In a project we were working on, we wanted to use mod_secure_download to protect a subdirectory and all the files inside.
This means that mod_secure_download cannot use the full relative path after the hexadecimal timestamp, but only X number of path_elements.
The attached patch adds a new option, secdownload.path_elements (defaults to 0, so it uses the full rel_path).
secdownload.secret = "some secret"
secdownload.document-root = "/my/storage/root/"
secdownload.uri-prefix = "/safe_storage/"
secdownload.timeout = 86600
secdownload.path_elements = 2
This would allow all the following URLs to be valid:
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/a_file.txt
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/b_file.txt
because the checksum only takes into account `/user_id/module`.
You could also change secdownload.path_elements to 1 and then the same URLs could be used for all URLs with the same
See comments for patch "freshness" and stability.
secdownload.path-segments = <number>
include only given number of path segments in hash digest calculation
secdownload.hash-querystr = "enable" | "disable"
include the query string in the hash digest calculation
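The checksum rule from the description above, written out as an added example; it is not the attached patch or lighttpd's own code. It assumes the stock mod_secdownload token, MD5(secret + rel_path + hex timestamp), and that truncation works per path segment as the `/user_id/module` example suggests; the function names are hypothetical.

```python
import hashlib
import hmac
import string
import time

SECRET = "some secret"         # secdownload.secret from the sample config
URI_PREFIX = "/safe_storage/"  # secdownload.uri-prefix
TIMEOUT = 86600                # secdownload.timeout, in seconds


def covered_path(rel_path, path_elements):
    """Part of rel_path that goes into the checksum (0 = full path).

    Assumption: truncation is per segment, as in the '/user_id/module' example.
    """
    if path_elements <= 0:
        return rel_path
    segments = [s for s in rel_path.split("/") if s]
    return "/" + "/".join(segments[:path_elements])


def token_for(rel_path, ts_hex, path_elements):
    # Assumed stock scheme, MD5(secret + rel_path + hex timestamp), over the covered part only.
    data = SECRET + covered_path(rel_path, path_elements) + ts_hex
    return hashlib.md5(data.encode()).hexdigest()


def make_url(rel_path, path_elements, now=None):
    ts_hex = format(int(time.time() if now is None else now), "08x")
    return f"{URI_PREFIX}{token_for(rel_path, ts_hex, path_elements)}/{ts_hex}{rel_path}"


def check_url(url, path_elements, now=None):
    if not url.startswith(URI_PREFIX):
        return False
    token, _, rest = url[len(URI_PREFIX):].partition("/")
    ts_hex, slash, tail = rest.partition("/")
    if len(token) != 32 or len(ts_hex) != 8 or not slash:
        return False
    if any(c not in string.hexdigits for c in ts_hex):
        return False
    rel_path = "/" + tail
    # Added precaution: dot segments would let a path leave the covered prefix.
    if any(seg in (".", "..") for seg in rel_path.split("/")):
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts_hex, 16)) > TIMEOUT:  # reject expired or far-future timestamps
        return False
    return hmac.compare_digest(token_for(rel_path, ts_hex, path_elements), token)
```

With `path_elements = 2`, one token covers every file below `/user_id/module/` until the timeout expires, so the number of covered segments decides how much a single leaked URL exposes.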
Updated by melo over 11 years ago
I'm using this patch with 1.4.9 still in the test environment.
I want to update it to 1.4.11 before putting this in production.
_Note well:_ after uploading the file, I noticed a cosmetic typo. The configuration option should be path-elements and not
This will change in a future version of this patch.
Security-wise, I believe that this patch does not remove more security and control than what it is expected to remove. Please post any problems you find with it.
Updated by gstrauss about 1 year ago
- Description updated (diff)
- Status changed from New to Need Feedback
- Assignee deleted (
Is this feature still desirable?
As noted in #1904, arbitrary validation could be accomplished using a FastCGI authorizer in lieu of mod_secdownload, allowing the creation of the keys to be collocated with the code which validates the keys, instead of trying to extend mod_secdownload in a variety of ways.