Home/ Questions/Q 8564549
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T17:13:31+00:00

My PHP application has a file controller. Every file download by an authenticated user

  • 0

My PHP application has a file controller. Every file download by an authenticated user should pass through the file controller first.

As a parameter, I’m using the file inode so it can locate the file correctly inside the disk and it can be passed safely through the URL (since it’s only numbers — I don’t have to worry about UTF-8 file names and such in here).

The files are being read from the filesystem, not a database, so the data is as live as possible.

Giving out the inodes of my filesystem is a security threat? Locating files via inodes is a bad practice?

On permission check:

I’m using Codeigniter as a framework. By extending the core controller class and the _remap() method, I’m able to check if the person accessing the file controller is logged in, for every controller call.

If it is (and the role has permissions), then allow the download. If it’s not, then redirect to login.

On same inodes:

I’m not doing a full filesystem scan. I’m listing a directory within the filesystem, divided by uploaders then by operation id (so basically, each folder would have like 10 files, tops, depending on the parameters). The structure is basically:

module/module_id/user_id/files

I’m guessing that there cannot two files with the same inode in the same folder, and if there’s another file in another filesystem (or in the same, I’m not clear if that’s possible), then it’s not in the same folder, ergo, innaccesible with that parameter chain.

For example (supposing we’re wanting to get a file with inode #5243376):

module/1/3/5243376

If there’s another file with inode 5243376, the file must be inside the folders module/1/3/ so it can be downloaded.

I don’t see any other way of getting the same (or another file), because the controller hanldes that.

The code for the hanlder is simple:

// match inode
$dir    = FCPATH . 'files/' . $type . '/' . $id . '/'. $user . '/';
$files  = scandir($dir);

foreach($files as $file) {
    $stat = stat($dir . $file);
    if ($inode == $stat['ino']) {
        $filename = $file;
    }
}

// this need better feedback lol
if (!isset($filename)) {
    die('Not existing');
}

// fullpath to file to be downloaded
$file = FCPATH . 'files/' . $type . '/' . $id . '/'. $user . '/' . $filename;
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There’s nothing really wrong with it. Basic filesystem security still applies even if you’re dealing with inodes only. But you should realize that inodes may not be unique within the OS. They’re only unique within a particular filesystem. If your host system has multiple mounted FSs within your web root, moving a file to a different dir may in fact become a copy+del operation if the move crosses a filesystem boundary. Now your inode is no longer valid, because a new inode was created in the new location.

    • 0