Leuchtfeuer / typo3-secure-downloads

Secure your assets and data from unwanted download. Apply TYPO3 access rights to ALL file assets (PDFs, TGZs or JPGs etc. - configurable) - protect them from direct access.
https://www.Leuchtfeuer.com
GNU General Public License v2.0
21 stars 35 forks source link

folderPattern does not allow selection of subfolders by name (feature request, solution included) #6

Closed artus70 closed 6 years ago

artus70 commented 8 years ago

Currently only the specification of absolute folder paths is possible. I'd really like to be able to select subfolders by name, i.e. each folder called "locked" will be treated as secured folder.

This can be reached with a small change in HtmlParser.php:

// This line (118):
// $this->tagPattern = '/["\'](?:' . $this->domainPattern . ')?(\/?(?:' . $this->folderPattern . ')+?.*?(?:(?i)' . $this->fileExtensionPattern . '))["\']/i';
// has to get changed to:
$this->tagPattern   = '/["\'](?:' . $this->domainPattern . ')?(\/?.+(?:' . $this->folderPattern . ')+?.*?(?:(?i)' . $this->fileExtensionPattern . '))["\']/i';

So in the preferences "fileadmin" could be replaced by "locked" to make folders with that name secure.

It could then be used in combination with a corresponding Apache directive to secure those folders in general:

<DirectoryMatch "^/path-to-typo3/fileadmin/.+/locked/">
        Order deny,allow
        deny from all
</DirectoryMatch>
sypets commented 7 years ago

The currently made (and reverted) patch "5e38189" has the problem that

  1. current behaviour is changed and it might not be desired to always include pattern in all subfolders
  2. the rule will also match substrings of directories
  3. the rule will no longer match the subdirs at the top of the path if a domain has been specified (because .+ and not .* is used in the suggestion)

Examples:

new rule in commit: $this->domainPattern . ')?(\/?.+(?:' . $this->folderPattern setting in extension configuration: typo3temp|fileadmin/uploads|intern

would match:

would not match:

Alternatives

It would be great if the desired behaviour could be specified via regular expression, e.g. use typo3temp|fileadmin/uploads|filedmin/intern if you only want exactly those directories included and use something like typo3temp|fileadmin\/uploads|(?:.+\/)*intern\/ if you want to include all subdirectories "intern" at any level.

However this is currently not possible, because: