如何拒绝访问其他用户上传的图片? [英] How to deny access to images uploaded by other user?
问题描述
在Web应用程序转换的图像我想拒绝其他用户的图像直接访问,我已经实现它在添加此code我主要的的.htaccess 文件:
In a web application to transform images I want to deny direct access to other user's images and I've achieve it adding this code at my main .htaccess file:
RewriteCond %{HTTP_COOKIE} !PHPSESSID=(.+) [OR,NC]
RewriteCond %{HTTP_COOKIE}:%{REQUEST_URI} ^PHPSESSID=(.*?);:(?!.*?/usuarios/\1).* [NC]
RewriteRule ^.*?/usuarios/.+?\.(gif|jpe?g|png|wbmp)$ - [R=403,L]
因此,当用户有自己的文件夹上传和转换图像,此规则将,如果你正在寻找该目录与 id_session ,以及相匹配的图像检查将抛出,如果它不匹配403响应
So, as users have their own folder to upload and transform images, this rule will check if you are looking for an image which directory matches with your id_session, and will throw a 403 response if it doesn't match.
这似乎做工精细,但如果任何用户连接的图像,并与其他用户的图像修改 SCR (假设他知道路径),则显示出图像
It seems to work fine, but if any user attach an image and change the scr with other user's image (assuming he knows the path), it is showing that image.
我怎么能prevent呢?
您可以检查在 http://itransformer.es
推荐答案
正如@大卫厚德说,这样的逻辑应在应用程序中实现,例如通过以下方式:
As says @David Houde, such logic should be implemented in the application, for instance in the following way:
-
被用户上传的图像将被存储在网络之外
站点根目录,因此他们不能直接使用URL访问,
The images uploaded by your users will be stored outside of the web site root directory, so they cannot be accessed directly using a URL,
您需要设置您的网站以处理虚拟URL(最简单的
这里是一个重写规则内部传递请求的URL为
参数一些PHP(或其他)脚本),
You need to setup your website to handle virtual URLs (the most simple here being a rewrite rule internally passing the request URL as parameter to some PHP (or whatever) script),
然后,在你的脚本,你将有充分的余地,以检查是否
该请求符合您政策,
Then, in your script you will have full latitude to check whether the request match your policy,
如果请求是合法的,你的脚本就能够打开
所请求的图像文件,并发送其作为Web服务器的回答内容。
And if the request is legitimate, your script will be able to open the requested image file and send its content as web server answer.
这篇关于如何拒绝访问其他用户上传的图片?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
