Download link and hash to prevent unauthorized downloading
OK, Concrete5's download_file URL is a fine addition, but I noticed that a user is able to download all files in the "File Manager" just by changing the "file id" in the URL.
Example:
If we had a download link for, let's say, "User manual.pdf", the automated download link would be something like this:
concrete5.4.2.2/index.php/download_file/view/23/106/
I noticed that it is actually very easy to check what else has been uploaded to the file manager just by changing the file's id in the URL, like this:
concrete5.4.2.2/index.php/download_file/view/1/106/
concrete5.4.2.2/index.php/download_file/view/2/106/
concrete5.4.2.2/index.php/download_file/view/3/106/
...
So, I think there should be some kind of "protection hash" to harden against unauthorized file downloading etc.
concrete5.4.2.2/index.php/download_file/view/23/106/0b3f3842a5b2c79a07c20695462aeb87
I second this. I think I'm going to have to create passwords for every file (or remove read permissions from normal users), and then use the file system URL.
I had to ditch the "cID" parameter in download_file.php when it was used only in "trackDownload". I put in my "security hash" function to prevent downloading (and changed the hex base to base62 to clean up).
It was actually quite an easy procedure. I might clean up the code when I have time to give it away for free use; right now I'm battling a deadline on a "mediabank" site, where unauthorized downloads are not tolerated.
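One way to build the "protection hash" discussed in this thread, as an added example that is not the poster's code or concrete5's own: an HMAC keyed with a server-side secret over the two IDs in the URL, re-encoded from hex to base62. The key, the function names, PHP 7+ and the reading of the second URL segment as the cID are assumptions; a plain unkeyed hash of the file id would be as guessable as the id itself.

```php
<?php
// Added example: keyed tokens for /download_file/view/{fID}/{cID}/{token}.
// SECRET_KEY is a constructed placeholder; use a random per-site secret kept out of the web root.
const SECRET_KEY = 'constructed-example-key-change-me';
const BASE62 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Convert a hex string to base62 by long division on its digits (no extensions needed).
function hexToBase62(string $hex): string
{
    $digits = array_map('hexdec', str_split($hex)); // base-16 digits, most significant first
    $out = '';
    while (count($digits) > 0) {
        $remainder = 0;
        $quotient = [];
        foreach ($digits as $d) {
            $acc = $remainder * 16 + $d;
            $q = intdiv($acc, 62);
            $remainder = $acc % 62;
            if ($q > 0 || count($quotient) > 0) {
                $quotient[] = $q; // skip leading zeros of the quotient
            }
        }
        $out = substr(BASE62, $remainder, 1) . $out;
        $digits = $quotient;
    }
    return $out;
}

// Bind the token to both IDs so it cannot be reused for another file or page.
function downloadToken(int $fID, int $cID): string
{
    $mac = hash_hmac('sha256', $fID . '/' . $cID, SECRET_KEY);
    return hexToBase62(substr($mac, 0, 32)); // keep 128 bits of the MAC
}

// hash_equals compares in constant time, so the check leaks no prefix-match timing.
function isValidDownload(int $fID, int $cID, string $token): bool
{
    return hash_equals(downloadToken($fID, $cID), $token);
}

// Constructed demo using the IDs from the thread's example URL.
$token = downloadToken(23, 106);
echo "/index.php/download_file/view/23/106/$token\n";
var_dump(isValidDownload(23, 106, $token)); // token issued for file 23
var_dump(isValidDownload(1, 106, $token));  // same token with the file id changed
```

The token only makes links unguessable; anyone who is given a valid link can still pass it on, so file permissions remain the actual access control.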