Marco

Reputation: 131

Session Authentication when using file_get_contents in PHP

Downloads in my project are protected by a PHP download script and session authentication.

On TCPDF generation I use file_get_contents and the script below to get the images and generate the PDF.

stream_context_create sends the PHPSESSID cookie header, but there is still no authentication.

pdfexport.php:

    // Build an HTTP context that forwards the caller's own session cookie
    // to the self-request against file.php
    $opts = array('http' => array(
        'method' => "GET",
        'header' => "Accept-language: de\r\n" .
                    "Cookie: " . session_name() . "=" . session_id() . "\r\n"
    ));
    $context = stream_context_create($opts);
    // Release the session lock, otherwise the self-request that opens the
    // same session would block until this script finishes
    session_write_close();

    foreach ($data['we_files'] as $we_file) {
        // Fetch the protected image over HTTP from the same application.
        // On a 401 this returns false, so an empty temp file is written and
        // Imagick fails with "no decode delegate" (see the error below).
        $getimage1 = file_get_contents(URLROOT . "/file.php?path=" . $we_file->image, false, $context);
        $image1_name = tempnam("/tmp", $we_file->image);
        file_put_contents($image1_name, $getimage1);
        $image1_image = new Imagick($image1_name);
        $image1_image->setImageCompression(Imagick::COMPRESSION_JPEG);
        $image1_image->setImageCompressionQuality(100);
        $image1_image->thumbnailImage(500, 0);
        // TCPDF accepts inline image data as "@" followed by base64
        $image1 = '@' . base64_encode($image1_image);

        echo $image1;
    }

file.php

    // Strip "uploads" from the requested path and hand the file to the web
    // server via X-Accel-Redirect. Note that in this excerpt $_GET["path"]
    // reaches the header with no session/permission check and no validation
    // of the path itself (str_replace does not stop "../" segments).
    $path = $_GET["path"];
    $search = 'uploads';
    $pathnew = str_replace($search, '', $path);

    header('X-Accel-Redirect: /uploads/' . $pathnew);
    header('Content-Type:');

Imagick error :

Fatal error: Uncaught ImagickException: no decode delegate for this image format `' @ error/constitute.c/ReadImage/509

Debug:

Warning: file_get_contents(https://domain.de/file.php?path=uploads/481/8979fc24e116c4577a44424a8814c79b0d5c73d9-19-03-2019-08-28-11-SA-150.jpg): failed to open stream: HTTP request failed! HTTP/1.1 401 Unauthorized in /var/www/clients/...

// DIE(print_r($opts));
Array
(
    [http] => Array
        (
            [method] => GET
            [header] => Accept-language: de
            Cookie: PHPSESSID=5krl856uibhugaf6p6n6hluufq

        )

)
1

//DIE(print_r($_COOKIE));
    Array(
     [PHPSESSID] => 5krl856uibhugaf6p6n6hluufq
    )
    1

Upvotes: 0

Views: 399

Answers (1)

Joni

Reputation: 111329

You're essentially trying to spoof the user session: perform an action pretending you're the user when you're actually a (potentially malicious) third party. If your sessions are set up securely, that won't work.

What you should do instead is verify the user's access permissions in code and read the image through the file system.

An alternative is creating a more complex system where services authenticate themselves against the back end, and pass in information that says "this user has authorized me to do this for them".

Upvotes: 1
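The approach the answer recommends (check the user's permission in code, then read the file from disk instead of re-requesting it over HTTP with a forwarded session cookie), as an added example that is not code from the question or the answer. The upload root, the user record shape, and the functions `user_may_read_upload()` and `read_upload_for_user()` are assumptions for illustration; the fixture files are constructed so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. Assumed names:
// $UPLOAD_ROOT, user_may_read_upload(), read_upload_for_user(). The user
// record shape and the fixture files below are constructed for the demo.

// Constructed fixture: a temporary upload root with one file per customer.
$UPLOAD_ROOT = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir($UPLOAD_ROOT . '/481', 0700, true);
mkdir($UPLOAD_ROOT . '/999', 0700, true);
file_put_contents($UPLOAD_ROOT . '/481/photo.jpg', "\xFF\xD8\xFF\xE0 constructed jpeg bytes");
file_put_contents($UPLOAD_ROOT . '/999/secret.jpg', "\xFF\xD8\xFF\xE0 another customer's file");

/**
 * Assumed authorization rule: the first path segment is the customer id and a
 * user may read only files under the customers they belong to.
 * $relative must already be canonical (no "..", no symlinks); see below.
 */
function user_may_read_upload(array $user, string $relative): bool
{
    $customer = explode('/', $relative, 2)[0];
    return in_array($customer, $user['customer_ids'], true);
}

/**
 * Resolve $requested under $root, refuse anything that escapes the root,
 * apply the permission check, and return the bytes straight from disk.
 * This replaces file_get_contents(URLROOT . "/file.php?path=...") in
 * pdfexport.php, so no session cookie has to be forwarded at all.
 */
function read_upload_for_user(array $user, string $root, string $requested): string
{
    if (strpos($requested, "\0") !== false) {
        throw new InvalidArgumentException('invalid path');
    }
    // Same normalisation as file.php: drop a leading "uploads/".
    $relative = preg_replace('#^/?uploads/#', '', $requested);

    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $relative);
    // realpath() resolves ".." and symlinks, so a prefix check on its result
    // is a reliable containment test; str_replace('uploads', '', ...) is not.
    if ($rootReal === false || $target === false
        || strpos($target, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path outside upload root');
    }
    // Authorize on the canonical relative path, not on the user-supplied one,
    // so "481/../999/x.jpg" is judged as "999/x.jpg".
    $canonical = substr($target, strlen($rootReal) + 1);
    if (!user_may_read_upload($user, $canonical)) {
        throw new RuntimeException('forbidden');
    }
    if (!is_file($target)) {
        throw new RuntimeException('not found');
    }
    return file_get_contents($target);
}

// The logged-in user; in the real application this comes from $_SESSION.
$user = ['id' => 7, 'customer_ids' => ['481']];

$bytes = read_upload_for_user($user, $UPLOAD_ROOT, 'uploads/481/photo.jpg');
echo "allowed: " . strlen($bytes) . " bytes\n";
// $bytes can now go to Imagick via readImageBlob() instead of a temp file.

$attempts = [
    'uploads/481/../999/secret.jpg',   // traversal into another customer's directory
    'uploads/999/secret.jpg',          // direct request for another customer's file
    'uploads/../../etc/passwd',        // escape from the upload root entirely
];
foreach ($attempts as $bad) {
    try {
        read_upload_for_user($user, $UPLOAD_ROOT, $bad);
        echo "UNEXPECTED: $bad was served\n";
    } catch (RuntimeException $e) {
        echo "rejected $bad: " . $e->getMessage() . "\n";
    }
}

// Remove the constructed fixture.
foreach (['481/photo.jpg', '999/secret.jpg'] as $f) { unlink("$UPLOAD_ROOT/$f"); }
foreach (['481', '999', ''] as $d) { rmdir(rtrim("$UPLOAD_ROOT/$d", '/')); }
```

The permission check runs on the path after `realpath()`, because checking the raw request string would let `481/../999/secret.jpg` pass as customer 481 while actually serving customer 999's file. With the bytes read locally, pdfexport.php no longer needs `session_write_close()` or the forwarded cookie, and the 401 from the self-request disappears with it.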
