Feature #646

secdownload.path_elements support

Added by melo over 11 years ago. Updated 7 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Missing in 1.5.x:



in a project we where working on, we wanted to use mod_secure_download to protect a subdirectory and all the files inside.

This means that mod_secure_download cannot use the full relative path after the hexadecimal timestamp, but only X number of path_elements.

The attached patch adds a new option, secdownload.path_elements (defaults to 0, so it uses the full rel_path).

An example:

  secdownload.secret        = "some secret" 
  secdownload.document-root = "/my/storage/root/" 
  secdownload.uri-prefix    = "/safe_storage/" 
  secdownload.timeout       = 86600
  secdownload.path_elements = 2

This would allow the all the following URLs to be valid:

because the checksum only takes in account `/user_id/module`.

You could also change secdownload.path_elements to 1 and then the same URLs could be used for all URLs with the same user_id.

See comments for patch "freshness" and stability.

path-elements.diff (3.03 KB) path-elements.diff path_elements diff with version 1.4.9 melo, 2006-05-16 01:19
path-elements-1.4.9.diff (2.93 KB) path-elements-1.4.9.diff diff against 1.4.9: path-elements is used instead of path_elements melo, 2006-05-16 01:25

Related issues

Related to Feature #1904: mod_secdownload option to include url GET parameters in md5Fixed2009-02-17

Associated revisions

Revision afce434e (diff)
Added by gstrauss 8 months ago

[mod_secdownload] new directives modify hash path (fixes #646, fixes #1904)

secdownload.path-segments = <number>
include only given number of path segments in hash digest calculation

secdownload.hash-querystr = "enable" | "disable"
include the query string in the hash digest calculation

"secdownload.path_elements support"
"mod_secdownload option to include url GET parameters in md5"


#1 Updated by melo over 11 years ago

I'm using this patch with 1.4.9 still in the test environment.

I want to update it to 1.4.11 before putting this in production.

'_'Note well:'_' after uploading the file, I noticed a cosmetic typo. The configuration option should be path-elements and not path_elements.

This will change in a future version of this patch.

Security-wyse, I believe that this patch does not remove more security and control than what it is expected to remove. Please post any problems you find with it.


#2 Updated by melo over 11 years ago


fixed cosmetic bug: secdownload.path_elements was renamed to secdownload.path-elements to be more consistent with other options.

Still using this on a test environment.

#3 Updated by gstrauss 9 months ago

  • Related to Feature #1904: mod_secdownload option to include url GET parameters in md5 added

#4 Updated by gstrauss 9 months ago

  • Description updated (diff)
  • Status changed from New to Need Feedback
  • Assignee deleted (jan)

Is this feature still desirable?

As noted in #1904, arbitrary validation could be accomplished using a FastCGI authorizer in lieu of mod_secdownload, allowing the creation of the keys to be collocated with the code which validates the keys, instead of trying to extend mod_secdownload in a variety of ways.

#5 Updated by gstrauss 9 months ago

  • Status changed from Need Feedback to Patch Pending
  • Target version set to 1.4.45

#6 Updated by melo 9 months ago


although we still use this patch in production, we are actually phasing it out at this moment to use a mechanism like what you describe, an authoriser.

I don't plan on using it anymore, so from my point of view, this ticket can be closed.


#7 Updated by gstrauss 8 months ago

  • Target version changed from 1.4.45 to 1.4.46

#8 Updated by gstrauss 7 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom