Friday, July 22, 2022

[FIXED] How to allow public or private downloads of static files with PHP 5.4 Web Server?

      , , , ,      No comments   

Issue

I'm using Silex/Symfony 2 framework. Users may upload either private (web/assets/uploads/*.*) and public documents (app/uploads/*.*), uploaded file is moved to the right folder with a sanitized name, and a new record is created in the upload table.

+-app/
| +-.htaccess                 <-- Deny from all
| +-uploads/                  <-- private upload folder
|   +-private_upload.pdf      <-- private document
+-web/
  +-index.php                 <-- front controller
  +-assets/
  | +-img/
  | +-css/
  | +-js/
  | +-uploads/                <-- public upload folder
        +-public_document.pdf <-- public document

Assets like images and css uploads should be served as usual, i.e. a direct link to the filename:

<img src="/web/assets/img/logo.png" />

Apache configuration idea (production environment)

Files in private or public upload folders should be served using a controller for getting the sanitized name and checking permissions.

Right now all requests (for files that don't exist) passes through the front controller index.php:

<IfModule mod_rewrite.c>
    Options -MultiViews

    RewriteEngine On
    RewriteBase /web
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [QSA,L]
</IfModule>

Requests for app/* are denied using .htaccess file. Is this correct and safe?

PHP 5.4 Web Server issue (development environment)

In my index.php I've the following code:

$filename = __DIR__.preg_replace('#(\?.*)$#', '', $_SERVER['REQUEST_URI']);

if (php_sapi_name() === 'cli-server' && is_file($filename)) {
    return false;
}

If a request is for a filename and (the file actually exists) index.php returns false, allowing the PHP 5.4 Web Server to serve the file statically.

The problem is that those lines won't allow me to catch routes like /files/private_document.pdf, managed with my FilesController class:

$controllers->get('/files/{file}', 'file_controller:serveAction')
    ->assert('file', '.*')
    ->bind('file_serve');

Solution

if(php_sapi_name() === 'cli-server') {
    if(is_file(__DIR__.preg_replace('#(\?.*)$#', '', $_SERVER['REQUEST_URI']))) {
        return false;
    }
}

The solution for PHP 5.4 web server, along with starting the server itself with:

php -S localhost: 80 -t /path/to/web /path/to/web/index.php

This way, if /css/style.css exists it will be served statically, but /files/dynamic.css will pass through the front controller.



Answered By - gremo
Answer Checked By - Marilyn (PHPFixing Volunteer)

0 Comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...