• Resolved genjitech

    (@genjitech)


    I’m trying to secure my downloads directory with .htaccess using RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    but when downloading with Fileaway I get access denied. Direct linking to the file path outside of Fileaway output works as expected.

Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Author thomstark

    (@thomstark)

    More info please

    Thanks for your quick response by email — but not sure why it came to me, as this is not my question!!

    I posted a question after “directory security” — it is titled “Shortcode not producing files on page”.

    Thread Starter genjitech

    (@genjitech)

    I’m using Fileaway to list a directory with secured documents, as I do not want anyone to have direct access to files in this directory without being logged in. I wanted some extra security to disallow anyone who doesn’t have a login, or isn’t logged in to WordPress, from being able to get files.
    Adding .htaccess to the directory:
    # These next two lines will already exist in your .htaccess file
    RewriteEngine On
    RewriteBase /
    # Add these lines right after the preceding two
    RewriteCond %{REQUEST_FILENAME} ^.*(doc|docx)$
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    RewriteRule . - [R=403,L]
    works except with the Fileaway plugin.
    If I direct link to the file without being logged in to WordPress, the download is denied.
    If I direct link to the file after logging in to WordPress, the file downloads as expected.
    BUT if I try to download the file with the link generated by Fileaway, .htaccess is ignored and access to download the file is always denied.

    Plugin Author thomstark

    (@thomstark)

    More info about your File Away setup. Are stats enabled or disabled? What does your shortcode look like?

    Thread Starter genjitech

    (@genjitech)

    Without adding .htaccess to the directory, the only security the files have is making sure “Options +Indexes” is turned off, but if the direct path is known the file is basically publicly available.

    Plugin Author thomstark

    (@thomstark)

    Where is this htaccess file located?

    Plugin Author thomstark

    (@thomstark)

    You know you can enable encrypted links in File Away, right? You just don’t want to use that feature?

    Thread Starter genjitech

    (@genjitech)

    root directory: wp install directory
    base directory 1: /public_html/secure-content/
    base url: genjitech.com (HTTPS)
    ----------
    Statistics are disabled
    ----------
    [Shortcode]
    [fileaway type="table" showto="administrator,insurance_company,safety_director" search="yes" searchlabel="Filter Data Below" mod="no" redirect="true" recursive="on" only="Accident-Safety" theme="silver-bullet" heading="Accident-Reports" hcolor="blue" color="blue" iconcolor="blue"]

    Thread Starter genjitech

    (@genjitech)

    Enabling encrypted links is fine and I plan on enabling this, but this doesn’t fix the fact that without .htaccess on the directory there is nothing in place to keep someone from just hotlinking the file, as it’s open to the public.
    Even with encrypted links it’s not that hard to view source and get the complete path.

    Thread Starter genjitech

    (@genjitech)

    .htaccess:
    tried in /public_html/secure-content
    tried /public_html (modifying the main WordPress .htaccess)
    both yield the same results

    Plugin Author thomstark

    (@thomstark)

    I can’t reproduce anything you’re describing. An htaccess file to protect files would normally go in the directory where the files are stored.

    If encryption is disabled, all File Away does is put the link on the page. There’s no difference between that and just manually typing a link to the file.

    Please demonstrate to me how you think it is easy to “view source and get the complete path” with encrypted links enabled, because that’s counterintuitive to me, the plugin developer.

    You can have encrypted links enabled AND use an htaccess file to secure your files and you won’t have the problem you’re describing, which I can’t reproduce anyway.

    Thread Starter genjitech

    (@genjitech)

    OK, to reproduce the problem:
    add an .htaccess file to the directory you wish to secure and add
    # These next two lines will already exist in your .htaccess file
    RewriteEngine On
    RewriteBase /
    # Add these lines right after the preceding two
    RewriteCond %{REQUEST_FILENAME} ^.*(doc|docx)$
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    RewriteRule . - [R=403,L]
    Visit the page and click the link.
    Apache error: you are not allowed by server configuration.
    Now copy the link and paste it directly in the address bar, and the file downloads like magic.
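The rule chain posted twice in this thread is small enough to evaluate by hand, but its edge cases are easy to miss. The following Python script is an added example (it is not from this thread, from File Away, or from Apache) that re-implements the two RewriteCond tests with Python's re module over a set of constructed request scenarios, so the decision for each case can be read off directly. Assumptions: the cookie value shown is a made-up stand-in for a WordPress login cookie, and %{REQUEST_FILENAME} is represented by a filesystem path string. Two things the table makes visible: the filename condition has no [NC], so an uppercase .DOC is never blocked, and the pattern only covers names ending in "doc"/"docx", so a .pdf in the same directory is not protected at all. A tightened variant that anchors on the dot and ignores case is included beside it; note that either way the cookie condition is only a substring test on a client-supplied header and cannot validate the session the way WordPress itself does, which is why an application-side check remains the stronger control.

```python
import re

# The two RewriteCond patterns as posted in the thread. Apache uses PCRE;
# for patterns this simple Python's re module behaves the same way.
FILENAME_RE = re.compile(r"^.*(doc|docx)$")
# [NC] on the cookie condition makes that match case-insensitive.
COOKIE_RE = re.compile(r"^.*wordpress_logged_in.*$", re.IGNORECASE)

# A tightened filename test (added here, not from the thread): require the
# extension after a dot, match it case-insensitively, and list every type
# stored in the directory rather than only doc/docx.
TIGHT_FILENAME_RE = re.compile(r"\.(docx?|pdf|xlsx?)$", re.IGNORECASE)


def rule_blocks(request_filename: str, http_cookie: str,
                filename_re: re.Pattern = FILENAME_RE) -> bool:
    """Return True when the posted rule chain would answer 403.

    RewriteCond lines are ANDed, so the RewriteRule (R=403) fires only
    when both hold.  The cookie condition is negated with '!', so it holds
    when the Cookie header does NOT contain 'wordpress_logged_in'.
    """
    filename_matches = filename_re.search(request_filename) is not None
    cookie_matches = COOKIE_RE.search(http_cookie) is not None
    return filename_matches and not cookie_matches


def tightened_blocks(request_filename: str, http_cookie: str) -> bool:
    """Same chain, but with the tightened filename condition."""
    return rule_blocks(request_filename, http_cookie, TIGHT_FILENAME_RE)


# Constructed scenarios; the cookie value is a placeholder, not a real one.
LOGGED_IN_COOKIE = ("wordpress_logged_in_PLACEHOLDER=user%7Cexp%7Ctoken%7Chmac; "
                    "wp-settings-1=x")
BASE = "/public_html/secure-content/"
SCENARIOS = [
    # (label, REQUEST_FILENAME, HTTP_COOKIE)
    ("anonymous doc", BASE + "report.doc", ""),
    ("logged-in doc", BASE + "report.doc", LOGGED_IN_COOKIE),
    ("anonymous docx", BASE + "report.docx", ""),
    ("anonymous uppercase DOC", BASE + "report.DOC", ""),
    ("anonymous pdf", BASE + "report.pdf", ""),
    ("anonymous jpg", BASE + "photo.jpg", ""),
    ("anonymous name ending in 'doc' without a dot", BASE + "mydoc", ""),
]


def decision_table() -> dict:
    """Map each scenario label to (posted rule blocks?, tightened rule blocks?)."""
    return {label: (rule_blocks(fn, ck), tightened_blocks(fn, ck))
            for label, fn, ck in SCENARIOS}


if __name__ == "__main__":
    for label, (posted, tight) in decision_table().items():
        print(f"{label:48s} posted={'403' if posted else 'pass':4s} "
              f"tightened={'403' if tight else 'pass'}")
```

Running the script prints one line per scenario; the rows worth comparing are "anonymous uppercase DOC" and "anonymous pdf", which the posted rules let through and the tightened rules block, and "name ending in 'doc' without a dot", which only the posted rules block.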

    Plugin Author thomstark

    (@thomstark)

    Yeah, nope. That’s what I did. I can’t reproduce your issue.

    The simplest way to secure files using File Away is to do this:

    [fileaway encryption="true" type="table" showto="administrator,insurance_company,safety_director" search="yes" searchlabel="Filter Data Below" mod="no" redirect="true" recursive="on" only="Accident-Safety" theme="silver-bullet" heading="Accident-Reports" hcolor="blue" color="blue" iconcolor="blue"]

    Then in the directories where you store your files, add an .htaccess file in each directory that just has two lines:

    order deny,allow
    deny from all
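The two-line .htaccess above is the Apache 2.2 form; on Apache 2.4 the same effect comes from `Require all denied` (the old Order/Deny directives still work there only when mod_access_compat is loaded). Denying all direct access is only half of the pattern, though: some application code must then hand the file out after its own authorization check. The script below is an added example of that server-side half in Python, written here as a stand-in rather than taken from File Away or WordPress, so `is_user_logged_in` is a constructed session check (WordPress has a function of the same name, but this one just looks at a dict), and the file system layout is created in a temporary directory. The part a practitioner would want to get right is `resolve_inside`: the client-supplied name is resolved with realpath semantics and must land inside the protected directory before anything is read, so "../" and absolute paths are refused before the file is opened.

```python
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def is_user_logged_in(session: dict) -> bool:
    """Constructed stand-in for the application's session check.

    Assumption: a real WordPress deployment would call WordPress's own
    is_user_logged_in() here; this version only inspects a dict.
    """
    return bool(session.get("user_id"))


def resolve_inside(base_dir: Path, requested: str) -> Optional[Path]:
    """Map a client-supplied name to a regular file strictly inside base_dir.

    resolve() collapses '..' and symlinks before the containment test, so a
    name that escapes the directory resolves outside it and is refused.
    """
    base = base_dir.resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def serve_download(base_dir: Path, session: dict,
                   requested: str) -> Tuple[int, dict, bytes]:
    """Application-side download gateway: returns (status, headers, body).

    The web server never exposes base_dir directly (the 'deny from all'
    .htaccess); every download passes through this function instead.
    """
    if not is_user_logged_in(session):
        return 403, {}, b""
    path = resolve_inside(base_dir, requested)
    if path is None:
        # Do not distinguish 'outside the directory' from 'missing'.
        return 404, {}, b""
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{path.name}"',
    }
    return 200, headers, path.read_bytes()


def demo() -> dict:
    """Exercise the gateway against a constructed directory layout."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "secure-content"
        base.mkdir()
        (base / "report.doc").write_bytes(b"constructed sample document")
        (Path(tmp) / "outside.txt").write_bytes(b"must never be served")
        logged_in = {"user_id": 7}
        return {
            "anonymous": serve_download(base, {}, "report.doc")[0],
            "logged_in": serve_download(base, logged_in, "report.doc")[0],
            "traversal": serve_download(base, logged_in, "../outside.txt")[0],
            "absolute": serve_download(base, logged_in, "/etc/hostname")[0],
            "missing": serve_download(base, logged_in, "nope.doc")[0],
        }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:10s} -> {status}")
```

The expected outcome is 403 for the anonymous request, 200 for the logged-in one, and 404 for the traversal, absolute-path and missing-file cases. Returning 404 rather than a distinct error for the out-of-directory cases keeps the response from confirming which paths exist outside the protected tree.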

    Plugin Author thomstark

    (@thomstark)

    Here’s the issue:

    The htaccess you are using doesn’t actually prevent direct access to the file, it just prevents downloads. Try it with a jpg and you will see. But a doc file is forced as a download by browsers.

    If you use a direct link to the file (i.e., not using file away) and click on it, it will download, but if you right-mouse click and save, it will not download. Same thing in File Away except File Away tells all links to be downloaded, not opened in the browser. Opening the file in the browser actually bypasses your .htaccess file. YOU DON’T WANT THAT.

    Use the solution I provided in the comment above for legitimate security.

    Thread Starter genjitech

    (@genjitech)

    Never mind, as I have found the problem. I use WPMU domain mapping and after updating Fileaway I can no longer choose my mapped domain as base URL. Even if I manually set it in the DB options it always resets back to the base network site domain.
    site1.genjitech.com is mapped as genjitech.com
    genjitech.com is not available as base URL, only site1.genjitech.com, which breaks the WP cookie.

    do i need to open a new thread for mapped domain not available to choose as base?

  • The topic ‘directory security’ is closed to new replies.