How to protect files in the var directory?


Wednesday 01 August 2007 11:54:27 pm - 3 replies

Modified on Wednesday 01 August 2007 11:54:48 pm by Tomasz Jakubowski


André R.

Thursday 02 August 2007 12:37:39 am

Remove the rewrite rules that let users download images directly from var.
It will be a lot slower, but it will check access rights on every image request.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Tomasz Jakubowski

Thursday 02 August 2007 2:47:05 pm

Thanks for your response but I still have a problem with that.

I removed the rewrite rules for the var directory. But now I can't see any images on my site. The behaviour is the same for the admin user and the anonymous user. When I put a direct image link (like: http://example.com/var/siteaccess/storage/images/folder/zdjecie/1579-1-pol-PL/zdjecie_large.jpg) into the browser, I get an eZ error page with the error message: The requested module var could not be found.

Are there any special configuration options?

My configuration of eZ Publish - virtual host.
My .htaccess file:

DirectoryIndex index.php

<FilesMatch "(index\.php|\.(gif|html|css|jpe?g|png|ico|js|asf|avi|wmv|swf|xsl|jar|pdf|doc))$">
order allow,deny
allow from all
Options FollowSymLinks Includes ExecCGI
</FilesMatch>

RewriteEngine on

RewriteBase /

# first we rewrite the root dir to the handling php script
RewriteRule ^$ index.php [L]
RewriteRule ^index\.html$ index.php [L]

# exclude here directories or files eg. your webmail, phpadsnew, pphlogger
#Rewriterule ^var/storage/.* - [L]
#Rewriterule ^var/[^/]+/storage/.* - [L]
#RewriteRule ^var/cache/texttoimage/.* - [L]
#RewriteRule ^var/[^/]+/cache/texttoimage/.* - [L]
Rewriterule ^design/[^/]+/(stylesheets|images|javascript)/.* - [L]
Rewriterule ^share/icons/.* - [L]
Rewriterule ^extension/[^/]+/design/[^/]+/(stylesheets|images|javascripts?)/.* - [L]
Rewriterule ^packages/styles/.+/(stylesheets|images|javascript)/[^/]+/.* - [L]

RewriteRule .* index.php [L]

André R.

Friday 03 August 2007 5:30:24 am

Sorry for giving you wrong advice, seems like only files (as in word, pdf etc) can be served like this through content/download.

Images are protected in the way that if you don't have access to it, you will get text saying "you don't have access to this image" instead of the image. So basically you only get the link if you have access, given that you use the ez templates for generating the url / image tag.

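Added example (not part of the original thread and not eZ Publish code): a simplified Python model of how the rewrite section of the .htaccess posted above routes a request. It shows that a "- [L]" rule makes Apache serve a var/ file directly without passing through index.php, and that commenting the rule out sends the same URL to index.php, which is where the "module var could not be found" page comes from. Assumptions: every rule carries [L], RewriteCond is ignored, the rule list is a constructed excerpt, and the function names are hypothetical.

```python
import re

# Constructed sample: an excerpt of the .htaccess rewrite section posted above,
# with the var/ pass-through rules active (uncommented).
HTACCESS_WITH_VAR_RULES = r"""
RewriteRule ^$ index.php [L]
RewriteRule ^index\.html$ index.php [L]
Rewriterule ^var/storage/.* - [L]
Rewriterule ^var/[^/]+/storage/.* - [L]
Rewriterule ^design/[^/]+/(stylesheets|images|javascript)/.* - [L]
RewriteRule .* index.php [L]
"""

def parse_rules(text):
    """Return (compiled pattern, substitution) for each active RewriteRule."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Directive names are case-insensitive; lines starting with '#' are
        # comments and never match the directive name.
        if len(parts) >= 3 and parts[0].lower() == "rewriterule":
            rules.append((re.compile(parts[1]), parts[2]))
    return rules

def route(rules, url_path):
    """Return 'static' if Apache serves the path itself, else the rewrite target."""
    path = url_path.lstrip("/")  # .htaccess patterns see no leading slash
    for pattern, target in rules:
        if pattern.search(path):
            # '-' means "no substitution": the file is served directly.
            return "static" if target == "-" else target
    return "static"  # no rule matched, Apache handles the path as-is

def comment_out_var_rules(text):
    """Disable the var/ pass-through rules, as tried in the thread."""
    return "\n".join("#" + l if "^var/" in l else l for l in text.splitlines())

if __name__ == "__main__":
    image = "/var/siteaccess/storage/images/folder/zdjecie/1579-1-pol-PL/zdjecie_large.jpg"
    before = parse_rules(HTACCESS_WITH_VAR_RULES)
    after = parse_rules(comment_out_var_rules(HTACCESS_WITH_VAR_RULES))
    print("var rules active:   ", route(before, image))
    print("var rules commented:", route(after, image))
```
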
