I am storing a file on the public directory. If my file is a 100 character random string, could someone potentially find this file? Is there any way to protect the public directory for Laravel?
Do not attempt to do this. Security by obscurity is not a valid approach.
A few flaws to this approach:
If I knew the file existed, but not its name: I could try every combination to find it.
The web server may have an unknown flaw that allows directories to be listed?
If HTTPS is not utilized, anyone monitoring requests could see the file.
The best way would be to create a view that serves the file, stored outside the public directory(/storage), and secure the view with a single use token or login.
Related
I have developed a small web application that runs a web server in golang.
Each user can login, view the list of their docs (previously uploaded) and click on an item to view an html page that shows some fields of the document plus an tag with a src attribute
The src attribute includes an url like "mydocuments/download/123-456-789.pdf"
On the server side I handle the URL ("mydocuments/download/*") via an http Handler
mymux.HandleFunc(pat.Get("/mydocuments/download/:docname"), DocDownloadHandler)
where:
I check that the user has the rights to view the document in the url
Then I create a fileserver that obviously re-maps the url to the real path of the folder where the files are stored on the filesystem of the server
fileServer := http.StripPrefix("/mydocs/download/",http.FileServer(http.Dir("/the-real-path-to-documents-folder/user-specific-folder/)))
and of course I serve the files
fileServer.ServeHTTP(w, r)
IMPORTANT: the directory where the documents are stored is not the static-files directory I sue for the website but a directory where all files end after being uploaded by users.
My QUESTION
As I am trying to convert the code for it to work also on Google Cloud, I am trying to change the code so that files are stored in a bucket (or, better in "sub-directories" -as they do not properly exist- of a bucket).
How can I modify the code so to map the real document url as available via the cloud storage bucket?
Can I still use the http.FileServer technique above (if so what should I use instead of http.Dir to map the bucket "sub-folder" path where the documents are stored)?
I hope I was enough clear to explain my issue...
I apologise in advance for any unclear point...
Some options are:
Give the user direct access to the resource using a signed URL.
Write code to proxy the request to GCS.
Use http.FS with an fs.FS backed by GCS.
It's possible that a fs.FS for GCS already exists, but you may need to write one.
You can use http.FileSystem since it is an interface and can be implemented however you like.
Assume that I have a directory for uploaded public files like images in /var/my-project/upload/public.
I want to download files in public directory with its name. For example if there is a file named product-image.png in public directory with uri /var/my-project/upload/public/product-image.png, access to this file with this url: http://mysite/public/product-image.png.
I know how to use a controller for this purpose, but I want to know is there a way to directly access these files without using a controller method?
The only acceptable way of doing it is with a ReSTful api. There are other methods such as ftp, but When you use ftp, Files can be added by anyone who knows how. With a ReST controller, you define what can be added beforehand. In fact, with a controller you define just about everything regarding that endpoint.
So the short answer is (especially if you are using Spring boot) use an API, lest you not regret it later.
When I was in College, our website had a built in "back door" to a certain endpoint via ftp. Some kids in one of my classes found out about that back door and let themselves inside. Needless to say' they didnt bother wiping their shoes on the mat on their way in.
The moral: Never assume that your resources aren't worth messing with. All you need to do is make it unsecure, and people will eventually mess with it.
I have a requirement to send the folder details in the URL for POST method, some thing like this
http:///{directory}/{filename}
I am using Spring API to create the service. Using #PathVariables to two variables in the URI.
Problem : Directory can have "/" slashes in it.
Now how can I create my API, please help me.
POST http://example.com/api/files/path/to/my/file/filename
Stick a controller on /api/files. Scrape the URL starting after /files. Use that to locate the file.
P.S. This has the potential to be a Very Bad Idea. Make sure you secure the controller to only expose those parts of your filesystem you don't mind random internet strangers to be able to operate on.
I'm using GroceryCRUD to act as a front end for a database containing news releases. Secretaries can go in and add/edit/delete news releases in the database easily now. Only qualified users are able to access the application root via an .htaccess password. The problem with this is that GroceryCRUD uploads assets such as photos are uploaded to the directory /www/approot/assets/uploads/ which is password protected since /approot/ is protected.
My ideal solution would be to set an upload directory outside of the application root which is where I'm running into trouble. By default this is how GroceryCRUD handles uploads:
$this->grocery_crud->set_field_upload('photo1','assets/uploads/');
I've tried changing it to something like this:
$this->grocery_crud->set_field_upload('photo1','/public/assets/uploads/');
I was hoping this / would make the path start from the document root instead of the application root, but it throws this error:
PHP Fatal error: Uncaught exception 'Exception' with message 'It
seems that the folder "/Users/myusername/www/approot//public/assets/uploads/"
for the field name "photo1" doesn't exists.
This seems to suggest that CI or GroceryCRUD just takes the second argument in set_upload field and just concatenates it onto the end of the site URL that is defined. Is there any way around this that doesn't involve creating a user login system?
Try using relative path.
$this->grocery_crud->set_field_upload('photo1','../assets/uploads/');
.. -> Go up one directory
I ended up implementing a login system outlined in this tutorial:
http://net.tutsplus.com/tutorials/php/easy-authentication-with-codeigniter/
It was quite simple to set up and suits my needs. I found ways to give access to the directory using httpd.conf directives but I feel like this was a more viable solution since I don't have direct access to server configuration files.
Maybe in the future GroceryCRUD will allow placement of uploads outside the application folder.
I'm trying to decide where the 'correct folder' to store documents and logs created by my windows form application. The application is used in education and has all paths held in the SQL server. Some (like logs file paths are shared) are accessible on network but specifically for temporary documents where should I default the storage to? I've recently tried the Users/username/AppData/ folder but I seem to be getting differing results after installation; so far I have put this down to people user credentials as often in schools they can do whatever they want (yes I know shocking indeed).
If anyone can point me in the direction of an MSDn article or knows better please reply - Thanks.
** Edit 10/09/2013 - Sorry all I should be further explicit. I'm looking for the folder / structure Microsoft has designed for this sort off activity. My application already provides users with the ability to create thier own working directories (there are several required) but I'm keen to use the 'correct' locations for this sort of activity... I thought the right place would be c:/Users/USERNAME/Appdata/APPLICATION FOLDER/ but as I mention I've come across a few access rights issues when uses install the application.... hope that explains better - thanks
To create temporary directory you can use something like this:
public string GetTempDirectory() {
string path = Path.GetRandomFileName();
Path.Combine(Path.GetTempPath(), path);
Directory.CreateDirectory(path);
return path;
}
Path class info
Directory class info