限制已授权的 php 用户访问文件 [英] Restrict file access to authorized php users

问题描述

我继承了一个具有明显安全漏洞的应用程序.

I've inherited an application with a glaring security hole.

它具有基于会话的安全性，但文件上传(特定于用户)没有任何安全措施，它们存储在公共文件树中.

It has session-based security, but file uploads (which are user specific) are not secured in any way and they are stored in the public file tree.

文件名不遵循任何约定，因此很难猜测，但数据是敏感的，因此我需要实施安全措施以防止未经授权的文件访问.

Filenames do not follow any convention as such, making them hard to guess, but the data is sensitive and thus I need to implement a security measure to prevent unauthorized file access.

移动文件的位置并不是一个真正的选项，所以我正在寻找一个 htaccess 解决方案来将请求转发到 php 处理程序脚本.

Moving the location of the files is not really an option, so I'm looking at a htaccess solution to forward requests to a php handler script.

有没有人有实施此类事情的经验或任何好的替代解决方案?.htaccess 语法的具体示例非常感谢，因为我在这方面苦苦挣扎.

Does anyone have experience in implementing this type of thing or any good alternative solutions? Specific examples of .htaccess syntax greatly appreciated, as I'm struggling in this area.

推荐答案

真的不明白为什么移动它们不是一种选择，因为将它们的请求推送到处理程序意味着它们的存储位置不再重要.但你就是现场的那个人.

Don't really understand why moving them isn't an option, since pushing requests for them to a handler means it no longer matters where they're stored. But you're the man on the scene.

.htaccess 看起来像:

.htaccess looks like:

RewriteEngine on
RewriteRule path/to/where/these/files/live/(.*) /handlerscript.php/$1

然后从 $_SERVER['PATH_INFO'] 中选取剩余的文件路径和名称.

Then you pick up the remaining file path and name from $_SERVER['PATH_INFO'].

这篇关于限制已授权的 php 用户访问文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！