote:
 Only if you let them. The PHP script allows to put the appropriate
 checks in place. For example, if you use sessions, you can verify that
 the session is still valid and that the user has, indeed, the right to
 access that image. At a later time, even if another user types in the
 same URL but does not have a valid session (or a variable inside the
 session that contains the right data), you would be able to block him
 from reading the image.
 
 Cheers,
 
 
 Marco
 
 
 -m^2
 
 
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
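The per-directory blocking Justin describes, collapsed into one .htaccess for imageDir/, as an added example that is not Justin's or anyone else's configuration from this thread. It assumes the file is placed in imageDir/ itself and that the server's AllowOverride includes Limit, Options and FileInfo (an assumption; check the vhost). What the rules cover is worth being precise about: Apache applies them to HTTP requests that map onto those files, not to the filesystem reads PHP's readfile() or fopen() perform, so a serving script in the parent directory keeps working while the files stay inside ~/Sites/, which is what Michael's Mac OS X constraint needs. The serving script itself has to stay reachable over HTTP, since the browser's <img> request is what runs it; the authorisation check lives inside the script.

```apache
# imageDir/.htaccess (added example; assumes AllowOverride permits these directives)

# No directory listing: the XML index already names every file, do not add a second list.
Options -Indexes

# Refuse every direct HTTP request for the images and the XML index.
# PHP scripts elsewhere on the server still read the files from disk.
<FilesMatch "(?i)\.(jpe?g|gif|png|bmp|xml)$">
    # Apache 2.2 directives, as used in the thread (need mod_access_compat on 2.4)
    Order Allow,Deny
    Deny from all
    # Apache 2.4 equivalent:
    # Require all denied
</FilesMatch>
```

Check it from outside with a plain request for imageDir/picture.jpg and for the XML file; both should return 403, while the same picture requested through the PHP script with a valid session still renders.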