Protecting templates in a CMS-like application

[nayen]

Hi,

I am building a web application (PHP) that allows users to create websites choosing some pre-designed templates. The admin area is password protected. Let's say the templates are located in the "templates" folder within the application. A couple of scripts in the application are accessing those template files to make modifications. I was wondering how I could protect that templates folder and all the files in it so that they can't be accessed outside the application (No .htaccess).

Thanks for any ideas.

[cpradio]

Store them outside of a web accessible directory and use an absolute path for accessing them

[nayen]

Store them outside of a web accessible directory and use an absolute path for accessing them

Thanks for your suggestion but this is not a personal application, it will be distributed. I have been checking WordPress to get some clues because it also has templates. For example, on a WordPress site, when I try to directly access any of the files in the following folder, it gives a Server Error.

Code:

http://www.website.com/wp-content/themes/twentyeleven/

Is that done by .htaccess?

[Serenarules]

I'm not great with server configuration, but putting a .htaccess file in that folder with the single following line, should work. You'll be able to include them into your scripts without problem. The folder just won't be directly browsable. If this doesn't work, double check with somebody in our Server Configuration forum.

deny from all

[nayen]

I'm not great with server configuration, but putting a .htaccess file in that folder with the single following line, should work. You'll be able to include them into your scripts without problem. The folder just won't be directly browsable. If this doesn't work, double check with somebody in our Server Configuration forum.

deny from all

Thanks for the suggestion. I know how to protect it via htaccess, I am looking for a solution without .htaccess if possible.

[Lemon Juice]

If you don't want .htaccess then some good security through obscurity should suffice in this case. Put all templates in a folder with a long random impossible to guess name, for example "/templates_JlABWSFW1HlbghZ57GFo". Store the folder name in some configuration or constant in your application and use it whenever your scripts need to access the files. But make sure that no one - even in the admin area - ever sees the real path to the templates so don't send the folder name to the browser. If you need someone to access a template file in the browser then let them do it through a proxy php script that will authenticate the user and serve the file from the secret folder. Also, suppress any php warnings for the functions you will be using to access the secret folder because if an error occurs (for example in file_get_contents('/templates_JlABWSFW1HlbghZ57GFo/...') or fopen('/templates_JlABWSFW1HlbghZ57GFo/...'), copy(), etc. ) then php may throw a warning outputting the file path to the browser.

This should be enough for most use cases. You may rename the secret folder periodically.

As additional security you can also append some random string to each file name you store in the secret folder.

[Lemon Juice]

Oh, and I have yet another solution: store all your templates in files with .php extension and let each file begin with this line:

PHP Code:

<?php exit; ?>

Then make your application ignore the first line. If someone guesses the file name they will not be able to access it.

Or better yet:

PHP Code:

<?php header("HTTP/1.0 404 Not Found"); exit; ?>

[nayen]

Oh, and I have yet another solution: store all your templates in files with .php extension and let each file begin with this line:

PHP Code:

<?php exit; ?>

Then make your application ignore the first line. If someone guesses the file name they will not be able to access it.

Or better yet:

PHP Code:

<?php header("HTTP/1.0 404 Not Found"); exit; ?>

Thanks for the previous suggestion and this one. Actually, I was inclined to the latter solution but I wasn't sure if I wanted to do that. Is there a shortcut to ignore the first line in a PHP file or do I have to get the file content and filter the first line out?

[Lemon Juice]

Is there a shortcut to ignore the first line in a PHP file or do I have to get the file content and filter the first line out?

None that I know of. Just use fgets() followed by fread().