
Ligonsker

Preventing access to URLs from GET requests sent by img tags

Hello, I am not sure if this is the job for the backend (Laravel) or the server (nginx) in my case:

I have JavaScript code that appends images whose src URL points to a Controller method that sends nginx X-Accel headers (to access protected internal folders):

    <img src="get_file?path=/protected_folder/image.jpg">

Now when the page loads, all the images send GET requests to the get_file URL which in turn goes to the Controller method that sends the X-Accel header back:

    public function get_file(Request $request)
    {
        // The path comes straight from the query string (?path=/protected_folder/image.jpg)
        $pathToFile = $request->query('path');

        return response('')
            ->header('X-Accel-Redirect', $pathToFile);
    }

What's working is that now users can't access the protected folder via the URL at http://example.com/protected_folder/image.jpg, but they can simply copy the URL with the get_file method in it and it returns the image:

http://example.com/get_file?path=/protected_folder/image.jpg

And if I copy paste this one, it does show the image.

Is there a way to add some sort of validation via Laravel so that I get some token in the get_file method and only return the image if this token exists (which will only be the case from the page that loads the images)? Or is that a job for nginx as well?

0 likes
5 replies
newbie360

    public function get_file(Request $request)
    {
        // if the user doesn't have permission, do something.... ??

        // The path comes straight from the query string (?path=/protected_folder/image.jpg)
        $pathToFile = $request->query('path');

        return response('')
            ->header('X-Accel-Redirect', $pathToFile);
    }
1 like
Ligonsker

@newbie360 thanks, that's probably what I will use. I was just wondering if it can affect performance when many images are loaded, and so whether to let the server do it instead somehow, because I think that every call will involve a DB query like Auth::user()->can...

(although I use pagination/infinite scroll so I'm just exaggerating).

I'll just use it for now. Thank you

newbie360

@Ligonsker you may try using middleware, so it redirects before the request enters the controller.

And you also need to test whether a user adding a request header can bypass your logic.

1 like
Ligonsker

@newbie360 thanks.

Can you explain why middleware will help if the first thing in the controller would be the authentication anyway?

Also, can you give an example of bypassing my logic with headers? I didn't understand how they can bypass it, but I want to understand so I can prevent it.

newbie360

@Ligonsker sorry for the late reply, I'm playing with the package https://splade.dev/ ;)

Someone pointed out in another post that you can use Gate / Policy or something else.

I mean, since we don't know what the users will do, just make sure your logic is correct, check the variable return types again; if a user sending the same header can't pass your logic, it is good enough. Sorry, my English is not good ;)

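Putting newbie360's suggestion together (authorize before emitting the header, and make sure a client-supplied header cannot stand in for that check), here is an added example that is not code from this thread: a Laravel controller that requires a logged-in user, pins the requested path inside the protected folder, authorizes the file through a Gate, and only then sends X-Accel-Redirect. It assumes an nginx block `location /protected_files/ { internal; alias /var/www/protected_folder/; }`, a route registered behind the `auth` middleware, and a hypothetical Gate ability named `view-file`.

```php
<?php
// Added example, not from the thread. Assumes nginx serves the "internal"
// location /protected_files/ from /var/www/protected_folder/ and that the
// route for get_file sits behind the "auth" middleware.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class FileController extends Controller
{
    private const PROTECTED_ROOT  = '/var/www/protected_folder'; // filesystem root
    private const INTERNAL_PREFIX = '/protected_files';          // nginx internal location

    public function get_file(Request $request)
    {
        // 1. Only logged-in users. The "auth" middleware already rejects anonymous
        //    requests before the controller runs; this guard is defence in depth.
        if (!$request->user()) {
            abort(401);
        }

        // 2. Never forward the raw "path" value: resolve it inside the protected
        //    root and reject anything that escapes it (e.g. "../") or is not a file.
        $requested = ltrim((string) $request->query('path', ''), '/');
        $root = realpath(self::PROTECTED_ROOT);
        $real = realpath(self::PROTECTED_ROOT . '/' . $requested);
        if ($root === false || $real === false
            || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0
            || !is_file($real)) {
            abort(404);
        }

        // 3. Per-file authorization. Gate::allows runs PHP only; the user was
        //    loaded once for this request, so this costs no extra DB query unless
        //    the ability's own callback performs one. (Hypothetical ability name.)
        if (!Gate::allows('view-file', $real)) {
            abort(403);
        }

        // 4. Hand the file to nginx. nginx honours X-Accel-Redirect only in the
        //    backend's response, so a client sending the same header gains nothing;
        //    the internal location itself is unreachable by direct URL.
        $relative = substr($real, strlen($root));
        return response('', 200)
            ->header('Content-Type', mime_content_type($real) ?: 'application/octet-stream')
            ->header('X-Accel-Redirect', self::INTERNAL_PREFIX . $relative);
    }
}
```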