[Typo3] Securing attachments in chc_forum

Zach Davis zach at castironcoding.com
Wed Apr 6 02:59:30 CEST 2005


Steve Webster wrote:
> Hi Y'all,
> 
> I have a question.  I'm using chc_forum and have some forums that are only accessible to a subset of web-site/forum users.  Within this secure Forum I allow forum users to upload attachments.
> 
> My question is this.  When you attach a file to a forum posting the attachment is uploaded to ./uploads/tx_chcforum/.  Therefore, based on the type and name of the upload, it is possible for someone to guess the filename and request the attachment directly even though they would not normally have access to the private forum.
> 
> Is there any way around this?  I'm guessing this would be an enhancement request to the existing chc_forum implementation (Zach?).  A true solution would be to store these attachments outside of the web document root and then provide a PHP call that could retrieve them provided you pass proper credentials.  Another, probably easier, way to implement a less secure solution would be to name the uploaded attachments using some sort of hashing algorithm that would make it suitably hard to guess the name of attachments (although determined hackers could still attempt brute force attacks).
> 
> Cheers,
> 
> Webbo
> 
> PS - Zach - I managed to resolve my issue from a few days ago with quoted text not being displayed correctly - thanks again.

Hi Steve,

Secure downloads would be a good addition to the forum. More advanced 
attachment handling in general would be nice. I just haven't had the 
time lately, and there hasn't been any sponsorship to encourage me to 
make time ;).

I'll add this to my to-do list though -- I can look at Robert Lemke's 
Secure Downloads extension or the VCD Archive extension for a sense of 
how to do this. I doubt it's terribly difficult.

Zach
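
Added example (not part of the original messages and not chc_forum code): a sketch of the download gate described in the question, with attachments kept outside the document root under random names and released only after an access check. The storage path, the record layout and `user_may_read_forum()` are hypothetical stand-ins for the forum's own database and permission logic.

```php
<?php
// Added example, not chc_forum code. Every name below is hypothetical.
const ATTACHMENT_DIR = '/var/typo3-private/forum_attachments'; // assumed path outside the document root

// Store an upload under an unguessable name; the user's filename is kept only as metadata.
function store_attachment(string $tmpPath, string $originalName, int $forumId): array
{
    $stored = bin2hex(random_bytes(16)); // 128 random bits, not derived from the upload
    if (!move_uploaded_file($tmpPath, ATTACHMENT_DIR . '/' . $stored)) {
        throw new RuntimeException('upload could not be stored');
    }
    // The caller saves this record in the database next to the post.
    return ['stored' => $stored, 'name' => basename($originalName), 'forum' => $forumId];
}

// Stand-in for the forum's own group check (assumption).
function user_may_read_forum(?array $user, int $forumId): bool
{
    return $user !== null && in_array($forumId, $user['forums'] ?? [], true);
}

// Send the file only if the logged-in user may read the forum the post belongs to.
function serve_attachment(array $record, ?array $user): void
{
    $path = ATTACHMENT_DIR . '/' . $record['stored'];
    // Same 404 for "no access", "bad name" and "missing file", so the
    // response does not confirm that an attachment exists.
    if (!user_may_read_forum($user, $record['forum'])
        || !preg_match('/\A[0-9a-f]{32}\z/', $record['stored'])
        || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    // Reduce the display name to a safe character set before it enters a header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $record['name']);
    header('Content-Type: application/octet-stream'); // never let the browser render uploads inline
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```

With this layout the random name is defence in depth only: the files are not reachable by URL at all, so the access check in `serve_attachment()` is what enforces the forum's permissions.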


