我构建了一个在线系统,允许用户使用 ColdFusion 下载 PDF 文件。用户必须登录才能下载文件(PDF 和 Microsoft Office 文档)。 (此应用程序仅供我们公司员工使用。)
但是,直到今天我才发现任何可以访问互联网的人都可以查看这些文件。只需在 Google 搜索中输入某些关键字(例如“医疗表格 myCompanyName”),他们就可以使用浏览器查看 PDF 文件。
我怎样才能防止这种情况发生?
更新
这就是我的问题所在。我已经为所有 PDF 文件创建了一个文件夹。每个文件都使用数据库中的 ID 进行调用。如果假设用户想要查看医疗表格,则链接将为: http:// /myApplication.myCompanyName/forms.cfm?Department=Account&filesID=001。
如果用户复制此 url &从系统注销后,他/她将无法查看该文件。(将显示登录页面)
但是,如果没有url,其他互联网用户仍然可以通过在网上搜索来查看pdf文件,并且搜索引擎将提供一个链接,将其定向到文件夹本身,而无需登录。
示例:
Medical Form 的 pdf 文件存储在名为 Document 的文件夹中。当互联网用户搜索医疗表格时,搜索引擎会将其链接到:http://myApplication。 myCompanyName/Document/Medical%20Form.pdf
我们在此文件夹中有大量 PDF 文件,其中大部分都是机密文件,仅供内部查看。在 php 中,我们可以使用 .htaccess 禁用此功能。我想知道冷聚变有没有类似的东西?
I've built an online system that allows users to download PDF files using ColdFusion. Users have to log in before they can download the files (PDF & Microsoft Office documents). (This application is only for our company staff.)
However, only today I found out that anyone with internet access can view the files. With only certain keywords such as 'Medical Form myCompanyName' in a Google search, they can view the PDF files using the browser.
How can I prevent this?
UPDATE
this is what my problem is. i've created a folder for all of the PDFs file. each of the files is called using ID from database. if let's say a user wanted to view Medical Form, the link would be: http://myApplication.myCompanyName/forms.cfm?Department=Account&filesID=001.
if the user copy this url & log out from system, he/she will not be able to view this file.(login page will be displayed)
However, without the url, other internet users sstill can view the pdf files just by search it on the net, and the search engine will gives a link that direct it to the folder itself, without having to login.
Example:
Medical Form's pdf file is stored in a folder named Document. when an internet user search for Medical Form, the search engine will link it to: http://myApplication.myCompanyName/Document/Medical%20Form.pdf
we have lots of PDF files in this folder and most of it are confidential, and for internal view purpose only. in php, we can disable this by using .htaccess. i'd like to know if there's anything like this for coldfusion?
发布评论
评论(4)
使用 cf8 之前的 cfcontent 是一个非常糟糕的主意,因为它在传输之前将整个文件加载到内存中。 CF8 及更高版本实际上将从磁盘进行流式传输,这解决了内存问题。但是,如果您有大文件、用户连接速度慢和/或下载量大,您仍然需要担心线程匮乏。每次使用 cfcontent 进行的下载都会在下载期间占用一个线程。
根据您的 Web 服务器,您也许可以使用 x-sendfile 扩展来绕过此问题。这允许您发送一个带有 Web 根目录之外的文件路径的 http 标头,并让您的 Web 服务器处理发送该文件,从而释放 cf 来执行进一步的工作。
这是 Ben Nadel 撰写的关于在 apache 上使用 mod_xsendfile 的文章,http://www.bennadel.com/blog/2170-Streaming-Secure-Files-Efficiently-With-ColdFusion-And-MOD-XSendFile.htm 这是一个等效的 IIS7 XSendFile 插件https://github.com/stakach/IIS-X-Sendfile-plugin
Using cfcontent, pre cf8, is a really bad idea, as it loads the entire file into memory before transmission. CF8 and later will actually stream from disk, which resolves the memory issue. However if you have large files, users on slow connections, and/or heavy downloads you still have to worry about thread starvation. Each download with cfcontent ties up a thread for the duration of the download.
Depending on your web server you might be able to route around this by using an x-sendfile extension. This allows you to send an http header with the path to a file outside of your web root, and have your web server handle sending the file, freeing up cf to do further work.
Here's an article by Ben Nadel about using mod_xsendfile on apache, http://www.bennadel.com/blog/2170-Streaming-Secure-Files-Efficiently-With-ColdFusion-And-MOD-XSendFile.htm and here's an equivalent IIS7 XSendFile plugin https://github.com/stakach/IIS-X-Sendfile-plugin
您可以查看 CFWheels SendFile() 辅助标记 http://cfwheels.org 的代码片段/docs/1-1/function/sendfile
https://gist.github.com/1528113
You might checkout the snippet of code for CFWheels SendFile() helper tag http://cfwheels.org/docs/1-1/function/sendfile
https://gist.github.com/1528113
您可以通过单行代码发送文件,如下所示:
ColdFusion FTW,对。
请注意,处理大文件(例如,100MB+)可能会导致一些问题,因为文件在发送之前被推送到 RAM。看起来这不再正确,正如 Mike 的回答所解释的那样。如果您想强制下载,另一种选择是使用
x-application等内容类型。UPD
您希望将此代码放入文件(假设为 file.cfm)中并将其用于 PDF 链接。像这样的东西:
file.cfm:
UPD2
添加了
GetDirectoryFromPath(basePath & url.filename) EQ basePath作为对提到的安全问题的简单快速的保护。就我个人而言,我通常使用 ID/数据库方法,尽管这个答案最初旨在作为简单的指导,而不是真正全面的解决方案。
You can send files through the code with single line like this:
ColdFusion FTW, right.
Please note that handling large files (say, 100MB+) may cause some problems, because files being pushed to RAM before sending.Looks like this is not correct any more, as Mike's answer explains.Another option is to use content type like
x-applicationif you want to force download.UPD
You want to put this code into the file (let's say file.cfm) and use it for PDF links. Something like this:
file.cfm:
UPD2
Added
GetDirectoryFromPath(basePath & url.filename) EQ basePathas easy and quick protection from the security issue mentioned.Personally I usually use ID/database approach, though this answer was initially intended as simple guidance, not really compehensive solution.
您需要将 PDF 存储在网络领域之外。
假设您的网络应用程序的基础是
所有 http(网络)请求都从那里提供。
可以是存储所有 PDF 的路径。该路径无法通过 URL 访问,因为您的 Web 服务器不提供该路径。
然后在 www 中
您有类似的内容
,您会进行检查以确保其是适当的用户,如果是,则提供该文档
You need to store your PDF's outside of your web realm.
So lets say the base of your web app is
All http (web) requests are served from there.
could be a path where all PDF's are stored. This path isn't accessible via URL as its not served by your web server.
Then in www
you have something like
Which does your checks to ensure its an appropiate user and if so serves the document