I have a membership website with a specific page per user with their own data. They can upload images to their own folder in WordPress uploads. There's a major security hole in this setup since anyone can fiddle with the URL searching for other users' images. I also don't have access to Apache .conf files. Currently the only form of security I have is generating long alphanumeric characters for the filename.
How can I keep uploaded member files only available to the user that uploaded them in the first place? My failed attempts at securing this are:
1. Adding .htaccess to the uploads directory with:
    IndexIgnore *
    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost\.com/ [NC]
    RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx) [NC]
    RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx)$ http://disney.com/ [NC]
This is not secure enough since the user can still search for files inserting the url into
2. Moving WordPress uploads outside the webroot
    // Override the upload locations WordPress reports.
    add_filter('upload_dir', 'my_upload_dir');
    $wp_upload = wp_upload_dir();
    function my_upload_dir($wp_upload) {
        // Filesystem directory outside the webroot where files are stored.
        $wp_upload['basedir'] = '/usr/home/myhiddendir/';
        // URL prefix used when building links to the stored files.
        $wp_upload['baseurl'] = '../myhiddendir/';
        $wp_upload['subdir'] = '';
        $wp_upload['path'] = $wp_upload['basedir'] . $wp_upload['subdir'];
        $wp_upload['url'] = $wp_upload['baseurl'] . $wp_upload['subdir'];
        return $wp_upload;
    }
Files are uploaded correctly via $wp_upload['basedir'] but won't allow me to show the images with $wp_upload['baseurl']. I either get:
net::ERR_NAME_NOT_RESOLVED
Warning: is_dir(): open_basedir restriction in effect. File(/) is not within the allowed path(s):
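A directory outside the webroot has no URL of its own, so files kept there have to be streamed by PHP after an ownership check. The sketch below is an added example, not code from the original post. It assumes one subfolder per WordPress user ID under /usr/home/myhiddendir, a hypothetical `member_file` query parameter and handler name, and that the directory is inside PHP's open_basedir allowed paths.

```php
<?php
// Added example. Assumed layout: /usr/home/myhiddendir/<user id>/<file>
define('MEMBER_FILES_DIR', '/usr/home/myhiddendir'); // path taken from the question

add_action('init', 'serve_member_file'); // hypothetical handler name

function serve_member_file() {
    if (!isset($_GET['member_file'])) {
        return; // not a file request; let WordPress continue normally
    }
    if (!is_user_logged_in()) {
        status_header(403);
        exit;
    }
    // Only the logged-in user's own folder is ever consulted, so a guessed
    // file name cannot reach another member's files.
    $user_dir = realpath(MEMBER_FILES_DIR . '/' . get_current_user_id());
    // basename() drops directory parts such as "../" from the request.
    $name = basename(wp_unslash($_GET['member_file']));
    $path = $user_dir ? realpath($user_dir . '/' . $name) : false;

    // realpath() resolves symlinks; the result must still sit inside $user_dir.
    if (!$path
        || strpos($path, $user_dir . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        status_header(404);
        exit;
    }
    // Content type from the extension, limited to WordPress's allowed types.
    $type = wp_check_filetype($path);
    if (!$type['type']) {
        status_header(404);
        exit;
    }
    nocache_headers(); // keep private files out of shared caches
    header('Content-Type: ' . $type['type']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```

With this in place an image is referenced through the handler, for example `/?member_file=<name>`, rather than through `$wp_upload['baseurl']`.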