Serving embedded video files with X-Accel-Redirect to IE 6 browser
mike
mike503 at gmail.com
Thu Apr 17 02:24:30 MSD 2008
or basename() it and then force a specific parent path.
or just use an integer ID if it's in the db to check if the file is valid, etc.
On 4/16/08, Cliff Wells <cliff at develix.com> wrote:
>
> On Wed, 2008-04-16 at 17:55 +0200, Thomas wrote:
> > Actually there is nothing fancy in Nginx conf files, simply declare
> > the folder that holds the protected content as "internal" so users
> > can't directly access it:
> >
> > location /files {
> >     root /var/www/myapp/files;
> >     internal;
> > }
> >
> >
> > The real magic happens in your app:
> >
> > <?php
> > $path = $_GET["path"];
> > header("Content-Type: video/quicktime");
> > header("X-Accel-Redirect: /files/" . $path);
> > ?>
>
> It probably doesn't matter much for this particular example (since the
> request will be punted to Nginx which will presumably forbid access
> outside "root"), but in general you should sanitize anything to be used
> as part of a filesystem path:
>
> $path = realpath($_GET["path"]);
>
> This is to prevent requests like:
>
> "http://mysite.com/downloads.php?path=../../../../etc/passwd".
>
>
> Regards,
> Cliff
>
>
>
>
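
Added example, not part of the thread: a PHP handler that combines the basename()-plus-fixed-parent approach and the realpath() check discussed above before emitting X-Accel-Redirect. The FILES_DIR constant, the accel_redirect_uri() helper and the filename allow-list are assumptions made for illustration; FILES_DIR must be the directory that nginx's internal /files/ location actually resolves to.

```php
<?php
// Added example, not code from the thread.
// Assumption: FILES_DIR is the directory nginx's internal /files/ location serves.
const FILES_DIR = '/var/www/myapp/files';

// Returns the X-Accel-Redirect URI for a requested name, or null if refused.
// accel_redirect_uri() is a hypothetical helper name.
function accel_redirect_uri($requested, string $dir = FILES_DIR): ?string
{
    // "?path[]=x" arrives as an array; only plain strings are acceptable.
    if (!is_string($requested)) {
        return null;
    }
    // Keep the last path component only: "../../../../etc/passwd" becomes "passwd".
    $name = basename(str_replace('\\', '/', $requested));
    // Allow-list the name (assumed naming scheme). This also rules out NUL bytes,
    // CR/LF header injection, dotfiles, "." and "..".
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $name)) {
        return null;
    }
    // Force the parent directory, resolve symlinks, and require a regular file.
    $base = realpath($dir);
    $real = realpath($dir . '/' . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must still sit directly under the forced parent.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return '/files/' . $name;
}

$uri = accel_redirect_uri($_GET['path'] ?? null);
if ($uri === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: video/quicktime');
header('X-Accel-Redirect: ' . $uri);
```

With this handler the `path=../../../../etc/passwd` request quoted above is reduced to `passwd` and answered with 404 unless a regular file of that name exists inside FILES_DIR.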