Question

I have a site with user logins and sessions. I'd like to allow my users to upload files to the webserver, but only have them available for their login.

I understand if I upload to some sort of public web directory that the file would be still accessible via:

http://www.mydomain.com/files/thefile.pdf

However, I'm thinking I can store the files in the directories just above my public HTML root (say it's /mnt/content/web/html).

So, I could make a directory called (/mnt/content/web/uniqueidfortheuser) and store my files there, then reference the files via PHP with the syntax:

(../uniqueidfortheuser/thefile.pdf).

My question - is this secure enough or is there something I'm overlooking? The name of the uniqueidfortheuser would be stored in a database and unknown to users, and they'd have to have a valid session to gain access to the unique name of their folder. And I don't think they'd be able to call any of the files in the folder from the web.


Solution

Even better - when the user uploads the file, include the user_ID for the file. Then, when you try to retrieve the file, make sure it belongs to the user.

So therefore even if they guess another file - it won't matter!

You need to use readfile:

    function user_files($file_name = "")
    {
        // Assumes the application's session user object is available globally
        global $user;

        // Check user is logged in
        if ($user->logged_in())
        {
            // Check file_name is valid and only contains valid chars.
            // Anchored at both ends so a path such as "../x.pdf" cannot match.
            if (preg_match('/\A[A-Za-z0-9]{1,32}\.[A-Za-z]{3,4}\z/', $file_name))
            {
                // Now check file belongs to user - PSEUDOCODE
                if ($file_name == $user->records)
                {
                    header('Content-Type: '.get_mime_by_extension(YOUR_PATH.$file_name));
                    readfile(YOUR_PATH.$file_name);
                } else {
                    echo 'You do not have access to this file';
                }
            }
        }
    }

There are some issues around directory traversal etc - so you'll need to check the $file_name first like I have using the preg_match.
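
The three checks discussed above (file-name allow-list, per-user ownership, and confinement to a directory outside the web root), written out as an added example that is not part of the original answer. The function names, the `$owned` list standing in for the database lookup, and the demo files are assumptions made for illustration.

```php
<?php
// Added example; the function names, $owned list and demo files are hypothetical.

// Return the real path of $requested if the user owns it and it lies in $baseDir.
function resolve_user_file(string $baseDir, array $owned, string $requested): ?string
{
    // 1. Allow-list the name, anchored at both ends ("../x.pdf" and "x.pdf\n" fail).
    if (!preg_match('/\A[A-Za-z0-9]{1,32}\.[A-Za-z]{3,4}\z/', $requested)) {
        return null;
    }
    // 2. Ownership: the name must be one recorded for this user at upload time.
    if (!in_array($requested, $owned, true)) {
        return null;
    }
    // 3. Containment: resolve symlinks, then require the result to sit under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Stream an already-authorised file as a download rather than inline content.
function send_user_file(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed demo: a temp directory stands in for the store outside the web root.
$dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/report.pdf", 'alice data');
file_put_contents("$dir/invoice.pdf", 'bob data');
$aliceFiles = ['report.pdf']; // what the database records as alice's uploads

foreach (['report.pdf', 'invoice.pdf', '../report.pdf', "report.pdf\n"] as $name) {
    $path = resolve_user_file($dir, $aliceFiles, $name);
    echo json_encode($name, JSON_UNESCAPED_SLASHES), ' => ',
        $path !== null ? 'allowed' : 'denied', PHP_EOL;
}
```

In a request handler, `send_user_file()` would be called only when `resolve_user_file()` returns a path; any `null` result should produce the same generic denial so the response does not reveal whether another user's file exists.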

License: CC-BY-SA with attribution
Not affiliated with StackOverflow