How to secure open journal system original submission files

remo asked:

I have installed OJS on my own server. In the installation process, it is required to create a folder that is writable by PHP (Apache = www-data), but not accessible from the browser. The folder is used to save uploaded manuscripts, which must not be viewable by the public, but must be readable by the software itself. I changed the httpd.conf file to deny listing of the files in the folder, but the problem does not seem to be completely solved. In fact, although the file names are random, if a malicious or curious user has the exact file name of the original manuscript, he/she can download the file. Please note that there are numerous such manuscripts now on my server (Ubuntu 12.04.4). Is there any way I can prevent them from downloading (at least for unauthorized users not registered as editor)?

My answer:

The README told you what to do. The relevant parts:

    * Install OJS so that the files directory is NOT a subdirectory of
      the OJS installation and cannot be accessed directly via the web
      server. 

    3. Create a directory to store uploaded files (submission files, etc.)
       and make this directory writeable. It is recommended that this
       directory be placed in a non-web-accessible location (or otherwise
       protected from direct access, such as via .htaccess rules).

This means the files directory you use for uploads should not be under the DocumentRoot. Of course you have to specify its location in config.inc.php if you already completed the installation.

    [files]
    
    ; Complete path to directory to store uploaded files
    ; (This directory should not be directly web-accessible)
    ; Windows users should use forward slashes
    files_dir = files

View the full question and answer on Server Fault.
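The relocation described in the answer, carried out end to end, as an added example that is not part of the original post or of the OJS project. It moves the existing upload directory out of the DocumentRoot, fixes ownership for the PHP user, rewrites files_dir in config.inc.php to the new absolute path, and then checks that the configured directory no longer resolves to a path under the web root. The paths (/var/www, /var/www/ojs, /var/ojs-files), the www-data owner and the assumption that a relative files_dir is resolved against the OJS root are this example's own; the demonstration at the bottom runs against a constructed sandbox rather than a real installation.

```shell
#!/bin/sh
# Added example (not from the Server Fault answer or the OJS project).
# Assumption: a relative files_dir in config.inc.php is resolved against the OJS root.

# Returns 0 when DIR resolves to a path under DOCROOT (i.e. directly web-accessible),
# 1 when it lies outside, 2 when either directory does not exist.
path_is_under() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$dir/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Prints the uncommented files_dir value from config.inc.php (last match wins,
# surrounding quotes and trailing whitespace stripped). Commented template lines
# start with ';' and are therefore skipped.
config_files_dir() {
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Rewrites the uncommented files_dir line to an absolute path (portable: temp file + mv).
# NEWDIR must not contain '|' or '&', which sed would interpret.
set_files_dir() {
    config=$1; newdir=$2
    tmp="$config.tmp.$$"
    sed "s|^\([[:space:]]*files_dir[[:space:]]*=\).*|\1 $newdir|" "$config" > "$tmp" \
        && mv "$tmp" "$config"
}

# Exit 0 only when the configured files_dir exists and resolves outside DOCROOT.
verify_not_web_accessible() {
    ojs_root=$1; docroot=$2
    dir=$(config_files_dir "$ojs_root/config.inc.php")
    case "$dir" in /*) ;; *) dir="$ojs_root/$dir" ;; esac
    [ -d "$dir" ] || { echo "MISSING: $dir does not exist" >&2; return 1; }
    if path_is_under "$dir" "$docroot"; then
        echo "INSECURE: $dir is inside $docroot" >&2
        return 1
    fi
    echo "OK: $dir is outside $docroot"
}

# Moves the current upload directory to NEWDIR (outside DOCROOT), chowns it to OWNER
# when running as root, tightens permissions, updates config.inc.php and re-verifies.
# Real-host usage (as root): relocate_files_dir /var/www/ojs /var/www /var/ojs-files www-data
relocate_files_dir() {
    ojs_root=$1; docroot=$2; newdir=$3; owner=${4:-www-data}
    config="$ojs_root/config.inc.php"
    olddir=$(config_files_dir "$config")
    case "$olddir" in /*) ;; *) olddir="$ojs_root/$olddir" ;; esac
    [ -e "$newdir" ] && { echo "refusing to overwrite existing $newdir" >&2; return 1; }
    mkdir -p "$(dirname "$newdir")" || return 1
    if [ -d "$olddir" ]; then mv "$olddir" "$newdir" || return 1
    else mkdir -p "$newdir" || return 1; fi
    if [ "$(id -u)" -eq 0 ]; then chown -R "$owner" "$newdir"
    else echo "note: not root, skipping chown to $owner" >&2; fi
    chmod 750 "$newdir"                      # PHP user reads/writes, nobody else
    set_files_dir "$config" "$newdir" || return 1
    verify_not_web_accessible "$ojs_root" "$docroot"
}

# Builds a constructed sandbox mimicking the insecure layout from the question:
# DocumentRoot www/, OJS at www/ojs, uploads at www/ojs/files. Prints its path.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/www/ojs/files"
    printf '%s\n' '[files]' '' '; Complete path to directory to store uploaded files' \
        '; (This directory should not be directly web-accessible)' 'files_dir = files' \
        > "$sb/www/ojs/config.inc.php"
    printf 'constructed sample manuscript\n' > "$sb/www/ojs/files/manuscript.pdf"
    printf '%s\n' "$sb"
}

# Demonstration on the sandbox only; never touches a real /var/www.
SANDBOX=$(make_sandbox)
verify_not_web_accessible "$SANDBOX/www/ojs" "$SANDBOX/www" || true   # reports INSECURE
relocate_files_dir "$SANDBOX/www/ojs" "$SANDBOX/www" "$SANDBOX/ojs-files"
rm -rf "$SANDBOX"
```

If the directory cannot be moved immediately, the README's fallback of blocking direct access with Apache rules still applies: on Apache 2.2 (what Ubuntu 12.04 ships) that is `Order deny,allow` followed by `Deny from all` in a `<Directory>` block or a `.htaccess` file that `AllowOverride` permits, and it must deny every request, not merely directory listings, since the attacker in the question already knows the file name.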

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.