Project

General

Profile

Actions

Feature #646

closed

secdownload.path_elements support

Added by melo over 18 years ago. Updated almost 8 years ago.

Status:
Fixed
Priority:
Low
Category:
mod_secdownload
Target version:
ASK QUESTIONS IN Forums:

Description

Hi,

in a project we where working on, we wanted to use mod_secure_download to protect a subdirectory and all the files inside.

This means that mod_secure_download cannot use the full relative path after the hexadecimal timestamp, but only X number of path_elements.

The attached patch adds a new option, secdownload.path_elements (defaults to 0, so it uses the full rel_path).

An example:


  secdownload.secret        = "some secret" 
  secdownload.document-root = "/my/storage/root/" 
  secdownload.uri-prefix    = "/safe_storage/" 
  secdownload.timeout       = 86600
  secdownload.path_elements = 2

This would allow the all the following URLs to be valid:


http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/a_file.txt
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/b_file.txt

because the checksum only takes in account `/user_id/module`.

You could also change secdownload.path_elements to 1 and then the same URLs could be used for all URLs with the same user_id.

See comments for patch "freshness" and stability.


Files

path-elements.diff (3.03 KB) path-elements.diff path_elements diff with version 1.4.9 melo, 2006-05-16 01:19
path-elements-1.4.9.diff (2.93 KB) path-elements-1.4.9.diff diff against 1.4.9: path-elements is used instead of path_elements melo, 2006-05-16 01:25

Related issues 1 (0 open1 closed)

Related to Feature #1904: mod_secdownload option to include url GET parameters in md5Fixed2009-02-17Actions
Actions #1

Updated by melo over 18 years ago

I'm using this patch with 1.4.9 still in the test environment.

I want to update it to 1.4.11 before putting this in production.

'_'Note well:'_' after uploading the file, I noticed a cosmetic typo. The configuration option should be path-elements and not path_elements.

This will change in a future version of this patch.

Security-wyse, I believe that this patch does not remove more security and control than what it is expected to remove. Please post any problems you find with it.

Thanks,

Actions #2

Updated by melo over 18 years ago

Hi,

fixed cosmetic bug: secdownload.path_elements was renamed to secdownload.path-elements to be more consistent with other options.

Still using this on a test environment.

Actions #3

Updated by gstrauss about 8 years ago

  • Related to Feature #1904: mod_secdownload option to include url GET parameters in md5 added
Actions #4

Updated by gstrauss about 8 years ago

  • Description updated (diff)
  • Status changed from New to Need Feedback
  • Assignee deleted (jan)

Is this feature still desirable?

As noted in #1904, arbitrary validation could be accomplished using a FastCGI authorizer in lieu of mod_secdownload, allowing the creation of the keys to be collocated with the code which validates the keys, instead of trying to extend mod_secdownload in a variety of ways.

Actions #5

Updated by gstrauss almost 8 years ago

  • Status changed from Need Feedback to Patch Pending
  • Target version set to 1.4.45
Actions #6

Updated by melo almost 8 years ago

Hello,

although we still use this patch in production, we are actually phasing it out at this moment to use a mechanism like what you describe, an authoriser.

I don't plan on using it anymore, so from my point of view, this ticket can be closed.

Thanks,

Actions #7

Updated by gstrauss almost 8 years ago

  • Target version changed from 1.4.45 to 1.4.46
Actions #8

Updated by gstrauss almost 8 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
Actions

Also available in: Atom