How do I set security for uploaded files?
rbrahmson
We want to allow users to upload files but want the files accessible only to users in the same category (we use category permissions). That works fine for the discussions but once people figure out where the attachments folder is, anyone can go there and see everything.
Any suggestions, solutions?
Comments
.htaccess:
Options -Indexes
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
Newbie here, please elaborate. Hope this won't break ability of permitted members to upload/download files.
Searching the internet for htaccess options indexes brings up informative links like this: http://stackoverflow.com/questions/15837822/what-is-the-htaccess-options-indexes-for
If your users aren't able to browse the directory, they will not be able to see what is in the upload folder.
While I would guess that this is good enough, your users would be able to download things with brute force.
Thanks @R_J, I found out that I can set security per folders, so in theory I can control who has access to the download folder. My problem is coordinating it with Vanilla -- namely how to set it so it won't break anything.
The requirements are "simple":
1. Users should be able to upload files (no brute force - my users aren't sophisticated).
2. Users should be able to download files (again, no brute force)
3. Users (and guests) should not be able to alter url pointers to images in order to access downloaded files (as they can today because downloads go to the same place as profile pictures, forum logo, etc.)
4. We use category permissions to separate groups of users (Users from group A cannot see discussions from Group B and vice versa). Similarly, we need to ensure that users from group A will not be able to access downloaded files from group B.
I'd welcome advice on how to modify the plugin to direct files to a different folder, as long as I could set folder security (in htaccess, I guess) to work with the requirements.
So before I go and play with htaccess, I need to understand how to make it work with the above.
This is not easily possible, but usually not required.
Why it is not possible:
When you are downloading a file, your request doesn't hit vanilla, it goes directly to your web server (apache) which serves the file. To restrict access by category permissions, the files would have to be dispatched through vanilla to check the session and permissions of the user while the access to the folder with the actual files would have to be restricted. This could be developed as a plugin.
Why it is not required for most sites:
Uploaded files are assigned a random name and split between 256 folders (00 - ff). It is practically impossible for users to guess the file name.
If a user shares a file name with a user who shouldn't have access to the file, the user could just as well send the actual file to the other user.
The only way for users to browse the directory is if the server shows directory listings. This can be disabled with the .htaccess rule I posted above but should usually already be disabled at server level.
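The dispatch-through-the-application approach described in the post above, as an added example (not Vanilla's code and not written by anyone in this thread): the files sit outside the web root, and a PHP endpoint checks the requester's categories before streaming a file. The storage path, the function names, the file-name pattern and the attachment-to-category lookup are all assumptions made for illustration.

```php
<?php
// Added example: every name here is hypothetical; none of this is Vanilla's API.
const STORAGE_ROOT = '/var/forum-private/uploads'; // assumed path, outside the web root

/**
 * Decide whether a user limited to $userCategoryIds may fetch $relPath.
 * $attachments maps stored relative path => category ID (constructed lookup;
 * a real plugin would read this from its attachment and discussion tables).
 * Returns the absolute path to serve, or null when access must be refused.
 */
function authorizeDownload(string $relPath, array $userCategoryIds, array $attachments, string $root = STORAGE_ROOT): ?string
{
    // Accept only a two-hex-digit folder plus a random name (assumed format).
    // \z instead of $ so a trailing newline cannot slip through.
    if (!preg_match('#^[0-9a-f]{2}/[A-Za-z0-9]{8,64}\.[A-Za-z0-9]{1,8}\z#', $relPath)) {
        return null; // rejects "../", absolute paths and NUL bytes
    }
    // Unknown file and forbidden category get the same answer, so the
    // endpoint cannot be used to test which names exist.
    $categoryId = $attachments[$relPath] ?? null;
    if ($categoryId === null || !in_array($categoryId, $userCategoryIds, true)) {
        return null;
    }
    return $root . '/' . $relPath;
}

function sendFile(string $absPath): void
{
    if (!is_file($absPath)) { http_response_code(404); return; }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($absPath) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($absPath));
    readfile($absPath);
}

// Constructed sample data: one file in category 1 (group A), one in category 2 (group B).
$attachments = ['3f/Qk7xLm2pZr9t.pdf' => 1, 'a0/Hd81nVcXw0Ye.pdf' => 2];
$groupA = [1]; // category IDs the current session may view (assumed session lookup)

$path = authorizeDownload($_GET['file'] ?? '', $groupA, $attachments);
if ($path === null) {
    http_response_code(404);
} else {
    sendFile($path);
}
```

With this sample data a group A session requesting `a0/Hd81nVcXw0Ye.pdf` receives the same 404 as a request for a file that does not exist.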
@Bleistivt - very insightful, thanks! I guess I'll have to research how downloaded files ended up with names in the clear. Possibly a different upload plugin (I tried a few...)
Is there an encryption for the files themselves?
Not by default.
It doesn't really make sense to either. It would be effectively the same thing as locking your house but printing the passcode on the front door.
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
Not sure I understand. I was hoping that Vanilla had such a builtin encryption facility so that in the event that someone gets to an uploaded file, it is still encrypted. Why would that be printing the code on the floor?
The idea of encrypting files is to render it unusable to anyone without the key. Since the files need to be public to serve them to users, you have to decrypt them before you give them the file. Or you give them the key and have them decrypt it locally. Either way, you aren't really gaining security from encryption.
You are gaining some security during the transport, assuming you are transporting the key with a different medium.
My thinking is that the transport was the decryptor, rather than decrypting into a temporary file before transporting. Clearly I'm not a programmer and I'm imagining things as they "should be" in my naive world...
At the end of the day what I wanted is to have separation between groups of users (roles) so one group wouldn't have access to the other... Seems like I'll have to live with the file-name encryption mechanism...
I appreciate your and your colleagues' clarifications. Everyone has been very helpful and I appreciate that.