How to deny access to images uploaded by other user?

独自空忆成欢 提交于 2020-01-05 04:36:07

问题


In a web application to transform images I want to deny direct access to other user's images and I've achieve it adding this code at my main .htaccess file:

RewriteCond %{HTTP_COOKIE} !PHPSESSID=(.+) [OR,NC]
RewriteCond %{HTTP_COOKIE}:%{REQUEST_URI} ^PHPSESSID=(.*?);:(?!.*?/usuarios/\1).* [NC]
RewriteRule ^.*?/usuarios/.+?\.(gif|jpe?g|png|wbmp)$ - [R=403,L]

So, as users have their own folder to upload and transform images, this rule will check if you are looking for an image which directory matches with your id_session, and will throw a 403 response if it doesn't match.

It seems to work fine, but if any user attach an image and change the scr with other user's image (assuming he knows the path), it is showing that image.

How could I prevent it?

You can check at http://itransformer.es


回答1:


As says @David Houde, such logic should be implemented in the application, for instance in the following way:

  1. The images uploaded by your users will be stored outside of the web site root directory, so they cannot be accessed directly using a URL,

  2. You need to setup your website to handle virtual URLs (the most simple here being a rewrite rule internally passing the request URL as parameter to some PHP (or whatever) script),

  3. Then, in your script you will have full latitude to check whether the request match your policy,

  4. And if the request is legitimate, your script will be able to open the requested image file and send its content as web server answer.



来源:https://stackoverflow.com/questions/19985278/how-to-deny-access-to-images-uploaded-by-other-user

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!