Block file download via PHP script

2

Hello, I'm having trouble downloading some files. I suspect someone on the team is 'inputting' a PHP script that downloads files from the server (such as DB configurations in production).

I wonder if it is possible to block the download via script. I've already blocked direct access through the URL (link), and the permissions are read-only for the Apache user. However, when I run the code below, I can download the file and view its contents.

Here is an example code I wish to inhibit:

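$arquivo = "path/file.php";
$tipo = "application/octet-stream"; // MIME type sent to the client
header("Content-Type: " . $tipo);
header("Content-Length: " . filesize($arquivo));
header("Content-Disposition: attachment; filename=" . basename($arquivo));
readfile($arquivo); // sends the file contents as the response body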

I've done a lot of research and only found out how to block direct access; however, with the above code you can download the file.

PS: I currently need to block a single file.

    
asked by anonymous 03.08.2018 / 19:28

1 answer

0

If I understand your question correctly, you are afraid that someone on your team is intentionally putting security holes in your application that allow outside access to sensitive information. If this is the case, there is little that can be done at the code level. You can try to protect the file or information in some way, but the person can make it available in another. What you need to do is improve your development, review and deploy process and find out who is doing it, if it is in fact happening, and remove them from the team. Depending on the size of the team, start reviewing everything it produces before putting it live; this way you can find the problem.

By default, when you put the application live, the source code will only be available for download if you do not properly set up the PHP module in the web server or if some failure occurs, which in some cases causes the web server to return the source. Usually this is resolved by not leaving the PHP code in the public folder (/var/www/html, for example).

    
22.10.2018 / 12:47
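One way to support the review step the answer recommends, as an added example that is not part of the original question or answer: a small pre-deploy scan, written in Python, that holds back PHP sources which name a protected file or which combine an attachment header with a file read, the pattern shown in the question. The rule set, the function names and the sample sources are assumptions constructed for illustration; `path/file.php` is the placeholder path from the question.

```python
import re

# Hypothetical rule set for a pre-deploy review gate; tune it to your code base.
RULES = {
    "attachment-header": re.compile(
        r"header\s*\(\s*[\"']Content-Disposition\s*:\s*attachment", re.I),
    "file-read": re.compile(
        r"\b(?:readfile|fpassthru|file_get_contents|fopen|fread)\s*\(", re.I),
}
# Placeholder path taken from the question; list the files nobody should serve.
PROTECTED = ["path/file.php"]


def scan(name, source, protected=PROTECTED):
    """Return (file, line, rule) findings for one PHP source string."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                hits.append((name, no, rule))
        for path in protected:
            if path in line:
                hits.append((name, no, "protected-path"))
    return hits


def needs_review(hits):
    """Hold a file back if it names a protected path, or if it both sends an
    attachment header and reads a file (the pattern in the question)."""
    rules = {rule for _, _, rule in hits}
    return "protected-path" in rules or {"attachment-header", "file-read"} <= rules


# Constructed sample sources, not taken from any real project.
SAMPLES = {
    "export.php": '<?php\n$arquivo = "path/file.php";\n'
                  'header("Content-Disposition: attachment; filename=x");\n'
                  'readfile($arquivo);\n',
    "index.php": '<?php\nheader("Content-Type: text/html");\necho "hello";\n',
    "report.php": '<?php\n$csv = file_get_contents("reports/today.csv");\n',
}


def review_queue(sources=SAMPLES):
    """Names of the sources that should be held back for manual review."""
    return sorted(n for n, s in sources.items() if needs_review(scan(n, s)))


if __name__ == "__main__":
    for name in review_queue():
        for hit in scan(name, SAMPLES[name]):
            print("%s:%d %s" % hit)
```

A line-based pattern match like this only narrows down what a human reviewer looks at first; code that builds function names or paths dynamically will not match, so it complements the manual review rather than replacing it.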