apache_secure_download 0.0.7.230 → 0.0.9
- data/ChangeLog +9 -0
- data/README +12 -3
- data/lib/apache/secure_download/util.rb +46 -19
- data/lib/apache/secure_download/version.rb +1 -1
- data/lib/apache/secure_download.rb +12 -12
- metadata +27 -13
data/ChangeLog
CHANGED
@@ -1,5 +1,14 @@
|
|
1
1
|
= Revision history for apache_secure_download
|
2
2
|
|
3
|
+
== 0.0.9 [2010-06-23]
|
4
|
+
|
5
|
+
* Remove timestamp and token from query args
|
6
|
+
|
7
|
+
== 0.0.8 [2008-09-17]
|
8
|
+
|
9
|
+
* Some (minor) refactoring
|
10
|
+
* Account for URI fragment in Apache::SecureDownload::Util.secure_url
|
11
|
+
|
3
12
|
== 0.0.7 [2008-03-31]
|
4
13
|
|
5
14
|
* Fixed that token wouldn't respect query string when it should
|
data/README
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
== VERSION
|
4
4
|
|
5
|
-
This documentation refers to apache_secure_download version 0.0.
|
5
|
+
This documentation refers to apache_secure_download version 0.0.9
|
6
6
|
|
7
7
|
|
8
8
|
== DESCRIPTION
|
@@ -45,6 +45,15 @@ And create links to your resources with timestamp and token:
|
|
45
45
|
See Apache::SecureDownload::Util.secure_url for more examples.
|
46
46
|
|
47
47
|
|
48
|
+
== LINKS
|
49
|
+
|
50
|
+
<b></b>
|
51
|
+
Documentation:: <http://prometheus.rubyforge.org/apache_secure_download>
|
52
|
+
Source code (old):: <http://prometheus.rubyforge.org/svn/scratch/apache_secure_download>
|
53
|
+
Source code:: <http://github.com/blackwinter/apache_secure_download>
|
54
|
+
Rubyforge project:: <http://rubyforge.org/projects/prometheus>
|
55
|
+
|
56
|
+
|
48
57
|
== AUTHORS
|
49
58
|
|
50
59
|
* Jens Wille <mailto:jens.wille@uni-koeln.de>
|
@@ -52,8 +61,8 @@ See Apache::SecureDownload::Util.secure_url for more examples.
|
|
52
61
|
|
53
62
|
== LICENSE AND COPYRIGHT
|
54
63
|
|
55
|
-
Copyright (C) 2008 University of Cologne,
|
56
|
-
Albertus-Magnus-Platz,
|
64
|
+
Copyright (C) 2008-2010 University of Cologne,
|
65
|
+
Albertus-Magnus-Platz, 50923 Cologne, Germany
|
57
66
|
|
58
67
|
apache_secure_download is free software: you can redistribute it and/or modify
|
59
68
|
it under the terms of the GNU General Public License as published by the Free
|
@@ -3,9 +3,9 @@
|
|
3
3
|
# #
|
4
4
|
# A component of apache_secure_download. #
|
5
5
|
# #
|
6
|
-
# Copyright (C) 2008 University of Cologne,
|
7
|
-
#
|
8
|
-
#
|
6
|
+
# Copyright (C) 2008-2010 University of Cologne, #
|
7
|
+
# Albertus-Magnus-Platz, #
|
8
|
+
# 50923 Cologne, Germany #
|
9
9
|
# #
|
10
10
|
# Authors: #
|
11
11
|
# Jens Wille <jens.wille@uni-koeln.de> #
|
@@ -37,15 +37,6 @@ module Apache
|
|
37
37
|
|
38
38
|
extend self
|
39
39
|
|
40
|
-
QUERY_RE = %r{([?&])timestamp=.*?&token=.*?(&|\z)}o
|
41
|
-
|
42
|
-
# Computes the token from +secret+, +path+, and +timestamp+.
|
43
|
-
def token(secret, path, timestamp)
|
44
|
-
Digest::SHA1.hexdigest(
|
45
|
-
secret + path.sub(QUERY_RE) { $1 unless $2.empty? } + timestamp.to_s
|
46
|
-
)
|
47
|
-
end
|
48
|
-
|
49
40
|
# Creates a valid URL to the secured resource, identified by +url+. The
|
50
41
|
# argument +secret+ is the shared secret string that has been passed to
|
51
42
|
# the relevant RubyAccessHandler instance (cf. SecureDownload.new).
|
@@ -90,21 +81,57 @@ module Apache
|
|
90
81
|
# # 30 seconds later...
|
91
82
|
# secure_url(s, "/secure/url", :offset => 60) #=> "/secure/url?timestamp=1204024740&token=c7dcea5679ad539a7bad1dc4b7f44eb3dd36d6e8"
|
92
83
|
def secure_url(secret, url, expires = Time.now + 60)
|
93
|
-
path, _, query = URI.split(url)[5..7]
|
94
|
-
path << '?' << query if query
|
95
|
-
|
96
84
|
if expires.is_a?(Hash)
|
97
|
-
|
85
|
+
expires[:offset] ||= 60
|
86
|
+
cache = expires[:cache] || expires[:offset]
|
87
|
+
|
88
|
+
timestamp = (expires[:expires] || Time.now + expires[:offset]).to_i
|
98
89
|
|
99
|
-
unless
|
100
|
-
#
|
90
|
+
unless cache == false || cache.zero?
|
91
|
+
# make the URL cacheable for +cache+ seconds *on average*
|
101
92
|
timestamp = ((timestamp / cache.to_f).round + 1) * cache.to_i
|
102
93
|
end
|
103
94
|
else
|
104
95
|
timestamp = expires.to_i
|
105
96
|
end
|
106
97
|
|
107
|
-
|
98
|
+
path, query = URI.split(url).values_at(5, 7)
|
99
|
+
path << '?' << query if query
|
100
|
+
|
101
|
+
params = "timestamp=#{timestamp}&token=#{token(secret, path, timestamp)}"
|
102
|
+
|
103
|
+
url.sub(/#|\z/, "#{query ? '&' : '?'}#{params}\\&")
|
104
|
+
end
|
105
|
+
|
106
|
+
# Computes the token from +secret+, +path+, and +timestamp+.
|
107
|
+
def token(secret, path, timestamp)
|
108
|
+
Digest::SHA1.hexdigest("#{secret}#{real_path(path)}#{timestamp}")
|
109
|
+
end
|
110
|
+
|
111
|
+
# Returns +path+ with timestamp and token parameters removed.
|
112
|
+
def real_path(path)
|
113
|
+
clean(path, :path)
|
114
|
+
end
|
115
|
+
|
116
|
+
# Returns +query+ with timestamp and token parameters removed.
|
117
|
+
def real_query(query)
|
118
|
+
clean(query, :query)
|
119
|
+
end
|
120
|
+
|
121
|
+
private
|
122
|
+
|
123
|
+
# Returns +string+ with timestamp and token parameters removed.
|
124
|
+
# The +type+ indicates whether it's a _path_ or a _query_.
|
125
|
+
def clean(string, type)
|
126
|
+
char = case type
|
127
|
+
when :path then '\?'
|
128
|
+
when :query then '\A'
|
129
|
+
else raise ArgumentError, "type #{type.inspect} not supported"
|
130
|
+
end
|
131
|
+
|
132
|
+
%w[timestamp token].inject(string) { |memo, key|
|
133
|
+
memo.sub(/(#{char}|&)#{key}=[^&]*(&?)/) { $1 unless $2.empty? }
|
134
|
+
}
|
108
135
|
end
|
109
136
|
|
110
137
|
end
|
@@ -4,9 +4,9 @@
|
|
4
4
|
# apache_secure_download -- Apache module providing secure downloading #
|
5
5
|
# functionality #
|
6
6
|
# #
|
7
|
-
# Copyright (C) 2008 University of Cologne,
|
8
|
-
#
|
9
|
-
#
|
7
|
+
# Copyright (C) 2008-2010 University of Cologne, #
|
8
|
+
# Albertus-Magnus-Platz, #
|
9
|
+
# 50923 Cologne, Germany #
|
10
10
|
# #
|
11
11
|
# Authors: #
|
12
12
|
# Jens Wille <jens.wille@uni-koeln.de> #
|
@@ -27,7 +27,6 @@
|
|
27
27
|
###############################################################################
|
28
28
|
#++
|
29
29
|
|
30
|
-
require 'rubygems'
|
31
30
|
require 'apache/secure_download/util'
|
32
31
|
|
33
32
|
module Apache
|
@@ -38,11 +37,9 @@ module Apache
|
|
38
37
|
# The argument +secret+ is the shared secret string that the application
|
39
38
|
# uses to create valid URLs (tokens).
|
40
39
|
def initialize(secret, options = {})
|
41
|
-
@secret = secret
|
42
|
-
@deny = options[:deny]
|
43
|
-
@allow = options[:allow]
|
40
|
+
@secret, @deny, @allow = secret, *options.values_at(:deny, :allow)
|
44
41
|
|
45
|
-
raise ArgumentError, 'secret
|
42
|
+
raise ArgumentError, 'secret is missing' unless @secret.is_a?(String)
|
46
43
|
raise ArgumentError, ':deny is not a regexp' unless @deny.nil? || @deny.is_a?(Regexp)
|
47
44
|
raise ArgumentError, ':allow is not a regexp' unless @allow.nil? || @allow.is_a?(Regexp)
|
48
45
|
end
|
@@ -53,15 +50,18 @@ module Apache
|
|
53
50
|
# 2. The token is valid for the requested URL and the given timestamp
|
54
51
|
#
|
55
52
|
# If either condition doesn't hold true, access to the requested resource
|
56
|
-
# is
|
53
|
+
# is denied!
|
57
54
|
def check_access(request)
|
55
|
+
timestamp, token = request.param('timestamp'), request.param('token')
|
56
|
+
|
57
|
+
# Remove timestamp and token from query args
|
58
|
+
request.args = Util.real_query(request.args)
|
59
|
+
|
58
60
|
return FORBIDDEN if @deny && request.uri =~ @deny
|
59
61
|
return OK if @allow && request.uri =~ @allow
|
60
62
|
|
61
|
-
timestamp = request.param('timestamp')
|
62
|
-
|
63
63
|
return FORBIDDEN if timestamp.to_i < Time.now.to_i
|
64
|
-
return FORBIDDEN if
|
64
|
+
return FORBIDDEN if token != Util.token(@secret, request.unparsed_uri, timestamp)
|
65
65
|
|
66
66
|
return OK
|
67
67
|
end
|
metadata
CHANGED
@@ -1,7 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: apache_secure_download
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
|
4
|
+
hash: 13
|
5
|
+
prerelease: false
|
6
|
+
segments:
|
7
|
+
- 0
|
8
|
+
- 0
|
9
|
+
- 9
|
10
|
+
version: 0.0.9
|
5
11
|
platform: ruby
|
6
12
|
authors:
|
7
13
|
- Jens Wille
|
@@ -9,7 +15,7 @@ autorequire:
|
|
9
15
|
bindir: bin
|
10
16
|
cert_chain: []
|
11
17
|
|
12
|
-
date:
|
18
|
+
date: 2010-06-23 00:00:00 +02:00
|
13
19
|
default_executable:
|
14
20
|
dependencies: []
|
15
21
|
|
@@ -24,46 +30,54 @@ extra_rdoc_files:
|
|
24
30
|
- ChangeLog
|
25
31
|
- README
|
26
32
|
files:
|
27
|
-
- lib/apache/secure_download.rb
|
28
|
-
- lib/apache/secure_download/version.rb
|
29
33
|
- lib/apache/secure_download/util.rb
|
30
|
-
-
|
34
|
+
- lib/apache/secure_download/version.rb
|
35
|
+
- lib/apache/secure_download.rb
|
31
36
|
- README
|
32
37
|
- ChangeLog
|
33
38
|
- Rakefile
|
39
|
+
- COPYING
|
34
40
|
has_rdoc: true
|
35
41
|
homepage: http://prometheus.rubyforge.org/apache_secure_download
|
42
|
+
licenses: []
|
43
|
+
|
36
44
|
post_install_message:
|
37
45
|
rdoc_options:
|
38
|
-
- --inline-source
|
39
|
-
- --charset
|
40
|
-
- UTF-8
|
41
46
|
- --title
|
42
47
|
- apache_secure_download Application documentation
|
43
48
|
- --main
|
44
49
|
- README
|
45
|
-
- --all
|
46
50
|
- --line-numbers
|
51
|
+
- --inline-source
|
52
|
+
- --charset
|
53
|
+
- UTF-8
|
54
|
+
- --all
|
47
55
|
require_paths:
|
48
56
|
- lib
|
49
57
|
required_ruby_version: !ruby/object:Gem::Requirement
|
58
|
+
none: false
|
50
59
|
requirements:
|
51
60
|
- - ">="
|
52
61
|
- !ruby/object:Gem::Version
|
62
|
+
hash: 3
|
63
|
+
segments:
|
64
|
+
- 0
|
53
65
|
version: "0"
|
54
|
-
version:
|
55
66
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
67
|
+
none: false
|
56
68
|
requirements:
|
57
69
|
- - ">="
|
58
70
|
- !ruby/object:Gem::Version
|
71
|
+
hash: 3
|
72
|
+
segments:
|
73
|
+
- 0
|
59
74
|
version: "0"
|
60
|
-
version:
|
61
75
|
requirements: []
|
62
76
|
|
63
77
|
rubyforge_project: prometheus
|
64
|
-
rubygems_version: 1.
|
78
|
+
rubygems_version: 1.3.7
|
65
79
|
signing_key:
|
66
|
-
specification_version:
|
80
|
+
specification_version: 3
|
67
81
|
summary: Apache module providing secure downloading functionality, just like Mongrel Secure Download does for mongrel.
|
68
82
|
test_files: []
|
69
83
|
|