apache_secure_download 0.0.7.230 → 0.0.9

data/ChangeLog

@@ -1,5 +1,14 @@
 = Revision history for apache_secure_download
 
+== 0.0.9 [2010-06-23]
+
+* Remove timestamp and token from query args
+
+== 0.0.8 [2008-09-17]
+
+* Some (minor) refactoring
+* Account for URI fragment in Apache::SecureDownload::Util.secure_url
+
 == 0.0.7 [2008-03-31]
 
 * Fixed that token wouldn't respect query string when it should

data/README

@@ -2,7 +2,7 @@
 
 == VERSION
 
-This documentation refers to apache_secure_download version 0.0.7
+This documentation refers to apache_secure_download version 0.0.9
 
 
 == DESCRIPTION
@@ -45,6 +45,15 @@ And create links to your resources with timestamp and token:
 See Apache::SecureDownload::Util.secure_url for more examples.
 
 
+== LINKS
+
+<b></b>
+Documentation::     <http://prometheus.rubyforge.org/apache_secure_download>
+Source code (old):: <http://prometheus.rubyforge.org/svn/scratch/apache_secure_download>
+Source code::       <http://github.com/blackwinter/apache_secure_download>
+Rubyforge project:: <http://rubyforge.org/projects/prometheus>
+
+
 == AUTHORS
 
 * Jens Wille <mailto:jens.wille@uni-koeln.de>
@@ -52,8 +61,8 @@ See Apache::SecureDownload::Util.secure_url for more examples.
 
 == LICENSE AND COPYRIGHT
 
-Copyright (C) 2008 University of Cologne,
-Albertus-Magnus-Platz, 50932 Cologne, Germany
+Copyright (C) 2008-2010 University of Cologne,
+Albertus-Magnus-Platz, 50923 Cologne, Germany
 
 apache_secure_download is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by the Free

data/lib/apache/secure_download/util.rb

@@ -3,9 +3,9 @@
 #                                                                             #
 # A component of apache_secure_download.                                      #
 #                                                                             #
-# Copyright (C) 2008 University of Cologne,                                   #
-#                    Albertus-Magnus-Platz,                                   #
-#                    50932 Cologne, Germany                                   #
+# Copyright (C) 2008-2010 University of Cologne,                              #
+#                         Albertus-Magnus-Platz,                              #
+#                         50923 Cologne, Germany                              #
 #                                                                             #
 # Authors:                                                                    #
 #     Jens Wille <jens.wille@uni-koeln.de>                                    #
@@ -37,15 +37,6 @@ module Apache
 
       extend self
 
-      QUERY_RE = %r{([?&])timestamp=.*?&token=.*?(&|\z)}o
-
-      # Computes the token from +secret+, +path+, and +timestamp+.
-      def token(secret, path, timestamp)
-        Digest::SHA1.hexdigest(
-          secret + path.sub(QUERY_RE) { $1 unless $2.empty? } + timestamp.to_s
-        )
-      end
-
       # Creates a valid URL to the secured resource, identified by +url+. The
       # argument +secret+ is the shared secret string that has been passed to
       # the relevant RubyAccessHandler instance (cf. SecureDownload.new).
@@ -90,21 +81,57 @@ module Apache
       #   # 30 seconds later...
       #   secure_url(s, "/secure/url", :offset => 60) #=> "/secure/url?timestamp=1204024740&token=c7dcea5679ad539a7bad1dc4b7f44eb3dd36d6e8"
       def secure_url(secret, url, expires = Time.now + 60)
-        path, _, query = URI.split(url)[5..7]
-        path << '?' << query if query
-
         if expires.is_a?(Hash)
-          timestamp = (expires[:expires] || Time.now + (expires[:offset] ||= 60)).to_i
+          expires[:offset] ||= 60
+          cache = expires[:cache] || expires[:offset]
+
+          timestamp = (expires[:expires] || Time.now + expires[:offset]).to_i
 
-          unless expires[:cache] == false || (cache = expires[:cache] || expires[:offset]).zero?
-            # makes the URL cacheable for +cache+ seconds *on average*
+          unless cache == false || cache.zero?
+            # make the URL cacheable for +cache+ seconds *on average*
             timestamp = ((timestamp / cache.to_f).round + 1) * cache.to_i
           end
         else
           timestamp = expires.to_i
         end
 
-        url + "#{query ? '&' : '?'}timestamp=#{timestamp}&token=#{token(secret, path, timestamp)}"
+        path, query = URI.split(url).values_at(5, 7)
+        path << '?' << query if query
+
+        params = "timestamp=#{timestamp}&token=#{token(secret, path, timestamp)}"
+
+        url.sub(/#|\z/, "#{query ? '&' : '?'}#{params}\\&")
+      end
+
+      # Computes the token from +secret+, +path+, and +timestamp+.
+      def token(secret, path, timestamp)
+        Digest::SHA1.hexdigest("#{secret}#{real_path(path)}#{timestamp}")
+      end
+
+      # Returns +path+ with timestamp and token parameters removed.
+      def real_path(path)
+        clean(path, :path)
+      end
+
+      # Returns +query+ with timestamp and token parameters removed.
+      def real_query(query)
+        clean(query, :query)
+      end
+
+      private
+
+      # Returns +string+ with timestamp and token parameters removed.
+      # The +type+ indicates whether it's a _path_ or a _query_.
+      def clean(string, type)
+        char = case type
+          when :path  then '\?'
+          when :query then '\A'
+          else raise ArgumentError, "type #{type.inspect} not supported"
+        end
+
+        %w[timestamp token].inject(string) { |memo, key|
+          memo.sub(/(#{char}|&)#{key}=[^&]*(&?)/) { $1 unless $2.empty? }
+        }
       end
 
     end

data/lib/apache/secure_download/version.rb

@@ -6,7 +6,7 @@ module Apache
 
       MAJOR = 0
       MINOR = 0
-      TINY  = 7
+      TINY  = 9
 
       class << self
 

data/lib/apache/secure_download.rb

@@ -4,9 +4,9 @@
 # apache_secure_download -- Apache module providing secure downloading        #
 #                           functionality                                     #
 #                                                                             #
-# Copyright (C) 2008 University of Cologne,                                   #
-#                    Albertus-Magnus-Platz,                                   #
-#                    50932 Cologne, Germany                                   #
+# Copyright (C) 2008-2010 University of Cologne,                              #
+#                         Albertus-Magnus-Platz,                              #
+#                         50923 Cologne, Germany                              #
 #                                                                             #
 # Authors:                                                                    #
 #     Jens Wille <jens.wille@uni-koeln.de>                                    #
@@ -27,7 +27,6 @@
 ###############################################################################
 #++
 
-require 'rubygems'
 require 'apache/secure_download/util'
 
 module Apache
@@ -38,11 +37,9 @@ module Apache
     # The argument +secret+ is the shared secret string that the application
     # uses to create valid URLs (tokens).
     def initialize(secret, options = {})
-      @secret = secret
-      @deny   = options[:deny]
-      @allow  = options[:allow]
+      @secret, @deny, @allow = secret, *options.values_at(:deny, :allow)
 
-      raise ArgumentError, 'secret string missing'  unless @secret.is_a?(String)
+      raise ArgumentError, 'secret is missing'      unless @secret.is_a?(String)
       raise ArgumentError, ':deny is not a regexp'  unless @deny.nil?  || @deny.is_a?(Regexp)
       raise ArgumentError, ':allow is not a regexp' unless @allow.nil? || @allow.is_a?(Regexp)
     end
@@ -53,15 +50,18 @@ module Apache
     # 2. The token is valid for the requested URL and the given timestamp
     #
     # If either condition doesn't hold true, access to the requested resource
-    # is forbidden!
+    # is denied!
     def check_access(request)
+      timestamp, token = request.param('timestamp'), request.param('token')
+
+      # Remove timestamp and token from query args
+      request.args = Util.real_query(request.args)
+
       return FORBIDDEN if @deny  && request.uri =~ @deny
       return OK        if @allow && request.uri =~ @allow
 
-      timestamp = request.param('timestamp')
-
       return FORBIDDEN if timestamp.to_i < Time.now.to_i
-      return FORBIDDEN if request.param('token') != Util.token(@secret, request.unparsed_uri, timestamp)
+      return FORBIDDEN if token != Util.token(@secret, request.unparsed_uri, timestamp)
 
       return OK
     end

metadata

@@ -1,7 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: apache_secure_download
 version: !ruby/object:Gem::Version 
-  version: 0.0.7.230
+  hash: 13
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 9
+  version: 0.0.9
 platform: ruby
 authors: 
 - Jens Wille
@@ -9,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-03-31 00:00:00 +02:00
+date: 2010-06-23 00:00:00 +02:00
 default_executable: 
 dependencies: []
 
@@ -24,46 +30,54 @@ extra_rdoc_files:
 - ChangeLog
 - README
 files: 
-- lib/apache/secure_download.rb
-- lib/apache/secure_download/version.rb
 - lib/apache/secure_download/util.rb
-- COPYING
+- lib/apache/secure_download/version.rb
+- lib/apache/secure_download.rb
 - README
 - ChangeLog
 - Rakefile
+- COPYING
 has_rdoc: true
 homepage: http://prometheus.rubyforge.org/apache_secure_download
+licenses: []
+
 post_install_message: 
 rdoc_options: 
-- --inline-source
-- --charset
-- UTF-8
 - --title
 - apache_secure_download Application documentation
 - --main
 - README
-- --all
 - --line-numbers
+- --inline-source
+- --charset
+- UTF-8
+- --all
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
-  version: 
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
-  version: 
 requirements: []
 
 rubyforge_project: prometheus
-rubygems_version: 1.0.1
+rubygems_version: 1.3.7
 signing_key: 
-specification_version: 2
+specification_version: 3
 summary: Apache module providing secure downloading functionality, just like Mongrel Secure Download does for mongrel.
 test_files: []