How to prevent direct access folder and file through URL

shantanusingh · June 20, 2022, 2:57pm

Hello,
How to prevent direct access folder and file through URL. My application permission is 755 but if we access through URL (https://domain/public/site/images/folder/abs.jpg) then it will directly accessible. I want prevent this type of accessing.

If we use .htaccess and bellow mentioned code then home page unable to display journal image.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://www.your-domain.com/.$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your-domain.com$ [NC]
RewriteRule ..(wav|swf|jpg|jpeg|gif|png|bmp|js|css)$ - [F,NC,L]

One user try bellow mentioned image.
epubs.icar.gov.in

I think file and image name must be renamed during upload.

dagosalas · June 20, 2022, 8:38pm

Hi!
This post talks about this topic, maybe it can help you.

shantanusingh · June 21, 2022, 4:56am

Only this was helpful but if we use this link Need help for hacking problem in OJS - #4 by asmecher then feature is disabled.
I think this is not a permanent solution.

dagosalas · June 22, 2022, 10:22pm

I think there are two solutions that you can implement and that they recommend in his post:

; The maximum allowed size in kilobytes of each user's public files
; directory. This is where user's can upload images through the
; tinymce editor to their bio. Editors can upload images for
; some of the settings.
; Set this to 0 to disallow such uploads.
public_user_dir_size = 5000

And the Control Public Files plugin (It’s available in the Plugin Gallery)

asmecher · June 23, 2022, 3:48pm

Hi all! We are soliciting feedback and proposals for hacking claims via image uploads on this Github discussion. Feedback would be welcome.

Regards,
Alec Smecher
Public Knowledge Project Team