Redirect.

Post by Bjoerck » Sat Mar 12, 2005 2:45 am

Well, I have this upload script on my homepage that I want to secure.
Then, I want to do this:
If someone is trying to access a file directly in the /uploaded/ directory on my webhotel,
e.g. if they type http://www.mydomain.com/uploaded/hacker.php in their address line, they should be redirected to: http://www.madsass.dk/upload/force.php?file=hacker.php

Not really redirected, but just go to that address without the address line changing.

Hope you understand my question :)
Bjoerck
 

Post by Bjoerck » Sat Mar 12, 2005 2:47 am

It's because in my force.php, I have a PHP script that forces files to be downloaded so people with bad intentions can't open e.g. a PHP file on my webhotel.
Bjoerck
 

Post by Bjoerck » Sat Mar 12, 2005 2:53 am

Yeah. I've made the code by myself.
RewriteRule ^uploaded/(.*)$ /upload/force.php?file=$1 [R=301,L]
Bjoerck
 

Post by Bjoerck » Sat Mar 12, 2005 2:56 am

Noo. It won't recognize the files now.
I just want to redirect the file when it's used in the address line.
Not when my download-forcing script is trying to read the file.
Bjoerck
 

Post by Caterham » Sat Mar 12, 2005 5:48 am

You cannot check if someone called your file directly. The referer is empty if someone calls a page directly, but the referer would also be empty for several other reasons.

You have to check this with sessions.

> is trying to read the file.
mod_rewrite is not involved if you open the file i.e. in PHP with fopen() and fread().
Caterham
 

Post by Guest » Sat Mar 12, 2005 6:01 am

Code:
<?php
// Name of the file to download, taken from the query string
$filename = $_GET['file'];

if(ini_get('zlib.output_compression')) {
   ini_set('zlib.output_compression', 'Off');
}

$file_extension = strtolower(substr(strrchr($filename,"."),1));

if($filename == "") {
   echo "<html>\n";
   echo "<title>Download</title>\n";
   echo "<body>\n";
   echo "<b>FEJL:</b> Fil til download er ikke valgt.\n";
   echo "</body>\n";
   echo "</html>\n";
   exit;
}

elseif(!file_exists("http://www.madsass.dk/uploaded/".$filename)) {
   echo "<html>\n";
   echo "<title>Download</title>\n";
   echo "<body>\n";
   echo "<b>FEJL:</b> Filen blev ikke fundet.\n";
   echo "</body>\n";
   echo "</html>\n";
   exit;
}

switch($file_extension){
   case "pdf": $ctype="application/pdf"; break;
   case "exe": $ctype="application/octet-stream"; break;
   case "zip": $ctype="application/zip"; break;
   case "doc": $ctype="application/msword"; break;
   case "xls": $ctype="application/vnd.ms-excel"; break;
   case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
   case "gif": $ctype="image/gif"; break;
   case "png": $ctype="image/png"; break;
   case "jpeg":
   case "jpg": $ctype="image/jpeg"; break;
   default: $ctype="application/force-download";
}

header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: $ctype");
header("Content-Disposition: attachment; filename=\"".basename($filename)."\"");
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
readfile("http://www.madsass.dk/uploaded/".$filename);
exit();
?>

This is my code. It's probably affected by the .htaccess script :/
Guest
 

Post by Madsass » Sat Mar 12, 2005 6:06 am

Oh. It's working now. Missed a slash :)
Madsass
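
Caterham's point above, that mod_rewrite is not involved when PHP opens the file itself, as an added example that is not part of the thread: a force.php-style handler that reads the upload from local disk instead of over HTTP and confines the requested name to the upload directory. UPLOAD_DIR, CONTENT_TYPES and resolve_download() are assumed names and paths, not taken from the posts.

```php
<?php
// Added example, not the thread's script. UPLOAD_DIR is an assumed local path.
const UPLOAD_DIR = '/var/www/uploaded';

// Known extensions get a specific type; everything else (including .php)
// is sent as opaque bytes, so the browser downloads it and nothing executes.
const CONTENT_TYPES = [
    'pdf'  => 'application/pdf',
    'zip'  => 'application/zip',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

// Map a user-supplied name to a regular file inside $baseDir, or null.
function resolve_download(string $requested, string $baseDir): ?string
{
    // Keep only the last path component; treat "\" as a separator too.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        return null; // empty, dotfile such as .htaccess, or NUL byte
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() resolves symlinks, so re-check containment afterwards.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$req  = $_GET['file'] ?? '';
$path = resolve_download(is_string($req) ? $req : '', UPLOAD_DIR);
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

$ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
$type = CONTENT_TYPES[$ext] ?? 'application/octet-stream';
// Only safe characters go into the header value.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
readfile($path); // local read: no HTTP request, so no RewriteRule applies
```

Because the handler reads from disk, a rewrite rule covering /uploaded/ cannot loop back into the script, and filesize() works on the same path that readfile() sends.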
 

