Opening files using PHP

Status
Not open for further replies.

james0816

Programmer
Jan 9, 2003
295
US
I've run into a problem and have not figured out a way out of it. Not even sure if I'm coding correctly.

I created a nice PHP web application for my company. Users sign on, pull up data and even access files.

The opening of files is where I am stuck at.

in my PHP page, i was programming like this:

<a href="file:<?php echo $server; ?>/<?php echo $fldrloc['location']; ?>/<?php echo $fileloc['name']; ?>" target='_blank'>


I was able to open files while signed on as myself (full rights to everything). I then released a demo version for other users to try out and they could not access files.

I'm gathering that this is since they do not have permission to the stored location.

I then tried to render the files using http:// instead of file://. This doesn't work at all (even for me) as it only comes up as page cannot be displayed.

I can access files using my browser (IE). I go to other websites and open PDF files on their site by using the http link. I try from my browser to access one of my PDF files and get page cannot be displayed.

am I way off base here? can someone point to what i should be doing correctly?

thx
 
php will run with the privileges assigned to the web server process.

so, unless you are using integrated windows authentication within IE and IIS, this will typically be the IUSR_MACHINENAME user on IIS or nobody/apache on apache.

if php tries to retrieve a file using fopen or similar that it does not have privileges for, the function will fail.

if you are trying to access a file directly using http the webserver needs the appropriate privilege. however if a file is accessed using the file:// protocol, windows should intermediate this request and pass the relevant credentials (or kerberos cert) to validate the request. if you are not using windows something similar is true with most other OS'es so far as i know.

i would test again with the link correctly formed with the file:// protocol (you are missing the double forward slashes)

 
sry for the typo...it does work using the FILE: method. I left off the // when i was typing...sry

but yes...it only works for me when I am signed on as i have full rights to the system. the webserver starts using my id as well giving the app full rights. no user has physical rights to the file share. their rights are governed via entries in a table.

so when signing on as john doe, he can access the web app and work around in it. he just cannot open the files. going by what you are saying, using the FILE:// method, windows is going to use windows authority to check for access and since he does not have access to that share, he will not be able to access the file.

however, using the http:// method, the file should have opened up since it is using the credentials of the webserver?

did i get that right?
 
did I get that right
yes, i think so. provided the web server has sufficient privileges.

but i don't think that is a great idea since the file could be called directly by someone who was not logged in and validated. perhaps it would be better to have all file requests handled by a php page that tests the user's authority and then uses fopen or any of the other file handling methods to output the file to the user. it's just a matter of setting the right headers (header()) after the validation process. This way you can also handle logging of the file access in a neat manner.
 
not sure what you are referring to on the calling the file by someone not logged in. do you mean by pulling up a cached version of the page and accessing that way?

then instead using the <a href to open the file, i would just point to another php page...say openme.php and have the fopen code on that page to render the file to the user?

i'm not familiar with headers so that will be an area of concern.
 
well if a file is located at then it is available to all users of the web application regardless of permission. thus if you are trying to limit the availability only to certain people, if the address becomes known to a person outside the right group, the file would be vulnerable.

if you have the links as openme.php?filename=something.doc (or some other unique identifier) then your openme script might look like

Code:
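<?php
session_start();
// isLoggedIn(), doThatLoginThing(), isPermitted(), $validFiles and $username
// come from your own login and permissions framework
if (!isLoggedIn()) { doThatLoginThing(); }
if (!isset($_GET['filename'])) { die("naughty naughty"); }
$filename = $_GET['filename'];
// in_array() takes the needle first, then the haystack; true forces strict comparison
if (!in_array($filename, $validFiles, true)) { die("naughty naughty"); }
if (!isPermitted($filename, $username)) { die("naughty naughty"); }
// fopen() needs a mode; 'rb' reads in binary so the file is not altered on Windows
$fh = fopen($filename, 'rb') or die("Can't open filename");
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
fpassthru($fh);
fclose($fh);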

this presupposes that you keep an array of valid files available for download and that you are using a login system with a permissions framework. treat as pseudo-code, obviously.
 
i've been playing around with this and not having any success. I am accessing the files via a Virtual Directory on the web server. I can access them if I use the <a href method but can not open it using the fopen() method. It keeps telling me can't find file.

Is there a certain way to code to pull from a virtual directory?
 
@DaButcher
you would want to use fopen with fpassthru to output stuff to the browser. you could also use file_get_contents etc but there is a memory and speed overhead to reading everything into memory just to bang it back down the tube to the user.

@OP
ideally you would use fopen on the real path of the virtual directory - to grab the file natively.

virtual directories are aliased by the web server. so if you want to access the file via the virtual directory you need to use the http:// protocol. make sure you are giving just the web server permission to do this (IP restriction?) so that users cannot disintermediate your security system. You may be able to use ftp, i can't remember whether this honours virtual directories in IIS. this might improve the security as the username/password would be sent in the fopen command and you wouldn't need to muck around with permissions (fopen(ftp://username:password@ftp.domain.com/filename.ext))
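
One way to build the openme.php gatekeeper discussed in this thread, reading from the real path behind the virtual directory (an added example, not code from any poster in the thread). SHARE_ROOT, the FILES rights map, the `id` parameter and the `$_SESSION['username']` key are assumptions standing in for the application's own share path, rights table and login system.

```php
<?php
// openme.php?id=42 : added illustration; every name and path here is an assumption
session_start();

const SHARE_ROOT = 'D:\\shares\\documents';   // assumed real path behind the virtual directory

// Constructed stand-in for the rights table: file id => relative path and permitted users
const FILES = [
    42 => ['path' => 'reports/q1.pdf',  'users' => ['jdoe', 'asmith']],
    43 => ['path' => 'hr/salaries.xls', 'users' => ['asmith']],
];

function deny(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

// Resolve a stored relative path and confirm the result is still inside the share root
function resolveInsideRoot(string $root, string $relative): ?string {
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0 ? $fileReal : null;
}

$user = $_SESSION['username'] ?? null;          // set by the application's own login page
if ($user === null) { deny(401, 'Please sign on first.'); }

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$entry = is_int($id) ? (FILES[$id] ?? null) : null;
// Same answer for "no such file" and "no right to it", so ids cannot be probed
if ($entry === null || !in_array($user, $entry['users'], true)) { deny(403, 'Not permitted.'); }

$path = resolveInsideRoot(SHARE_ROOT, $entry['path']);
if ($path === null) { deny(404, 'File not found.'); }

$fh = fopen($path, 'rb');                        // runs with the web server account's rights
if ($fh === false) { deny(500, 'Cannot open file.'); }
error_log(sprintf('file access: user=%s id=%d path=%s', $user, $id, $path));

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
fpassthru($fh);
fclose($fh);
```

Links in the application then point at openme.php?id=42 rather than at the file, and the share needs read permission only for the web server account.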
 