Author Topic: Download URL linking to files outside webroot  (Read 23567 times)


Offline Chris

  • 4images Moderator
  • 4images Guru
  • *****
  • Posts: 4.487
  • Did u ever stop to think and then forget to start?
Download URL linking to files outside webroot
« Reply #15 on: May 21, 2003, 11:03:54 PM »
Quote from: Ushkand
Chris this is exactly what I am doing right now. Like v@no says, any paid member can easily get the download link (direct url to the videos) and share it with others. These other visitors can just type in the direct url of the video and download them.

Perhaps I'm missing some information and you can explain to me why you believe the other people will actually get the file.

Here are two 4images behaviours to be aware of:

1.  The download link is in a form of: http://www.domain.com/4images/download.php?image_id=1416
Thus the actual server path is not revealed

2.  If the link is shared with others, it will redirect them to the home.html page because they aren't logged in.  Thus they have no permission to download.  This is because you set the download permission to "Private" per my previous instructions.

I tested this myself on a clean install of 4images.  Have you also tried it?

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Download URL linking to files outside webroot
« Reply #16 on: May 21, 2003, 11:24:21 PM »
actually, when u click on the download button it will execute download.php, but then the DIRECT LINK to the file will be sent back to the browser... that's the problem....
so, to prove it, here is the test:
first as I showed before, will show picture from outside of web root:
http://come.no-ip.com/iguana.php
second will do exactly the same what download.php does (well, almost the same, I skipped header that makes download the image instead of showing it):
http://come.no-ip.com/iguana.php?skip=yes
as u can see in your browser, after image was loaded it shows the direct path to it, no more .php file...
if u use some download managers, then u can easily find out the direct path to the file... :(
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline Chris

Download URL linking to files outside webroot
« Reply #17 on: May 21, 2003, 11:59:04 PM »
Quote from: V@no
second will do exactly the same what download.php does (well, almost the same, I skipped header that makes download the image instead of showing it):
http://come.no-ip.com/iguana.php?skip=yes
as u can see in your browser, after image was loaded it shows the direct path to it, no more .php file...
if u use some download managers, then u can easily find out the direct path to the file... :(

Well of course if you remove that header you're gonna see the path.  That header controls what mime type is returned to the browser.  In the case of download.php it's an "application/<browser specific>" mime type such as "application/octet-stream".  When you remove it, the mime type changes to that of the file "image/jpeg" in this case.

I've tried the download.php link in an FTP client and the server path was not revealed.  I don't have any download manager installed.  I also tried using 3 browsers.  Not once was I able to see the path.

Can anyone show me a real example of where the path is revealed?  Show me a screen shot of a browser, download manager or some other software where it's revealed.  Without an actual live example, I'm simply not convinced the path will be known to the end user.

Besides, even if the path IS revealed what's wrong with using .htaccess in the 4images/data/media directory?
Code:
# Disable image hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.*/.*$ [NC]
RewriteRule [^/]+.(gif|avi|mpg|jpg|png)$ http://www.domain.com/No_Access.gif [R,L]


Now the other person can't enter the link to get the file.

Please show me how it's revealed so I have something to examine to think up some ideas.

Offline V@no

Download URL linking to files outside webroot
« Reply #18 on: May 22, 2003, 12:52:27 AM »
Quote from: Chris
Well of course if you remove that header you're gonna see the path.  That header controls what mime type is returned to the browser.  In the case of download.php it's an "application/<browser specific>" mime type such as "application/octet-stream".  When you remove it, the mime type changes to that of the file "image/jpeg" in this case.
Yes, I know that, what I was trying to show u is what download.php actually sends back to the browser - FULL PATH for the file.
Only that fact is making this method unsecure, especially if u have paid service...

Quote from: Chris
Besides, even if the path IS revealed what's wrong with using .htaccess in the 4images/data/media directory?
Code:
# Disable image hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.*/.*$ [NC]
RewriteRule [^/]+.(gif|avi|mpg|jpg|png)$ http://www.domain.com/No_Access.gif [R,L]


Now the other person can't enter the link to get the file.
that's right, but this method will work only for images, or for the download button, because if u try to play video/audio or even show flash movies (anything that requires browser plugins) directly from the page it won't work...
here is a little discussion about that:
http://4homepages.de/forum/viewtopic.php?t=5292

Offline V@no

Download URL linking to files outside webroot
« Reply #19 on: May 22, 2003, 03:03:13 AM »
oops... I just took a close look inside download.php
I'm taking my words back... it doesn't send the full path to the browser, it reads the file, then sends the data to the browser...

Offline Ushkand

  • Jr. Member
  • **
  • Posts: 60
Download URL linking to files outside webroot
« Reply #20 on: May 22, 2003, 06:36:14 PM »
Based on your suggestion a while ago, I had changed the download.php like this:

Quote

I just found which code does this - in download.php:

Code:
$remote_url = 0;
  if (!empty($image_row['image_download_url'])) {
    if (is_remote_file($image_row['image_download_url']) || is_local_file($image_row['image_download_url'])) {
      ereg("(.+)\.(.+)", basename($image_row['image_download_url']), $regs);
      $file_name = $regs[1];
      $file_extension = $regs[2];

      $file['file_name'] = $file_name.(($size) ? "_".$size : "").".".$file_extension;
      $file['file_path'] = dirname($image_row['image_download_url'])."/".$file['file_name'];
    }
    else {
      $file['file_path'] = $image_row['image_download_url'];
      $remote_url = 1;
    }
  }


 
if this code is changed to this:

Code:
$remote_url = 0;
  if (!empty($image_row['image_download_url'])) {
      $file['file_path'] = $image_row['image_download_url'];
      $remote_url = 1;
 }


 
then the 4images script won't download the file, it will just throw the link to the user, but... it might not work properly, because the link will work as "open" not "save as".


I was having problems downloading files larger than 25MB using the original download.php. Making these changes now lets me serve videos as big as I want. The link to the post describing the problem:

http://4homepages.de/forum/viewtopic.php?p=15620&highlight=#15620


Code:
# Disable image hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.*/.*$ [NC]
RewriteRule [^/]+.(gif|avi|mpg|jpg|png)$ http://www.domain.com/No_Access.gif [R,L]


So if I use this, the only thing that it's going to affect is the server play, right? I don't want the videos to be played on the page but just be available for download. As long as someone can't access the files directly from a download URL, I should be ok.

Offline Chris

Download URL linking to files outside webroot
« Reply #21 on: May 22, 2003, 09:32:32 PM »
Quote from: Ushkand
Code:
# Disable image hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.*/.*$ [NC]
RewriteRule [^/]+.(gif|avi|mpg|jpg|png)$ http://www.domain.com/No_Access.gif [R,L]


So if I use this, the only thing that it's going to affect is the server play, right? I don't want the videos to be played on the page but just be available for download. As long as someone can't access the files directly from a download URL, I should be ok.

No.  That code is meant to stop other web sites from linking to your media files.  That's called hot linking.  In other words, displaying your pictures on their web pages and using your server's bandwidth for their site.
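
Added example, not part of the thread and not 4images code: a download gate in PHP that checks permission on every request and streams a file stored outside the web root in fixed-size chunks, so the direct URL is never handed to the browser and access does not rest on the client-supplied Referer header. `MEDIA_ROOT`, `$catalog` and the `may_download` session key are hypothetical names, and the catalog entry is constructed.

```php
<?php
// Added example, not 4images code; MEDIA_ROOT, $catalog and 'may_download' are hypothetical.
const MEDIA_ROOT = '/srv/private-media';   // assumed directory outside the web root
const CHUNK_BYTES = 1048576;               // 1 MiB read per loop iteration

// Map a stored relative name to a real file, refusing anything that
// resolves outside MEDIA_ROOT (for example "../" sequences or symlinks).
function resolve_media(string $root, string $relative): ?string
{
    $rootReal = realpath($root);
    $full = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($rootReal === false || $full === false || !is_file($full)) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Send the file as an attachment in fixed-size chunks, so memory use
// stays near CHUNK_BYTES no matter how large the video is.
function stream_file(string $path): void
{
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    while (ob_get_level() > 0) { ob_end_clean(); }  // no buffer may hold the whole file
    $fh = fopen($path, 'rb');
    while (!feof($fh)) {
        echo fread($fh, CHUNK_BYTES);
        flush();
    }
    fclose($fh);
}

session_start();
$catalog = [1416 => 'videos/sample.mpg'];  // constructed id => relative path
$id = (int) ($_GET['image_id'] ?? 0);
if (empty($_SESSION['may_download'])) {    // permission is checked on every request
    http_response_code(403);
    exit('Not permitted');
}
$path = isset($catalog[$id]) ? resolve_media(MEDIA_ROOT, $catalog[$id]) : null;
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}
set_time_limit(0);                         // long transfers must not hit the script time limit
stream_file($path);
```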

Offline baconzoo

  • Jr. Member
  • **
  • Posts: 57
    • http://www.baconzoo.com/library
Mpegs and file size
« Reply #22 on: May 30, 2003, 03:16:42 PM »
Same Premiere encoding of a standard Mpeg1 with all my files.
One file that is under a Mb plays fine:
http://www.baconzoo.com/HV/details.php?image_id=1

Other files greater in size (2-3 Mb) won't play:
http://www.baconzoo.com/HV/details.php?image_id=18

Direct linking doesn't work for playback, but a download works.
Any clue?
Will the download.php  mod work? or do I need to stay under a size range?

PS This site is under construction...