Ticket #646 (new enhancement)

Opened 2 years ago

Last modified 2 months ago

secdownload.path_elements support

Reported by: melo Assigned to: jan
Priority: low Milestone:
Component: mod_secdownload Version: 1.4.9
Severity: minor Keywords: patch
Cc: Blocking:
Need Feedback: 0

Description

Hi,

in a project we where working on, we wanted to use mod_secure_download to protect a subdirectory and all the files inside.

This means that mod_secure_download cannot use the full relative path after the hexadecimal timestamp, but only X number of path_elements.

The attached patch adds a new option, secdownload.path_elements (defaults to 0, so it uses the full rel_path).

An example: 

  secdownload.secret        = "some secret"
  secdownload.document-root = "/my/storage/root/"
  secdownload.uri-prefix    = "/safe_storage/"
  secdownload.timeout       = 86600
  secdownload.path_elements = 2

This would allow the all the following URLs to be valid: 

http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/a_file.txt
http://my.site/safe_storage/dcfa11fde1588d7b389229ec48a336ce/446921b1/user_id/module/b_file.txt

because the checksum only takes in account /user_id/module.

You could also change secdownload.path_elements to 1 and then the same URLs could be used for all URLs with the same user_id.

See comments for patch "freshness" and stability.

Attachments

path-elements.diff (3.0 kB) - added by melo on 05/16/2006 01:19:36 AM.
path_elements diff with version 1.4.9
path-elements-1.4.9.diff (2.9 kB) - added by melo on 05/16/2006 01:25:24 AM.
diff against 1.4.9: path-elements is used instead of path_elements

Change History

05/16/2006 01:19:36 AM changed by melo

  • attachment path-elements.diff added.

path_elements diff with version 1.4.9

05/16/2006 01:23:06 AM changed by melo

I'm using this patch with 1.4.9 still in the test environment.

I want to update it to 1.4.11 before putting this in production.

Note well: after uploading the file, I noticed a cosmetic typo. The configuration option should be path-elements and not path_elements.

This will change in a future version of this patch.

Security-wyse, I believe that this patch does not remove more security and control than what it is expected to remove. Please post any problems you find with it.

Thanks,

05/16/2006 01:25:24 AM changed by melo

  • attachment path-elements-1.4.9.diff added.

diff against 1.4.9: path-elements is used instead of path_elements

05/16/2006 01:26:54 AM changed by melo

Hi,

fixed cosmetic bug: secdownload.path_elements was renamed to secdownload.path-elements to be more consistent with other options.

Still using this on a test environment.

04/24/2008 07:36:52 PM changed by stbuehler

  • type changed from defect to enhancement.
  • blocking changed.
  • pending changed.

Add/Change #646 (secdownload.path_elements support)




Change Properties