Restrict file access to authorized php users

Question

I\'ve inherited an application with a glaring security hole.

It has session-based security, but file uploads (which are user specific) are not secured in any way an

Answer 1

I think you may need to write a script that will serve the images, then use htaccess to completely restrict access to the actual images from a browser.

The script can take in the web path to the image, decide if the user has access, then use something like fpassthru to feed an actual image to the browser.

All references to the images would need to be modified, however, to reference the serving script.

So instead of accessing the images with /images/123/5423453245.jpg, it would be /image.php?images/123/5423453245.jpg

Or something similar to that.

Answer 2

Don't really understand why moving them isn't an option, since pushing requests for them to a handler means it no longer matters where they're stored. But you're the man on the scene.

.htaccess looks like:

RewriteEngine on
RewriteRule path/to/where/these/files/live/(.*) /handlerscript.php/$1

Then you pick up the remaining file path and name from $_SERVER['PATH_INFO'].

Answer 3

Well, you could make apache parse .jpg file's for a certain folder adding the following to your .htaccess

AddHandler php5-cgi .jpg

then you could set a file of php to parse the request the way chaos was recomending you and doing a certain validation, then just return jpeg headers along with the correct picture u'd like to display

here's an example

<?php
if($validUser)
    {
    header("Cache-control: No-cache");
    header("Pragma: No-cache");
    header("Content-Type: image/jpeg");
    //correct picture address
    $img = imagecreatefromjpeg("2326_b_lil.jpg");
    imagejpeg($img);
    }
    else
    {
    //code for error image
    }
?>

please let me know if you want a more extensive example