Feature #646
closedsecdownload.path_elements support
Description
Hi,
in a project we where working on, we wanted to use mod_secure_download to protect a subdirectory and all the files inside.
This means that mod_secure_download cannot use the full relative path after the hexadecimal timestamp, but only X number of path_elements.
The attached patch adds a new option, secdownload.path_elements (defaults to 0, so it uses the full rel_path).
An example:
secdownload.secret = "some secret" secdownload.document-root = "/my/storage/root/" secdownload.uri-prefix = "/safe_storage/" secdownload.timeout = 86600 secdownload.path_elements = 2
This would allow the all the following URLs to be valid:
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/ http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/a_file.txt http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/b_file.txt
because the checksum only takes in account `/user_id/module`.
You could also change secdownload.path_elements to 1 and then the same URLs could be used for all URLs with the same user_id.
See comments for patch "freshness" and stability.
Files
Updated by melo almost 18 years ago
I'm using this patch with 1.4.9 still in the test environment.
I want to update it to 1.4.11 before putting this in production.
'_'Note well:'_' after uploading the file, I noticed a cosmetic typo. The configuration option should be path-elements and not path_elements.
This will change in a future version of this patch.
Security-wyse, I believe that this patch does not remove more security and control than what it is expected to remove. Please post any problems you find with it.
Thanks,
Updated by melo almost 18 years ago
Hi,
fixed cosmetic bug: secdownload.path_elements was renamed to secdownload.path-elements to be more consistent with other options.
Still using this on a test environment.
Updated by gstrauss over 7 years ago
- Related to Feature #1904: mod_secdownload option to include url GET parameters in md5 added
Updated by gstrauss over 7 years ago
- Description updated (diff)
- Status changed from New to Need Feedback
- Assignee deleted (
jan)
Is this feature still desirable?
As noted in #1904, arbitrary validation could be accomplished using a FastCGI authorizer in lieu of mod_secdownload, allowing the creation of the keys to be collocated with the code which validates the keys, instead of trying to extend mod_secdownload in a variety of ways.
Updated by gstrauss over 7 years ago
- Status changed from Need Feedback to Patch Pending
- Target version set to 1.4.45
Updated by melo over 7 years ago
Hello,
although we still use this patch in production, we are actually phasing it out at this moment to use a mechanism like what you describe, an authoriser.
I don't plan on using it anymore, so from my point of view, this ticket can be closed.
Thanks,
Updated by gstrauss over 7 years ago
- Target version changed from 1.4.45 to 1.4.46
Updated by gstrauss about 7 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset afce434e0b0ee517fef06cf32d3f9de25ceddc14.
Also available in: Atom