Feature #646

secdownload.path_elements support

Added by melo over 11 years ago. Updated 9 months ago.

Status: Fixed
Priority: Low
Assignee: -
Category: mod_secdownload
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:
Description

Hi,

in a project we were working on, we wanted to use mod_secure_download to protect a subdirectory and all the files inside.

This means that mod_secure_download cannot use the full relative path after the hexadecimal timestamp, but only X number of path_elements.

The attached patch adds a new option, secdownload.path_elements (defaults to 0, so it uses the full rel_path).

An example:


  secdownload.secret        = "some secret" 
  secdownload.document-root = "/my/storage/root/" 
  secdownload.uri-prefix    = "/safe_storage/" 
  secdownload.timeout       = 86600
  secdownload.path_elements = 2

This would allow all the following URLs to be valid:


http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/a_file.txt
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/b_file.txt

because the checksum only takes into account `/user_id/module`.

You could also change secdownload.path_elements to 1 and then the same URLs could be used for all URLs with the same user_id.

See comments for patch "freshness" and stability.

path-elements.diff (3.03 KB): path_elements diff with version 1.4.9 (melo, 2006-05-16 01:19)
path-elements-1.4.9.diff (2.93 KB): diff against 1.4.9: path-elements is used instead of path_elements (melo, 2006-05-16 01:25)
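
The prefix-only checksum requested above, as an added example that is not part of the original ticket, the attached patch, or lighttpd's code. It assumes the MD5 token layout `md5(secret + rel_path + hex timestamp)` and that a path with fewer than N elements is hashed in full; the function names are hypothetical and the values come from the example configuration in the description.

```python
import hashlib
import hmac
import time

SECRET = "some secret"          # secdownload.secret
URI_PREFIX = "/safe_storage/"   # secdownload.uri-prefix
TIMEOUT = 86600                 # secdownload.timeout, in seconds
PATH_ELEMENTS = 2               # secdownload.path_elements (0 = hash the full path)


def hashed_path(rel_path, n=PATH_ELEMENTS):
    """Return the part of rel_path that the checksum covers."""
    segments = rel_path.split("/")[1:]      # rel_path starts with "/"
    if n <= 0 or len(segments) <= n:
        return rel_path                     # assumption: short paths are hashed whole
    return "/" + "/".join(segments[:n])


def make_token(rel_path, ts_hex):
    data = SECRET + hashed_path(rel_path) + ts_hex
    return hashlib.md5(data.encode()).hexdigest()


def make_url(rel_path, now=None):
    ts_hex = "%08x" % int(time.time() if now is None else now)
    return f"{URI_PREFIX}{make_token(rel_path, ts_hex)}/{ts_hex}{rel_path}"


def check_url(url_path, now=None):
    """Return the rel_path to serve, or None if the request must be refused."""
    if not url_path.startswith(URI_PREFIX):
        return None
    token, _, rest = url_path[len(URI_PREFIX):].partition("/")
    ts_hex, sep, tail = rest.partition("/")
    rel_path = "/" + tail
    if len(token) != 32 or len(ts_hex) != 8 or not sep:
        return None
    # Assumption: the path may not be normalized yet, so refuse dot segments
    # that would resolve outside the prefix the token was issued for.
    if any(s in (".", "..") for s in rel_path.split("/")):
        return None
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if abs(now - ts) > TIMEOUT:
        return None
    good = hmac.compare_digest(token.encode(), make_token(rel_path, ts_hex).encode())
    return rel_path if good else None
```

One token issued for `/user_id/module/a_file.txt` validates every path under `/user_id/module`, so the number of hashed elements is the access-control boundary and should match the directory level at which access is actually granted.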

Related issues

Related to Feature #1904: mod_secdownload option to include url GET parameters in md5 (Fixed, 2009-02-17)

Associated revisions

Revision afce434e (diff)
Added by gstrauss 10 months ago

[mod_secdownload] new directives modify hash path (fixes #646, fixes #1904)

secdownload.path-segments = <number>
include only given number of path segments in hash digest calculation

secdownload.hash-querystr = "enable" | "disable"
include the query string in the hash digest calculation

x-ref:
"secdownload.path_elements support"
https://redmine.lighttpd.net/issues/646
"mod_secdownload option to include url GET parameters in md5"
https://redmine.lighttpd.net/issues/1904

History

#1

Updated by melo over 11 years ago

I'm using this patch with 1.4.9 still in the test environment.

I want to update it to 1.4.11 before putting this in production.

Note well: after uploading the file, I noticed a cosmetic typo. The configuration option should be path-elements and not path_elements.

This will change in a future version of this patch.

Security-wise, I believe that this patch does not remove more security and control than what it is expected to remove. Please post any problems you find with it.

Thanks,

#2

Updated by melo over 11 years ago

Hi,

fixed cosmetic bug: secdownload.path_elements was renamed to secdownload.path-elements to be more consistent with other options.

Still using this on a test environment.

#3

Updated by gstrauss 11 months ago

  • Related to Feature #1904: mod_secdownload option to include url GET parameters in md5 added
#4

Updated by gstrauss 11 months ago

  • Description updated (diff)
  • Status changed from New to Need Feedback
  • Assignee deleted (jan)

Is this feature still desirable?

As noted in #1904, arbitrary validation could be accomplished using a FastCGI authorizer in lieu of mod_secdownload, allowing the creation of the keys to be collocated with the code which validates the keys, instead of trying to extend mod_secdownload in a variety of ways.

#5

Updated by gstrauss 11 months ago

  • Status changed from Need Feedback to Patch Pending
  • Target version set to 1.4.45
#6

Updated by melo 11 months ago

Hello,

although we still use this patch in production, we are actually phasing it out at this moment to use a mechanism like what you describe, an authoriser.

I don't plan on using it anymore, so from my point of view, this ticket can be closed.

Thanks,

#7

Updated by gstrauss 10 months ago

  • Target version changed from 1.4.45 to 1.4.46
#8

Updated by gstrauss 9 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
