permissions - Reading image from outside public_html with PHP?

Question

this is really stupid, but I been trying dozens of different things and I can't for the life of me work out what I am doing wrong.

I have a cpanel installation, with the usual public_html directory and access to the directory below that (call that directory "USER"). I am testing out some things with images.

I have put an image file above the public_html, into the USER directory.

I have written a test php script which has just a few lines:

if(is_file("../1.jpg")){    
    echo "<img src="../1.jpg" />";
}else{
    echo "not there";
}

The is_file can always find the file. Also tried file_exists and is_readable, these all find the file too.

But even though the script sees the file, I can't work out how to output that file to the browser. Or even if it is possible to do it this way.

I've changed the permissions on the file to all readable.

I've tried putting an absolute path from the root.

I tried using imagejpeg.

None of these things work.

You may wonder why I don't just put the image within public_html, but this script is a test I'm doing coz I need to figure out what is possible when it comes to serving images from other domains / accounts on the same server (it is a dedicated server).

I can understand that maybe it's a permissions thing or something - in which case I don't understand why the script can find the file - well anyway I am probably overlooking something very stupid or basic. So if anyone could point me in the right direction I would appreciate it.

Many thanks

Answer 1

That cannot be done. When you output an img tag, that's simply some text on the server. It's sent to the browser and the browser is what attempts to fetch the file listed in the src="..." portion. That's done via an HTTP request, so if the image is outside of the document root, you cannot by definition fetch the file directly.

If you could simply do src="../../../../picture.jpg" and get an image outside of the document root, you could fetch ANY file on the server, including your config files, your password files, blah blah blah. It'd be a security hole big enough to qualify as insane.

if you want to provide access to a file outside of the document root, you'll have to do it via a script. The simplest method is to have:

image.php:

<?php
header('Content-type: image/jpeg');
readfile('/path/to/picture/outside/doc/root/file.jpg');

and in your html:

<img src="image.php">

There's other nastier options, such as using Apache alias directives to map external directories into "internal" ones, rewriting urls, etc... but that just makes things even more complicated.