Security of files

smebberson · September 19, 2014, 12:26am

Just wanted to ask what is the best process to ensure files are secure and can’t be downloaded within FarCry 7.

We’ve determined that if you know an actual file name, you can access files despite the fact they’re living within the projects securefiles directory.

Is this the case with everyone or am I missing something? Are my rewrite rules wrong (I’ve pasted them in below)?

RewriteCond %{REQUEST_URI} !(^/farcry|^/webtop|^/flex2gateway|^/flashservices|^/CFIDE)($|/)
RewriteRule ^([a-zA-Z0-9\/\-\%:\[\]\{\}\|\;\<\>\?\,\*\!\@\#\$\ \(\)\^_`~]*)$ /index.cfm?furl=$1 [L,PT,QSA]

blair · September 19, 2014, 12:44am

In FarCry 7 we’ve introduced CDN configuration, which lets you change where files are stored. For example you can put something like this in _serverSpecificVarsAfterInit.cfm:

<cfset setLocation(name="privatefiles",cdn="local",fullpath="/some/path/outside/webroot") />

and FarCry will store and serve secure files from there.

In previous versions of FarCry (or if you don’t want to move the files), you need to enforce the security in the web server by blocking direct access to /farcry/projects/yourproject/securefiles

Blair

blair · September 19, 2014, 1:00am

Forgot to mention:

The “best practice” setup for FarCry is:

web server serves files from /farcry/projects/yourproject/www
Raio/ColdFusion mapping to /farcry
web server alias for /webtop -> /farcry/core/webtop

With this setup, nothing outside the www directory is accessible externally.

Blair

smebberson · September 19, 2014, 1:06am

Awesome, thanks blair. We’ll proceed with this.

smebberson · September 19, 2014, 1:30am

Hey Blair,

Okay, we seemingly have this working. We’ve added this to the _serverSpecificVarsAfterInit.cfm:

 <cfset application.fc.lib.cdn.setLocation(name="privatefiles", cdn="local", fullpath="/vagrant/secure-files") />

Then we we do:

 <cfset application.fc.lib.cdn.getLocation(name="privatefiles") />

We get the correct path back. So then I went ahead and dumped out application.path and noted the securefiles key value didn’t match.

Could you explain the relationship between ‘privatefiles’ and ‘securefiles’?

Thank you!

blair · September 19, 2014, 9:41am

The media paths in application.path are deprecated - I should probably remove them from core. As of 7 FarCry refers to every uploaded file in terms of “locations”.

Files uploaded with the file formtool are stored in the “privatefiles” and “publicfiles” locations, depending on whether the property has ftSecure="true" or not, image formtools put files in the “images” location, etc. Every file operation (should) be going through the application.fc.lib.cdn API. That goes for everything from checking if a file exists (ioFileExists) to getting a URL for serving a file (ioGetFileLocation).

If you need to do any file management in your own code, I recommend you also use that API. You’ll thank me if you ever have to move your media to S3 or a FTP CDN server.

Blair

smebberson · September 22, 2014, 10:46pm

Sounds good.

Should I raise a bug for deleting those paths from core? It would be great to see them removed if they’re not longer relevant.

modius · September 23, 2014, 12:26am

Please raise a ticket, thanks.