.htaccess help needed

<j5qqm0FivjbU1@mid.individual.net>

 by: TimS - Mon, 31 Jan 2022 19:13 UTC

At least I assume that's what I need.

I have a website from which visitors can select a file and then request that
it be downloaded to them. This is driven by some html/PHP scripts. Each such
file is in its own folder on the website. Thus, they visit www.example.com,
follow the links to select a file, and it's downloaded.

But Safari at least will accept the following and download any of these files
directly, thus:

www.example.com/somefolder/somefile.zip

This presupposes that someone could guess what somefolder might be, but I'd
rather be able to exclude that possibility altogether by putting a .htaccess
file in each of the folders in question. Thing is, I want to allow one folder
to have such direct access, thus:

www.example.com/oneparticularfolder/somefile.zip

That way, if I'm debugging an issue with a user, I can make it easier for them
to download a debugging version in oneparticularfolder and telling them to use
that complete URL, and then empty that folder later once that debugging is
over.

Thanks for any suggestions.

--
Tim

Re: .htaccess help needed

<st9gea$smf$1@dont-email.me>

 by: Chris - Mon, 31 Jan 2022 20:22 UTC

TimS <timstreater@greenbee.net> wrote:
> At least I assume that's what I need.
>
> I have a website from which visitors can select a file and then request that
> it be downloaded to them. This is driven by some html/PHP scripts. Each such
> file is in its own folder on the website. Thus, they visit www.example.com,
> follow the links to select a file, and it's downloaded.
>
> But Safari at least will accept the following and download any of these files
> directly, thus:
>
> www.example.com/somefolder/somefile.zip
>
> This presupposes that someone could guess what somefolder might be, but I'd
> rather be able to exclude that possibility altogether by putting a .htaccess
> file in each of the folders in question. Thing is, I want to allow one folder
> to have such direct access, thus:
>
> www.example.com/oneparticularfolder/somefile.zip
>
> That way, if I'm debugging an issue with a user, I can make it easier for them
> to download a debugging version in oneparticularfolder and telling them to use
> that complete URL, and then empty that folder later once that debugging is
> over.
>
> Thanks for any suggestions.

I would put a completely blocking .htaccess in the top-level directory and
then another one in your 'oneparticularfolder' overruling the restrictions.

However, I wouldn't depend too much on htaccess for anything important. I'm
told it's not very secure.

Re: .htaccess help needed

<j5r02jFk064U1@mid.individual.net>

 by: TimS - Mon, 31 Jan 2022 20:45 UTC

On 31 Jan 2022 at 20:22:34 GMT, Chris <ithinkiam@gmail.com> wrote:

> TimS <timstreater@greenbee.net> wrote:
>> At least I assume that's what I need.
>>
>> I have a website from which visitors can select a file and then request that
>> it be downloaded to them. This is driven by some html/PHP scripts. Each such
>> file is in its own folder on the website. Thus, they visit www.example.com,
>> follow the links to select a file, and it's downloaded.
>>
>> But Safari at least will accept the following and download any of these files
>> directly, thus:
>>
>> www.example.com/somefolder/somefile.zip
>>
>> This presupposes that someone could guess what somefolder might be, but I'd
>> rather be able to exclude that possibility altogether by putting a .htaccess
>> file in each of the folders in question. Thing is, I want to allow one folder
>> to have such direct access, thus:
>>
>> www.example.com/oneparticularfolder/somefile.zip
>>
>> That way, if I'm debugging an issue with a user, I can make it easier for them
>> to download a debugging version in oneparticularfolder and telling them to use
>> that complete URL, and then empty that folder later once that debugging is
>> over.
>>
>> Thanks for any suggestions.
>
> I would put a completely blocking .htaccess in the top-level directory and
> then another one in your 'oneparticularfolder' overruling the restrictions.
>
> However, I wouldn't depend too much on htaccess for anything important. I'm
> told it's not very secure.

Thanks. Any idea which commands to use? Example websites seem not to be too
helpful - they don't explain anything.

--
Tim

Re: .htaccess help needed

<st9i3g$m10$1@macpro.inf.ed.ac.uk>

 by: Richard Tobin - Mon, 31 Jan 2022 20:50 UTC

In article <j5qqm0FivjbU1@mid.individual.net>,
TimS <timstreater@greenbee.net> wrote:
>This presupposes that someone could guess what somefolder might be, but I'd
>rather be able to exclude that possibility altogether by putting a .htaccess
>file in each of the folders in question.

There's no secure way to prevent someone downloading a file they know
(or can guess) the URL of, if they can download it from that URL by
following a link.

If you're not concerned about it being secure, it's possible to test
the "referer" - i.e. the page that the link was on - in a .htaccess
file if the server is configured to allow that.

-- Richard

Re: .htaccess help needed

<j5r15hFk64lU1@mid.individual.net>

 by: TimS - Mon, 31 Jan 2022 21:03 UTC

On 31 Jan 2022 at 20:50:56 GMT, Richard Tobin <Richard Tobin> wrote:

> In article <j5qqm0FivjbU1@mid.individual.net>,
> TimS <timstreater@greenbee.net> wrote:
>> This presupposes that someone could guess what somefolder might be, but I'd
>> rather be able to exclude that possibility altogether by putting a .htaccess
>> file in each of the folders in question.
>
> There's no secure way to prevent someone downloading a file they know
> (or can guess) the URL of, if they can download it from that URL by
> following a link.

I was probably not being quite accurate. The actual downloading is done thus:

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize ($file));

ob_clean ();
flush ();
readfile ($file);

--
Tim

Re: .htaccess help needed

<1pmo4ty.18rvtckx43zwcN%liz@poppyrecords.invalid.invalid>

 by: Liz Tuddenham - Mon, 31 Jan 2022 22:53 UTC

TimS <timstreater@greenbee.net> wrote:

> At least I assume that's what I need.
>
> I have a website from which visitors can select a file and then request that
> it be downloaded to them. This is driven by some html/PHP scripts. Each such
> file is in its own folder on the website. Thus, they visit www.example.com,
> follow the links to select a file, and it's downloaded.
>
> But Safari at least will accept the following and download any of these files
> directly, thus:
>
> www.example.com/somefolder/somefile.zip
>
> This presupposes that someone could guess what somefolder might be, but I'd
> rather be able to exclude that possibility altogether by putting a .htaccess
> file in each of the folders in question. Thing is, I want to allow one folder
> to have such direct access, thus:
>
> www.example.com/oneparticularfolder/somefile.zip
>
> That way, if I'm debugging an issue with a user, I can make it easier for them
> to download a debugging version in oneparticularfolder and telling them to use
> that complete URL, and then empty that folder later once that debugging is
> over.
>
> Thanks for any suggestions.

Store the file crudely encoded by some simple algorithm and use php to
decode it on download?

--
~ Liz Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk

Re: .htaccess help needed

<stb1lm$749$1@dont-email.me>

 by: Chris - Tue, 1 Feb 2022 10:22 UTC

On 31/01/2022 20:45, TimS wrote:
> On 31 Jan 2022 at 20:22:34 GMT, Chris <ithinkiam@gmail.com> wrote:
>
>> TimS <timstreater@greenbee.net> wrote:
>>> At least I assume that's what I need.
>>>
>>> I have a website from which visitors can select a file and then request that
>>> it be downloaded to them. This is driven by some html/PHP scripts. Each such
>>> file is in its own folder on the website. Thus, they visit www.example.com,
>>> follow the links to select a file, and it's downloaded.
>>>
>>> But Safari at least will accept the following and download any of these files
>>> directly, thus:
>>>
>>> www.example.com/somefolder/somefile.zip
>>>
>>> This presupposes that someone could guess what somefolder might be, but I'd
>>> rather be able to exclude that possibility altogether by putting a .htaccess
>>> file in each of the folders in question. Thing is, I want to allow one folder
>>> to have such direct access, thus:
>>>
>>> www.example.com/oneparticularfolder/somefile.zip
>>>
>>> That way, if I'm debugging an issue with a user, I can make it easier for them
>>> to download a debugging version in oneparticularfolder and telling them to use
>>> that complete URL, and then empty that folder later once that debugging is
>>> over.
>>>
>>> Thanks for any suggestions.
>>
>> I would put a completely blocking .htaccess in the top-level directory and
>> then another one in your 'oneparticularfolder' overruling the restrictions.
>>
>> However, I wouldn't depend too much on htaccess for anything important. I'm
>> told it's not very secure.
>
> Thanks. Any idea which commands to use? Example websites seem not to be too
> helpful - they don't explain anything.

Here's an example of a very basic one I created years ago to get you
started (edited):

# Don't allow a folder listing in the browser - if the user
# doesn't provide a full path to a file they will get a 404 IIRC
Options -Indexes
AuthName "My Secure Area"
# location of passwords file and group definitions
AuthUserFile /path/to/password/file/.htpasswd
AuthGroupFile /path/to/groups/file/.htgroups
AuthType Basic
# limit access to only those users from the password file
# that also appear in the groups file under "allowedGroup"
Require group allowedGroup

Dummy .htpasswd file:
admin:<hashed pw>
Alice:<hashed pw>
Bob:<hashed pw>

Dummy .htgroups file:
allowedGroup: Alice Bob

There's more info in 'man htpasswd'.

All the above assumes that htaccess has been enabled server-side. Which
is often where the confusion arises as all commands can be defined or
limited server-side and/or client side. The rules are exactly the same
in either case.

It's fiddly and easy to lock everyone out by mistake so lots of trial
and error required.

This site seems pretty approachable:
http://www.htaccess-guide.com/
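
An added example, not posted by anyone in the thread: the two .htaccess files for the layout TimS describes, with a deny file in each protected download folder and an explicit grant in oneparticularfolder. It assumes an Apache host whose AllowOverride setting permits these directives; the folder names are the ones used in the thread.

```apache
# ---- File 1: somefolder/.htaccess ----
# Put one copy in each download folder that must NOT be reachable by URL.
# A request for www.example.com/somefolder/somefile.zip then gets 403 Forbidden.
#
# The PHP download script is unaffected, assuming $file is a local
# filesystem path (the filesize($file) call in the thread suggests it is):
# readfile() reads from disk and never passes through these rules.
#
# Placing this file in the site's top-level directory instead would also
# block the html/PHP pages themselves, so that variant only fits if the
# download folders share a parent directory that holds no pages.

<IfModule mod_authz_core.c>
    # Apache 2.4 syntax (needs AllowOverride AuthConfig)
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax (needs AllowOverride Limit)
    Order deny,allow
    Deny from all
</IfModule>


# ---- File 2: oneparticularfolder/.htaccess ----
# Direct URLs work here, e.g. www.example.com/oneparticularfolder/somefile.zip
# The explicit grant keeps the folder reachable even if a parent directory
# is later given a deny rule.

# No directory listing: the user must be given the complete URL
# (needs AllowOverride Options).
Options -Indexes

<IfModule mod_authz_core.c>
    Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
</IfModule>
```

If every request to a folder returns a 500 error after uploading one of these files, the host's AllowOverride setting does not permit the directive in .htaccess.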

Re: .htaccess help needed

<j5vnhkFvh5U1@mid.individual.net>

 by: jeremy - Wed, 2 Feb 2022 15:50 UTC

On 31 Jan 2022 at 20:22:34 GMT, "Chris" <ithinkiam@gmail.com> wrote:

>
> However, I wouldn't depend too much on htaccess for anything important. I'm
> told it's not very secure.

Can you elaborate on this point Chris?

--
jeremy

Re: .htaccess help needed

<stebab$4k8$1@dont-email.me>

 by: Roger Wilmut - Wed, 2 Feb 2022 16:25 UTC

If you want to force a particular file to download rather than display
in a browser the simplest solution is to zip it. A browser will
download any file it doesn't understand, and that includes .zip files.

However a more elegant way is to place all the files you want them to
download in one folder, and use .htaccess to force them to download.
Note that this will only work if your hosting service allows it - some
may not.

You have to place your files for download in a particular folder, and
add an 'htaccess' file to it to force downloads of any file in that
folder. This will only work if your web hosting company allows it -
some may not.

Using a plain text editor such as TextEdit - in plain text mode, not
Rich Text which is often the default - create a file called
htaccess.txt and copy this into it:

<Files *.*>
ForceType applicaton/octet-stream
</Files>

(I know 'applicaton' looks wrong, but it works: so should 'application'
but when I tried that it worked in FireFox but not in Safari... go
figure...)

Using an FTP client, upload this file to the folder. Once it's there,
use the client to change its name: firstly remove the .txt from the
end, then add a period on the beginning, so that it looks like this:

.htaccess

You will get a warning that this will make the file invisible - agree
to this. The file will disappear when you refresh the FTP client;
however it will still be there and you will find that links to files in
that folder cause a download.

Of course if you want to be able to display this file as well you will
have to use a duplicate in another folder; though oddly enough .mp3
files in an embedded player will work.

Re: .htaccess help needed

<stednh$5cv$1@dont-email.me>

 by: Chris - Wed, 2 Feb 2022 17:06 UTC

On 02/02/2022 15:50, jeremy wrote:
> On 31 Jan 2022 at 20:22:34 GMT, "Chris" <ithinkiam@gmail.com> wrote:
>
>>
>> However, I wouldn't depend too much on htaccess for anything important. I'm
>> told it's not very secure.
>
> Can you elaborate on this point Chris?

Based on what I've been told I think it's because it doesn't require
HTTPS so any non-HTTP connections could be sniffed for passwords etc or
hijacked to capture downloaded files.

Nowadays anything even slightly private or secure needs to be on an
HTTPS connection with proper credentials checking.

There may be other reasons.

Re: .htaccess help needed

<stg5b7$qcs$1@amos-jones.eternal-september.org>

 by: Ray - Thu, 3 Feb 2022 08:56 UTC

On 2 Feb 2022 at 15:50:12 GMT, "jeremy" <jeremy0505@gmail.com> wrote:
>
A secure way to store items/files and provide secure downloads. Use Amazon S3
buckets.
I've done this for clients several times in the past. The Amazon service
has/had a free tier, not sure if it still is but my old clients' services are
still available and I have never paid a cent.
Caveat here is the clients' websites were Wordpress and I used the free WP
eStore plugin for access to digital downloads.
The website displays a simple signup form requiring a name and email address.
The addressee receives an email containing an encrypted link to the required
file valid for 24 hours and it's a one time use.
Maybe too complex for your requirement but it's a secure method, and if it's
still free, a bargain.

--
Every time someone sings "It was 20 years ago today, Sergeant Pepper taught the band to play" the time line shifts to preserve the truth of the statement.

Re: .htaccess help needed

<j62kihFi25pU1@mid.individual.net>

 by: jeremy - Thu, 3 Feb 2022 18:17 UTC

On 2 Feb 2022 at 17:06:56 GMT, "Chris" <ithinkiam@gmail.com> wrote:

> On 02/02/2022 15:50, jeremy wrote:
>> On 31 Jan 2022 at 20:22:34 GMT, "Chris" <ithinkiam@gmail.com> wrote:
>>
>>>
>>> However, I wouldn't depend too much on htaccess for anything important. I'm
>>> told it's not very secure.
>>
>> Can you elaborate on this point Chris?
>
> Based on what I've been told I think it's because it doesn't require
> HTTPS so any non-HTTP connections could be sniffed for passwords etc or
> hijacked to capture downloaded files.
>
That's true though Chris generally if you're not running under https - am
genuinely interested to understand if .htaccess files have some inherent
security flaw.

--
jeremy

Re: .htaccess help needed

<stip47$jl4$1@amos-jones.eternal-september.org>

 by: Ray - Fri, 4 Feb 2022 08:45 UTC

On 3 Feb 2022 at 18:17:53 GMT, "jeremy" <jeremy0505@gmail.com> wrote:

> On 2 Feb 2022 at 17:06:56 GMT, "Chris" <ithinkiam@gmail.com> wrote:
>
>> On 02/02/2022 15:50, jeremy wrote:
>>> On 31 Jan 2022 at 20:22:34 GMT, "Chris" <ithinkiam@gmail.com> wrote:
>>>
>>>>
>>>> However, I wouldn't depend too much on htaccess for anything important. I'm
>>>> told it's not very secure.
>>>
>>> Can you elaborate on this point Chris?
>>
>> Based on what I've been told I think it's because it doesn't require
>> HTTPS so any non-HTTP connections could be sniffed for passwords etc or
>> hijacked to capture downloaded files.
>>
> That's true though Chris generally if you're not running under https - am
> genuinely interested to understand if .htaccess files have some inherent
> security flaw.

htaccess can be used by hackers if they get access to it, and generally it's
not difficult to find.
If you're using https, and these days it's almost universal, then you should
be ok.
Just make sure any password files are not publicly accessible.

--
All truly great thoughts are conceived while walking

Re: .htaccess help needed

<stithi$nu5$1@dont-email.me>

 by: Chris - Fri, 4 Feb 2022 10:01 UTC

On 03/02/2022 18:17, jeremy wrote:
> On 2 Feb 2022 at 17:06:56 GMT, "Chris" <ithinkiam@gmail.com> wrote:
>
>> On 02/02/2022 15:50, jeremy wrote:
>>> On 31 Jan 2022 at 20:22:34 GMT, "Chris" <ithinkiam@gmail.com> wrote:
>>>
>>>>
>>>> However, I wouldn't depend too much on htaccess for anything important. I'm
>>>> told it's not very secure.
>>>
>>> Can you elaborate on this point Chris?
>>
>> Based on what I've been told I think it's because it doesn't require
>> HTTPS so any non-HTTP connections could be sniffed for passwords etc or
>> hijacked to capture downloaded files.
>>
> That's true though Chris generally if you're not running under https - am
> genuinely interested to understand if .htaccess files have some inherent
> security flaw.

As Jeremy says from reading around a bit, it seems the issue is that
they can make a hack much more dangerous as .htaccess can be subverted
to do quite a lot of damage.

With https I don't think there's anything inherently insecure with htaccess.
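
An added example, not from any poster: the Basic-auth .htaccess posted earlier in the thread with the two hardening points raised in the discussion applied, namely HTTPS only and password files that cannot be fetched. It assumes Apache 2.4 with mod_ssl and mod_authz_groupfile loaded; the paths are the placeholders from the thread and should point outside the web root.

```apache
# Refuse any request that did not arrive over TLS. Plain-HTTP requests get
# 403 Forbidden, so the server never issues the Basic-auth challenge (and
# the browser never answers it) on an unencrypted connection.
SSLRequireSSL

# No directory listing.
Options -Indexes

AuthType Basic
AuthName "My Secure Area"

# Keep both files OUTSIDE the document root so no URL maps to them.
# (Placeholder paths, as in the thread.)
AuthUserFile /path/to/password/file/.htpasswd
AuthGroupFile /path/to/groups/file/.htgroups

# Only users listed in .htpasswd who are also members of allowedGroup.
Require group allowedGroup

# Belt and braces: if a .htaccess, .htpasswd or .htgroups file does end up
# under the web root, never serve it. Stock Apache configurations ship an
# equivalent rule, but a shared host's configuration may differ.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```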
