Change file.php to a fixed URL for attachments

reardenlife
Registered User
Posts: 38
Joined: Tue Mar 26, 2019 4:50 am

Re: Change file.php to a fixed URL for attachments

Post by reardenlife » Sun Apr 07, 2019 5:05 pm

oops. The questions weren't directed at me, but since I already wrote the answers and since my situation is the same, here we go:
Lumpy Burgertushie wrote:
Sun Apr 07, 2019 4:30 pm
I am no coder but will that actually change what happens when an attachment is called?
Yes, it will. In one case PHP is serving the content. In the other, the webserver.
Lumpy Burgertushie wrote:
Sun Apr 07, 2019 4:30 pm
Also, I wonder why this is such an issue for you. There are many people with very many attachments that do not seem to have this problem of CPU usage.
I just worked on a board that had over 16,000 attachments in the files folder and they did not have these kinds of problems.
Well, it depends on how the server is configured. Do they use the prefork or event Apache module? Do they use PHP as a daemon or as an Apache module? How much RAM do they have? (I have only 512MB, for example.)

It also depends on how phpBB is configured. I think by default they do not display attached images if their dimensions are larger than 400x400. (I am displaying all images regardless of their size.)

reardenlife
Registered User
Posts: 38
Joined: Tue Mar 26, 2019 4:50 am

Bump

Post by reardenlife » Mon Apr 08, 2019 4:07 am


canonknipser
Registered User
Posts: 2087
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: Change file.php to a fixed URL for attachments

Post by canonknipser » Mon Apr 08, 2019 7:32 am

reardenlife wrote:
Sun Apr 07, 2019 4:21 pm
includes/functions_content.php
...
With your proposed code changes, you break
  • the permission system of attachments: everyone who knows the link can download the attachment, regardless of the given permissions
  • the extra security which is implemented by hiding the physical file names
  • the access of some browsers, because you dismiss the MIME type and other parameters which may be useful to properly render image attachments
  • maybe other functions, didn't check the impacts in detail ...
You're the first in many years, since the attachment system was implemented as a mod back in phpBB version 2 about 16 years ago. Since then, I guess some trillion attachments have been attached and visited in various phpBB installations.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

reardenlife
Registered User
Posts: 38
Joined: Tue Mar 26, 2019 4:50 am

Re: Change file.php to a fixed URL for attachments

Post by reardenlife » Mon Apr 08, 2019 7:42 am

canonknipser wrote:
Mon Apr 08, 2019 7:32 am
reardenlife wrote:
Sun Apr 07, 2019 4:21 pm
includes/functions_content.php
...
With your proposed code changes, you break
It's not a proposed change. It's a temporary fix to keep my server alive.

As for the changes in general, well, static content should be served by the webserver, not by PHP. This is a FUNDAMENTAL PRINCIPLE. Let certain pieces of software do what they were designed for. Anything above it is a perversion which leads to the types of problems I experienced.

AmigoJack
Registered User
Posts: 5616
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Change file.php to a fixed URL for attachments

Post by AmigoJack » Mon Apr 08, 2019 9:20 am

reardenlife wrote:
Mon Apr 08, 2019 7:42 am
static content should be served by the webserver, not by PHP. This is a FUNDAMENTAL PRINCIPLE.
That's also why smilies and style/theme files are served as such. You really must think we don't know the concept, yet you still didn't answer how you control access permissions with static content per user session - for smilies such checks aren't needed, but for attachments and avatars they are.

Why use PHP at all, and not static HTML instead?
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

reardenlife
Registered User
Posts: 38
Joined: Tue Mar 26, 2019 4:50 am

Re: Change file.php to a fixed URL for attachments

Post by reardenlife » Mon Apr 08, 2019 9:21 am

canonknipser wrote:
Mon Apr 08, 2019 7:32 am
the permission system of attachments: everyone who knows the link can download the attachment, regardless of the given permissions
Such restrictions can be implemented through the webserver's basic auth.
https://en.m.wikipedia.org/wiki/Basic_a ... entication

AmigoJack
Registered User
Posts: 5616
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Change file.php to a fixed URL for attachments

Post by AmigoJack » Mon Apr 08, 2019 9:42 am

No, with that you can neither log out, nor maintain a session, nor perform an auto-login. You are overestimating your understanding.

thecoalman
Community Team Member
Posts: 3303
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Change file.php to a fixed URL for attachments

Post by thecoalman » Mon Apr 08, 2019 12:55 pm

reardenlife wrote:
Mon Apr 08, 2019 9:21 am
canonknipser wrote:
Mon Apr 08, 2019 7:32 am
the permission system of attachments: everyone who knows the link can download the attachment, regardless of the given permissions
Such restrictions can be implemented through the webserver's basic auth.
https://en.m.wikipedia.org/wiki/Basic_a ... entication
The permission system in phpBB only allows the sender and recipient to view a file uploaded in a PM, as one example; the admin can't view that file with an out-of-the-box install unless they were a recipient or sender. It also prevents the download of files from forums the user does not have permission to download files from.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison

reardenlife
Registered User
Posts: 38
Joined: Tue Mar 26, 2019 4:50 am

Re: Change file.php to a fixed URL for attachments

Post by reardenlife » Mon Apr 08, 2019 5:07 pm

AmigoJack wrote:
Mon Apr 08, 2019 9:42 am
No, with that you can neither log out, nor maintain a session, nor perform an auto-login. You are overestimating your understanding.
Sessions pertain to server-side scripting.
I answered your question - how the restrictions on who can download what file can be implemented on the level of the webserver.
thecoalman wrote:
Mon Apr 08, 2019 12:55 pm
The permission system in phpBB only allows the sender and recipient to view a file uploaded in a PM, as one example; the admin can't view that file with an out-of-the-box install unless they were a recipient or sender. It also prevents the download of files from forums the user does not have permission to download files from.
Alright, cool.
So I cannot see the reason why it cannot be implemented through basic authorization.
Suppose one user has a file uploaded on the webserver in a special directory and only he can control the list of users who can get access to his resource.

Apache, for example, supports such lists stored in SQL databases: https://httpd.apache.org/docs/2.4/mod/m ... n_dbd.html

reardenlife
Registered User
Posts: 38
Joined: Tue Mar 26, 2019 4:50 am

Re: Change file.php to a fixed URL for attachments

Post by reardenlife » Mon Apr 08, 2019 5:23 pm

AmigoJack wrote:
Mon Apr 08, 2019 9:42 am
perform an auto-login.
Wait a second. Why can't it be done through basic auth? You could use JavaScript on the client side to add a header to the HTTP request with basic auth credentials. Although web browsers usually support it already with a "Remember password" checkbox.

canonknipser
Registered User
Posts: 2087
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: Change file.php to a fixed URL for attachments

Post by canonknipser » Mon Apr 08, 2019 5:32 pm

reardenlife wrote:
Mon Apr 08, 2019 5:07 pm
can be implemented on the level of the webserver.
So you need to implement code for every possible webserver - there isn't only Apache nowadays
Greetings, Frank

reardenlife
Registered User
Posts: 38
Joined: Tue Mar 26, 2019 4:50 am

Re: Change file.php to a fixed URL for attachments

Post by reardenlife » Mon Apr 08, 2019 5:35 pm

canonknipser wrote:
Mon Apr 08, 2019 5:32 pm
reardenlife wrote:
Mon Apr 08, 2019 5:07 pm
can be implemented on the level of the webserver.
So you need to implement code for every possible webserver - there isn't only Apache nowadays
Correct.
I would've done it for the most popular ones - Apache and NGINX.

But it's just an implementation - the good news is that standards and protocols are already developed, well described and implemented in some cases.

edit:
Basic auth for nginx is already implemented: https://github.com/wosc/nginx-db-auth

DavidIQ
Customisations Team Leader
Posts: 17059
Joined: Thu Jan 06, 2005 1:30 pm
Location: Fishkill, NY
Name: David Colón

Re: Change file.php to a fixed URL for attachments

Post by DavidIQ » Mon Apr 08, 2019 5:52 pm

It sounds like you have yourself a little side project for your own use. ;) We however have to support more than just nginx and Apache. What you just provided a link to does not provide a solution to how one limits access to a file based on forum access levels (which forum a file is posted in matters) or the area it was uploaded in (PM or a forum), nor does it provide any meaningful protection against code execution by uploaded files, all things that file.php handles. About the only thing it might be able to handle is allowing guest access to files or not.

It's easy to dismiss vital functionality such as what file.php does when it is not fully understood, so I think you need to better understand the complex permissions system before you can actually come up with a possible solution that works for everyone. Perhaps even some changing of code or even URL rewriting for this to be handled differently by the server would be sufficient.
Apply to become a Jr. Extension Validator
My extensions | In need of phpBB services? | Was I helpful today?
No unsolicited PMs unless you're planning on asking for paid help.
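
The checks that canonknipser and DavidIQ attribute to file.php in this thread (per-forum and PM permissions, hidden physical file names, the MIME type, protection against uploaded files being executed), sketched as a minimal download gateway. This is an added example, not phpBB's code and not part of any post; the record layout, function names and sample data are hypothetical.

```php
<?php
// Added illustration, NOT phpBB's file.php. All names and data are hypothetical.
// Constructed records: the on-disk name is opaque and is never sent to the client.
const ATTACHMENTS = [
    7 => ['physical' => '2_9f3c1ab0d4', 'real_name' => 'plan.png', 'mime' => 'image/png',
          'area' => 'forum', 'forum_id' => 3],
    8 => ['physical' => '5_77e02c91aa', 'real_name' => 'notes.html', 'mime' => 'text/html',
          'area' => 'pm', 'pm_users' => [12, 40]],
];
// MIME types rendered inline; everything else is forced to download.
const INLINE_MIME = ['image/png', 'image/jpeg', 'image/gif'];

/** Decide whether this user may fetch this attachment. */
function may_download(array $att, array $user): bool
{
    if ($att['area'] === 'pm') {
        // PM attachments: sender and recipients only, with no admin bypass.
        return in_array($user['id'], $att['pm_users'], true);
    }
    // Forum attachments: the user needs download permission in that forum.
    return in_array($att['forum_id'], $user['download_forums'], true);
}

/** Return [status, headers, physical file or null] for a request by id. */
function serve_attachment(int $id, array $user): array
{
    $att = ATTACHMENTS[$id] ?? null;
    if ($att === null || !may_download($att, $user)) {
        // Design choice: same answer for "missing" and "forbidden".
        return [404, [], null];
    }
    $inline = in_array($att['mime'], INLINE_MIME, true);
    // Keep the display name from breaking out of the quoted header value.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $att['real_name']);
    $headers = [
        'Content-Type' => $inline ? $att['mime'] : 'application/octet-stream',
        'Content-Disposition' => ($inline ? 'inline' : 'attachment') . '; filename="' . $name . '"',
        'X-Content-Type-Options' => 'nosniff', // browser must not sniff HTML/script
    ];
    return [200, $headers, $att['physical']];
}

$guest  = ['id' => 1,  'download_forums' => []];
$member = ['id' => 12, 'download_forums' => [3]];
foreach ([[7, $guest], [7, $member], [8, $member]] as [$id, $user]) {
    [$status, $headers] = serve_attachment($id, $user);
    echo "attachment $id, user {$user['id']}: $status ", json_encode($headers), "\n";
}
```

A direct link to the stored file skips both functions: the guest request for attachment 7 would succeed, and `notes.html` would be delivered as `text/html` and rendered in the forum's origin.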

reardenlife
Registered User
Posts: 38
Joined: Tue Mar 26, 2019 4:50 am

Re: Change file.php to a fixed URL for attachments

Post by reardenlife » Mon Apr 08, 2019 6:03 pm

DavidIQ wrote:
Mon Apr 08, 2019 5:52 pm
It's easy to dismiss vital functionality such as what file.php does when it is not fully understood, so I think you need to better understand the complex permissions system before you can actually come up with a possible solution that works for everyone. Perhaps even some changing of code or even URL rewriting for this to be handled differently by the server would be sufficient.
That's exactly my point.

One has to decide what he is going to do - do things as they are supposed to be done, by delegating certain tasks to the appropriate pieces of software. Or do things in a more complex way, implementing his own AC system (which is not up to RFC standards, and which very few people know about), which prevents the usage of phpBB on high-load resources, due to CPU and RAM clogging.

DavidIQ
Customisations Team Leader
Posts: 17059
Joined: Thu Jan 06, 2005 1:30 pm
Location: Fishkill, NY
Name: David Colón

Re: Change file.php to a fixed URL for attachments

Post by DavidIQ » Mon Apr 08, 2019 6:14 pm

reardenlife wrote:
Mon Apr 08, 2019 6:03 pm
That's exactly my point.
Your point is that you don't understand whatsoever the permissions system? Because that's abundantly clear here with your continued insistence that somehow the file access control that is needed can be provided by some htaccess or server-side changes.

Locked
