PHP: Hiding a link to binary file for download

Asheville Joe josephj at main.nc.us
Wed Aug 20 23:45:06 EDT 2003


Just got this on another list.  Like Bob was saying ...

Joe

-------- Original Message --------
Subject: 	[WNCLUG] htaccess trick
Date: 	Tue, 19 Aug 2003 22:38:28 -0700 (PDT)
From: 	Atom 'Smasher' <atom at suspicious.org>
Reply-To: 	wnclug at wnclug.org
To: 	WNC_LUG <wnclug at wnclug.org>



i just figured out a cool trick using a .htaccess file....

i'm not going to get into the reasons why i often avoid sending email
attachments, but suffice it to say i have several reasons. so, what i've
used is a directory in one of my domains to serve as a collection of files
available for people who know to look for them.

example: if i want to let people peek at this file, i give them a URL,
like
http://smasher.suspicious.org/tmp/energy_crisis_small.png
and no password is required.

of course, some things in this directory are only meant to be seen by some
people or groups, not everyone; so i don't want the directory contents to
be browsable.

up until a few minutes ago, i had to decide between inconvenience and
insecurity to get a quick listing of everything within the directory.

what i'd been wanting to do is allow any file within the directory to be
accessible without a password, but require a password to browse the
directory contents.

the .htaccess file works on all files under it in the tree. so, normally,
if i require a password to view the directory contents, then a password
would also be needed to view any file (or subdirectory) within that
directory. this means that if i gave out a password to download a file,
then the authenticated user can also view all directory contents; not what
i want to do.

this probably makes little sense, so far, but what i've done is written a
.htaccess file that will allow files to be downloaded without a password,
but a password is required to view directory contents.

in other words, you can open
http://smasher.suspicious.org/tmp/energy_crisis_small.png
but not
http://smasher.suspicious.org/tmp/
since i know the password, i can see all directory contents.

unless one knows (or can guess) the name of a file, this works fine. it's
security by obscurity, but for some cases it's good enough. anything that
can get me into too much trouble just has to not be available there.

here's the .htaccess file:

##############################
<FilesMatch "^index\.">
	AuthType	Basic
	AuthName	"Atom's tmp directory"
	AuthUserFile	/usr/home/atom/smasher.suspicious.org/tmp/.htpasswd
	Require 	valid-user
</FilesMatch>
Options	+Indexes

## this will only display directory contents
## after a successful login
##############################


	...atom

----------------Void-If-Detached----------------
http://smasher.suspicious.org/fs1r  Yamaha FS1R

	"How often, or on what system, the Thought Police plugged in
	 any individual wire was guesswork. It was even conceivable
	 that they watched everybody all the time. But at any rate,
	 they could plug in your wire whenever they wanted to."
		-- George Orwell, "1984"
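The same setup as an added example (not Atom's file), with comments on why the trick works and a hardening block for the password file that the original lacks. Apache 2.4 syntax; the AuthUserFile path and AuthName are assumptions, and the directory's AllowOverride is assumed to permit AuthConfig and Options.

```apache
# tmp/.htaccess
# Direct file URLs stay open; only the bare-directory request needs a login.
# mod_dir handles a request for /tmp/ by sub-requesting each DirectoryIndex
# candidate (index.html, index.php, ...) before mod_autoindex ever builds a
# listing. Those candidate names match ^index\., so the auth check fires on
# the subrequest and mod_dir returns the resulting 401 to the client.
<FilesMatch "^index\.">
    AuthType      Basic
    AuthName      "tmp directory listing"
    # Assumed path: kept outside the served tree so it can never be fetched.
    AuthUserFile  /usr/home/atom/private/tmp.htpasswd
    Require       valid-user
</FilesMatch>
Options +Indexes

# Hardening not in the original, which stores .htpasswd inside the served
# directory. Stock httpd.conf refuses .ht* files, but if that block is
# missing or overridden in the vhost, the password hashes are one GET away.
# Refuse them here as well (2.2 would use Order allow,deny / Deny from all).
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

A quick check after deploying: an unauthenticated request for a known file URL should return 200, the bare directory 401, and the directory with valid credentials 200.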






