mongrel_secure_download-redux 0.0.2.199 → 0.0.3.200
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README +1 -1
- data/Rakefile +3 -1
- data/lib/mongrel_secure_download-redux/init.rb +40 -32
- metadata +7 -7
data/README
CHANGED
data/Rakefile
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require 'lib/mongrel_secure_download-redux/init'
|
|
2
|
+
|
|
1
3
|
begin
|
|
2
4
|
require 'hen'
|
|
3
5
|
|
|
@@ -7,7 +9,7 @@ begin
|
|
|
7
9
|
},
|
|
8
10
|
|
|
9
11
|
:gem => {
|
|
10
|
-
:version =>
|
|
12
|
+
:version => SecureDownloadRedux::VERSION,
|
|
11
13
|
:summary => 'Re-implementation of the Mongrel Secure Download Plugin',
|
|
12
14
|
:files => FileList['lib/**/*.rb'].to_a,
|
|
13
15
|
:extra_files => FileList['[A-Z]*', 'resources/*'].to_a,
|
|
@@ -8,26 +8,28 @@ require 'filemagic/ext'
|
|
|
8
8
|
|
|
9
9
|
class SecureDownloadRedux < GemPlugin::Plugin '/handlers'
|
|
10
10
|
|
|
11
|
+
# Our version ;-)
|
|
12
|
+
VERSION = '0.0.3'
|
|
13
|
+
|
|
11
14
|
include Mongrel::HttpHandlerPlugin
|
|
12
15
|
|
|
13
16
|
URL_RE = %r{\A(?:ht|f)tps?://}io
|
|
14
17
|
|
|
15
|
-
attr_reader :response, :secret, :base, :path, :timestamp, :token
|
|
16
|
-
|
|
17
18
|
def process(request, response)
|
|
18
|
-
|
|
19
|
+
@base = File.expand_path(@options[:base] || '.')
|
|
20
|
+
|
|
21
|
+
if @base == '/'
|
|
22
|
+
raise ArgumentError, 'specifying a base path of / is way too dangerous!'
|
|
23
|
+
end
|
|
19
24
|
|
|
20
|
-
@
|
|
21
|
-
@secret = @options[:secret]
|
|
22
|
-
@base = @options[:base] || '.'
|
|
23
|
-
@path = query['path']
|
|
24
|
-
@timestamp = query['timestamp']
|
|
25
|
-
@token = query['token']
|
|
25
|
+
@query = Mongrel::HttpRequest.query_parse(request.params['QUERY_STRING'])
|
|
26
26
|
|
|
27
27
|
if !required_params_given? || timeout? || !authorized?
|
|
28
28
|
response.start(@status) {}
|
|
29
29
|
else
|
|
30
|
-
@status
|
|
30
|
+
@status = 200 # OK
|
|
31
|
+
@response = response
|
|
32
|
+
|
|
31
33
|
url? ? send_url : send_file
|
|
32
34
|
end
|
|
33
35
|
end
|
|
@@ -36,71 +38,77 @@ class SecureDownloadRedux < GemPlugin::Plugin '/handlers'
|
|
|
36
38
|
|
|
37
39
|
def required_params_given?
|
|
38
40
|
@status = 500 # Internal Server Error
|
|
39
|
-
|
|
41
|
+
|
|
42
|
+
@secret = @options[:secret] and
|
|
43
|
+
@path = @query['path'] and
|
|
44
|
+
@timestamp = @query['timestamp'] and
|
|
45
|
+
@token = @query['token']
|
|
40
46
|
end
|
|
41
47
|
|
|
42
48
|
def timeout?
|
|
43
49
|
@status = 408 # Request Timeout
|
|
44
|
-
timestamp.to_i < Time.now.to_i
|
|
50
|
+
@timestamp.to_i < Time.now.to_i
|
|
45
51
|
end
|
|
46
52
|
|
|
47
53
|
def authorized?
|
|
48
54
|
@status = 403 # Forbidden
|
|
49
|
-
token == compute_token
|
|
55
|
+
@token == compute_token
|
|
50
56
|
end
|
|
51
57
|
|
|
52
58
|
def compute_token
|
|
53
|
-
Digest::SHA1.hexdigest(secret + path + timestamp)
|
|
59
|
+
Digest::SHA1.hexdigest(@secret + @path + @timestamp)
|
|
54
60
|
end
|
|
55
61
|
|
|
56
62
|
def url?
|
|
57
|
-
path =~ URL_RE
|
|
63
|
+
@path =~ URL_RE
|
|
58
64
|
end
|
|
59
65
|
|
|
60
66
|
def send_url_read
|
|
61
|
-
response.body = open(path) unless @header_only
|
|
62
|
-
response.send_body
|
|
67
|
+
@response.body = open(@path) unless @header_only
|
|
68
|
+
@response.send_body
|
|
63
69
|
end
|
|
64
70
|
|
|
65
71
|
def send_url_redirect1
|
|
66
72
|
@status = 303 # See Other vs. Found (302) vs. Temporary Redirect (307)
|
|
67
73
|
|
|
68
|
-
response.start(@status, true) { |head, body|
|
|
69
|
-
head['Location'] = path
|
|
74
|
+
@response.start(@status, true) { |head, body|
|
|
75
|
+
head['Location'] = @path
|
|
70
76
|
#head['Content-type'] = ???
|
|
71
77
|
|
|
72
|
-
body.write(%Q{See <a href="#{path}">#{path}</a>})
|
|
78
|
+
body.write(%Q{See <a href="#{@path}">#{@path}</a>})
|
|
73
79
|
}
|
|
74
80
|
end
|
|
75
81
|
|
|
76
82
|
def send_url_redirect2
|
|
77
|
-
response.socket.write(Mongrel::Const::REDIRECT % path)
|
|
83
|
+
@response.socket.write(Mongrel::Const::REDIRECT % @path)
|
|
78
84
|
end
|
|
79
85
|
|
|
80
86
|
# Choose your alternative:
|
|
81
|
-
alias_method :send_url, :
|
|
87
|
+
alias_method :send_url, :send_url_read
|
|
88
|
+
#alias_method :send_url, :send_url_redirect1
|
|
89
|
+
#alias_method :send_url, :send_url_redirect2
|
|
82
90
|
|
|
83
91
|
def send_file
|
|
84
|
-
path = File.expand_path(File.join(base, @path))
|
|
92
|
+
path = File.expand_path(File.join(@base, @path))
|
|
85
93
|
|
|
86
94
|
# Prevent double-dot vulnerability!
|
|
87
|
-
return unless path =~ %r{\A#{Regexp.escape(
|
|
95
|
+
return unless path =~ %r{\A#{Regexp.escape(@base)}/}
|
|
88
96
|
|
|
89
97
|
file = File.stat(path)
|
|
90
98
|
size = file.size
|
|
91
99
|
time = file.mtime
|
|
92
100
|
|
|
93
|
-
response.status = @status
|
|
101
|
+
@response.status = @status
|
|
94
102
|
|
|
95
|
-
response.header[Mongrel::Const::LAST_MODIFIED] = time.httpdate
|
|
96
|
-
response.header[Mongrel::Const::ETAG] = Mongrel::Const::ETAG_FORMAT % [time.to_i, size, file.ino]
|
|
97
|
-
response.header[Mongrel::Const::CONTENT_TYPE] = File.content_type(path) || @default_content_type
|
|
98
|
-
response.header['Content-Disposition'] = %Q{inline; filename="#{File.basename(path)}"}
|
|
103
|
+
@response.header[Mongrel::Const::LAST_MODIFIED] = time.httpdate
|
|
104
|
+
@response.header[Mongrel::Const::ETAG] = Mongrel::Const::ETAG_FORMAT % [time.to_i, size, file.ino]
|
|
105
|
+
@response.header[Mongrel::Const::CONTENT_TYPE] = File.content_type(path) || @default_content_type
|
|
106
|
+
@response.header['Content-Disposition'] = %Q{inline; filename="#{File.basename(path)}"}
|
|
99
107
|
|
|
100
|
-
response.send_status(size)
|
|
101
|
-
response.send_header
|
|
108
|
+
@response.send_status(size)
|
|
109
|
+
@response.send_header
|
|
102
110
|
|
|
103
|
-
@header_only ? response.send_body : response.send_file(path)
|
|
111
|
+
@header_only ? @response.send_body : @response.send_file(@path)
|
|
104
112
|
end
|
|
105
113
|
|
|
106
114
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mongrel_secure_download-redux
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.3.200
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jens Wille
|
|
@@ -9,7 +9,7 @@ autorequire:
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2008-02-
|
|
12
|
+
date: 2008-02-14 00:00:00 +01:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
@@ -42,22 +42,22 @@ extra_rdoc_files:
|
|
|
42
42
|
files:
|
|
43
43
|
- lib/mongrel_secure_download-redux/init.rb
|
|
44
44
|
- COPYING
|
|
45
|
-
- Rakefile
|
|
46
45
|
- README
|
|
46
|
+
- Rakefile
|
|
47
47
|
- resources/defaults.yaml
|
|
48
48
|
has_rdoc: true
|
|
49
49
|
homepage: http://prometheus.rubyforge.org/mongrel_secure_download-redux
|
|
50
50
|
post_install_message:
|
|
51
51
|
rdoc_options:
|
|
52
|
-
- --
|
|
52
|
+
- --line-numbers
|
|
53
53
|
- --main
|
|
54
54
|
- README
|
|
55
|
-
- --
|
|
55
|
+
- --title
|
|
56
|
+
- mongrel_secure_download-redux Application documentation
|
|
56
57
|
- --inline-source
|
|
57
58
|
- --charset
|
|
58
59
|
- UTF-8
|
|
59
|
-
- --
|
|
60
|
-
- mongrel_secure_download-redux Application documentation
|
|
60
|
+
- --all
|
|
61
61
|
require_paths:
|
|
62
62
|
- lib
|
|
63
63
|
required_ruby_version: !ruby/object:Gem::Requirement
|