apache_secure_download 0.0.6.229 → 0.0.7.230

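--- a/data/ChangeLog
+++ b/data/ChangeLog
@@ -1,5 +1,10 @@
  = Revision history for apache_secure_download
 
+ == 0.0.7 [2008-03-31]
+
+ * Fixed that token wouldn't respect query string when it should
+ * Added sanity checks for arguments to Apache::SecureDownload.new
+
  == 0.0.6 [2008-03-29]
 
  * Reverted v0.0.5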
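--- a/data/README
+++ b/data/README
@@ -2,7 +2,7 @@
 
  == VERSION
 
- This documentation refers to apache_secure_download version 0.0.6
+ This documentation refers to apache_secure_download version 0.0.7
 
 
  == DESCRIPTION
@@ -12,7 +12,11 @@ Place the following snippet in your Apache config:
  # protect files by Apache Secure Download
  <IfModule mod_ruby.c>
  RubyRequire apache/ruby-run
+
  RubyRequire /path/to/apache_secure_download
+ # or
+ #RubyRequire rubygems
+ #RubyRequire apache/secure_download
 
  <Location /secure>
  # pass your shared secret string to the handler -- secret means SECRET!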
@@ -37,9 +37,13 @@ module Apache
37
37
 
38
38
  extend self
39
39
 
40
+ QUERY_RE = %r{([?&])timestamp=.*?&token=.*?(&|\z)}o
41
+
40
42
  # Computes the token from +secret+, +path+, and +timestamp+.
41
43
  def token(secret, path, timestamp)
42
- Digest::SHA1.hexdigest(secret + path + timestamp.to_s)
44
+ Digest::SHA1.hexdigest(
45
+ secret + path.sub(QUERY_RE) { $1 unless $2.empty? } + timestamp.to_s
46
+ )
43
47
  end
44
48
 
45
49
  # Creates a valid URL to the secured resource, identified by +url+. The
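Review bot: `QUERY_RE` uses lazy `.*?` for both values, so the span between `timestamp=` and `&token=` can run across other parameters; for a constructed URI such as `/f?timestamp=1&x=2&token=abc` the `sub` in `token` strips `x=2` too, leaving that parameter outside the digest although the commit's aim is for the token to respect the query string. Limiting each value to a single parameter fixes this: `QUERY_RE = %r{([?&])timestamp=[^&]*&token=[^&]*(&|\z)}`. The pattern also assumes `timestamp` precedes `token`; in the reverse order nothing is stripped and verification simply fails, which is safe but deserves a comment above the constant. Separately, the digest is still SHA1 over `secret + path + timestamp` with no separator between fields, so `OpenSSL::HMAC.hexdigest` over a delimited message would be the sturdier construction, at the cost of changing the token format for existing URL generators.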
@@ -6,7 +6,7 @@ module Apache
6
6
 
7
7
  MAJOR = 0
8
8
  MINOR = 0
9
- TINY = 6
9
+ TINY = 7
10
10
 
11
11
  class << self
12
12
 
@@ -38,11 +38,13 @@ module Apache
38
38
  # The argument +secret+ is the shared secret string that the application
39
39
  # uses to create valid URLs (tokens).
40
40
  def initialize(secret, options = {})
41
- raise ArgumentError, 'secret string missing' unless secret.is_a?(String)
42
-
43
41
  @secret = secret
44
- @allow = options[:allow]
45
42
  @deny = options[:deny]
43
+ @allow = options[:allow]
44
+
45
+ raise ArgumentError, 'secret string missing' unless @secret.is_a?(String)
46
+ raise ArgumentError, ':deny is not a regexp' unless @deny.nil? || @deny.is_a?(Regexp)
47
+ raise ArgumentError, ':allow is not a regexp' unless @allow.nil? || @allow.is_a?(Regexp)
46
48
  end
47
49
 
48
50
  # Checks whether the current +request+ satisfies the following requirements:
@@ -59,7 +61,7 @@ module Apache
59
61
  timestamp = request.param('timestamp')
60
62
 
61
63
  return FORBIDDEN if timestamp.to_i < Time.now.to_i
62
- return FORBIDDEN if request.param('token') != Util.token(@secret, request.uri, timestamp)
64
+ return FORBIDDEN if request.param('token') != Util.token(@secret, request.unparsed_uri, timestamp)
63
65
 
64
66
  return OK
65
67
  end
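Review bot: The new sanity checks in `initialize` still accept an empty string as `secret`, because `@secret.is_a?(String)` is the only test; with `''` the token becomes a digest of the path and timestamp alone, which any client can compute. Adding `raise ArgumentError, 'secret string empty' if @secret.empty?` after the type check would catch that misconfiguration at load time. In the second hunk the token is compared with `!=`, which stops at the first differing byte; a constant-time comparison (for example `OpenSSL.fixed_length_secure_compare`, after a nil and length check, where the installed OpenSSL binding provides it) is the usual choice for MAC-like values. The method containing the `unparsed_uri` change starts above the hunk, so any other validation of `request` is not visible here.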
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: apache_secure_download
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.6.229
4
+ version: 0.0.7.230
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jens Wille
@@ -9,7 +9,7 @@ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
11
 
12
- date: 2008-03-29 00:00:00 +01:00
12
+ date: 2008-03-31 00:00:00 +02:00
13
13
  default_executable:
14
14
  dependencies: []
15
15