Feature #646

secdownload.path_elements support

Added by melo over 14 years ago. Updated over 3 years ago.

Target version:



in a project we where working on, we wanted to use mod_secure_download to protect a subdirectory and all the files inside.

This means that mod_secure_download cannot use the full relative path after the hexadecimal timestamp, but only X number of path_elements.

The attached patch adds a new option, secdownload.path_elements (defaults to 0, so it uses the full rel_path).

An example:

  secdownload.secret        = "some secret" 
  secdownload.document-root = "/my/storage/root/" 
  secdownload.uri-prefix    = "/safe_storage/" 
  secdownload.timeout       = 86600
  secdownload.path_elements = 2

This would allow the all the following URLs to be valid:

because the checksum only takes in account `/user_id/module`.

You could also change secdownload.path_elements to 1 and then the same URLs could be used for all URLs with the same user_id.

See comments for patch "freshness" and stability.


path-elements.diff (3.03 KB) path-elements.diff path_elements diff with version 1.4.9 melo, 2006-05-16 01:19
path-elements-1.4.9.diff (2.93 KB) path-elements-1.4.9.diff diff against 1.4.9: path-elements is used instead of path_elements melo, 2006-05-16 01:25

Related issues

Related to Feature #1904: mod_secdownload option to include url GET parameters in md5Fixed2009-02-17Actions

Updated by melo over 14 years ago

I'm using this patch with 1.4.9 still in the test environment.

I want to update it to 1.4.11 before putting this in production.

'_'Note well:'_' after uploading the file, I noticed a cosmetic typo. The configuration option should be path-elements and not path_elements.

This will change in a future version of this patch.

Security-wyse, I believe that this patch does not remove more security and control than what it is expected to remove. Please post any problems you find with it.



Updated by melo over 14 years ago


fixed cosmetic bug: secdownload.path_elements was renamed to secdownload.path-elements to be more consistent with other options.

Still using this on a test environment.


Updated by gstrauss almost 4 years ago

  • Related to Feature #1904: mod_secdownload option to include url GET parameters in md5 added

Updated by gstrauss almost 4 years ago

  • Description updated (diff)
  • Status changed from New to Need Feedback
  • Assignee deleted (jan)

Is this feature still desirable?

As noted in #1904, arbitrary validation could be accomplished using a FastCGI authorizer in lieu of mod_secdownload, allowing the creation of the keys to be collocated with the code which validates the keys, instead of trying to extend mod_secdownload in a variety of ways.


Updated by gstrauss almost 4 years ago

  • Status changed from Need Feedback to Patch Pending
  • Target version set to 1.4.45

Updated by melo almost 4 years ago


although we still use this patch in production, we are actually phasing it out at this moment to use a mechanism like what you describe, an authoriser.

I don't plan on using it anymore, so from my point of view, this ticket can be closed.



Updated by gstrauss over 3 years ago

  • Target version changed from 1.4.45 to 1.4.46

Updated by gstrauss over 3 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom