  1. #1
    Join Date
    May 2008
    Posts
    9
    Plugin Contributions
    0

    Digital Downloads Security

    Hi, I'm wondering how the security on the downloads folder works? I noticed in cpanel that it shows all the folders in the zencart installation to be 755 mode. This includes the download folder where the digital downloads are installed. However, if you type in a link to one of the files in that folder from an internet browser, it won't open (thank god), but how is zencart preventing this, because you can, for example, go to a picture in the images folder (that has the same 755 setting) and view it from any browser directly?
    Also, should we be setting the download folder to 711? I tried a bunch of different combinations and 755 and 711 are the only ones that work for downloading files on the order page after payment is received, but I'm afraid if I change it to 711 (stops people from "reading" the files, whatever that means) then some features may not work. Should I bother changing to 711 or is the way zencart prevents access to the downloads folder sufficient? (Note: I noticed with 755 direct access through a browser that there is an error page where you login, so I put my admin password in and it still didn't let me see them it gives instead:

    "Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request"


    So it looks like zencart is doing something with it.
    But when 711 was used, I got a typical 403 Forbidden access message:


    "Forbidden

    You don't have permission to access /main-site/download/test.zip on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

    I just want my site to be safe, but not mess up how it works with the downloading.

  2. #2
    Join Date
    Nov 2007
    Location
    Burney, CA. USA
    Posts
    131
    Plugin Contributions
    4

    Re: Digital Downloads Security

    The security for the downloads folder is based on the .htaccess file in the folder.

  3. #3
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Re: Digital Downloads Security

    There is an article in the wiki that explains how to put folders such as downloads and such ABOVE the root so there is no public access to them at all.

    Doesn't get much more secure than that.
    Zen cart PCI compliant Hosting

  4. #4
    Join Date
    Nov 2005
    Location
    Colorado Springs, CO USA
    Posts
    7,033
    Plugin Contributions
    31

    Re: Digital Downloads Security

    Here's the article mentioned by merlin:

    www.zen-cart.com/tutorials/index.php?article=280

  5. #5
    Join Date
    May 2008
    Posts
    9
    Plugin Contributions
    0

    Re: Digital Downloads Security

    Thanks for the responses, I moved the downloads folder above the public stuff. But I just found what I think may be a major flaw in the digital downloads stuff. I changed the expiry date to one day and, say, have 3 downloads possible. The links for the first and second downloads are disabled after they are downloaded, which is good. However, the link for the last download can be saved by the customer in their browser and be used indefinitely! For example, I want to sell PDFs, so I could have the link expire in a day or two and have 3 downloads, one of them doesn't work or something. But on the last download, after the PDF opens in their browser (since the browsers see the PDF files as a document to open and not download), then they can copy the address in the address bar and use it over and over again and send it to all their friends! Is there a fix for this?

    For example, this link was the last download 2 days ago and was set to expire yesterday (1 day):

    http://book-mate.com/main-site/pub/....fjyxc/yeah.pdf

    You can see that anyone could still access the file if they had the password.

  6. #6
    Join Date
    May 2008
    Posts
    9
    Plugin Contributions
    0

    Re: Digital Downloads Security

    Never mind, it's working now. I guess I had to wait 2 full days from the minute the order was placed even though I said 1 on the product attributes. Oh well, that's a relief.

  7. #7
    Join Date
    Jan 2004
    Posts
    66,380
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Digital Downloads Security

    Pointing you back to the FAQ article mentioned earlier (and the "related articles links" at the bottom of that same FAQ), you'll note that if you're not satisfied with how the "Redirect" method works, you could always switch to the "Streaming" method instead ... which doesn't link to a physical file (which seems to have bothered you).

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
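    Added illustration (not Zen Cart's own code) of what the "Streaming" method in #7 looks like when the download folder has been moved above the web root as in #3 and #4: the script resolves a download key to a file, refuses expired or exhausted entitlements, confines the path to the private directory, and sends the file as an attachment so the browser never shows a reusable file URL (the concern in #5). The directory path and the `$entitlements` array are constructed stand-ins for Zen Cart's real order lookup.

```php
<?php
// Added example, not Zen Cart code. Serves a purchased file from a directory that
// sits ABOVE public_html, so no URL maps to the file itself.
const DOWNLOAD_ROOT = '/home/example/private_downloads';   // assumed path, outside the web root

// Constructed sample entitlements: download key -> file, expiry time, downloads left.
// Zen Cart would read this from its orders_products_download table instead.
$entitlements = [
    'a1b2c3d4' => ['file' => 'yeah.pdf', 'expires' => strtotime('2008-06-01 00:00:00'), 'remaining' => 1],
];

// Returns the absolute path of the file to stream, or null if the key is not valid.
function resolve_download(string $key, array $entitlements, int $now): ?string
{
    if (!isset($entitlements[$key])) {
        return null;                                  // unknown key
    }
    $e = $entitlements[$key];
    if ($now > $e['expires'] || $e['remaining'] < 1) {
        return null;                                  // expired or no downloads left
    }
    $root = realpath(DOWNLOAD_ROOT);
    if ($root === false) {
        return null;                                  // private folder missing: fail closed
    }
    // basename() strips any directory part, so a stored name like "../config.php" cannot escape;
    // the realpath() prefix check catches symlinks that point outside the folder.
    $path = realpath($root . '/' . basename($e['file']));
    if ($path === false || strpos($path, $root . '/') !== 0) {
        return null;                                  // not a regular file inside DOWNLOAD_ROOT
    }
    return $path;
}

$key  = $_GET['key'] ?? '';
$path = resolve_download($key, $entitlements, time());
if ($path === null) {
    http_response_code(403);
    exit('Download not available');
}
// Count the download BEFORE streaming, so reloading the page cannot replay the last one.
$entitlements[$key]['remaining']--;   // real code: UPDATE the download row in the database

// "attachment" makes the browser save the file rather than render the PDF inline,
// so the address bar shows only this script's URL, which stops working once the count hits 0.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

    Because the file is read by the script and not by the web server, the folder's 755 vs 711 question from #1 no longer decides anything for visitors; only the PHP process needs read access to it.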
