mongrel_secure_download-redux 0.0.2.199 → 0.0.3.200
Sign up to get free protection for your applications and to get access to all the features.
- data/README +1 -1
- data/Rakefile +3 -1
- data/lib/mongrel_secure_download-redux/init.rb +40 -32
- metadata +7 -7
data/README
CHANGED
data/Rakefile
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require 'lib/mongrel_secure_download-redux/init'
|
|
2
|
+
|
|
1
3
|
begin
|
|
2
4
|
require 'hen'
|
|
3
5
|
|
|
@@ -7,7 +9,7 @@ begin
|
|
|
7
9
|
},
|
|
8
10
|
|
|
9
11
|
:gem => {
|
|
10
|
-
:version =>
|
|
12
|
+
:version => SecureDownloadRedux::VERSION,
|
|
11
13
|
:summary => 'Re-implementation of the Mongrel Secure Download Plugin',
|
|
12
14
|
:files => FileList['lib/**/*.rb'].to_a,
|
|
13
15
|
:extra_files => FileList['[A-Z]*', 'resources/*'].to_a,
|
|
@@ -8,26 +8,28 @@ require 'filemagic/ext'
|
|
|
8
8
|
|
|
9
9
|
class SecureDownloadRedux < GemPlugin::Plugin '/handlers'
|
|
10
10
|
|
|
11
|
+
# Our version ;-)
|
|
12
|
+
VERSION = '0.0.3'
|
|
13
|
+
|
|
11
14
|
include Mongrel::HttpHandlerPlugin
|
|
12
15
|
|
|
13
16
|
URL_RE = %r{\A(?:ht|f)tps?://}io
|
|
14
17
|
|
|
15
|
-
attr_reader :response, :secret, :base, :path, :timestamp, :token
|
|
16
|
-
|
|
17
18
|
def process(request, response)
|
|
18
|
-
|
|
19
|
+
@base = File.expand_path(@options[:base] || '.')
|
|
20
|
+
|
|
21
|
+
if @base == '/'
|
|
22
|
+
raise ArgumentError, 'specifying a base path of / is way too dangerous!'
|
|
23
|
+
end
|
|
19
24
|
|
|
20
|
-
@
|
|
21
|
-
@secret = @options[:secret]
|
|
22
|
-
@base = @options[:base] || '.'
|
|
23
|
-
@path = query['path']
|
|
24
|
-
@timestamp = query['timestamp']
|
|
25
|
-
@token = query['token']
|
|
25
|
+
@query = Mongrel::HttpRequest.query_parse(request.params['QUERY_STRING'])
|
|
26
26
|
|
|
27
27
|
if !required_params_given? || timeout? || !authorized?
|
|
28
28
|
response.start(@status) {}
|
|
29
29
|
else
|
|
30
|
-
@status
|
|
30
|
+
@status = 200 # OK
|
|
31
|
+
@response = response
|
|
32
|
+
|
|
31
33
|
url? ? send_url : send_file
|
|
32
34
|
end
|
|
33
35
|
end
|
|
@@ -36,71 +38,77 @@ class SecureDownloadRedux < GemPlugin::Plugin '/handlers'
|
|
|
36
38
|
|
|
37
39
|
def required_params_given?
|
|
38
40
|
@status = 500 # Internal Server Error
|
|
39
|
-
|
|
41
|
+
|
|
42
|
+
@secret = @options[:secret] and
|
|
43
|
+
@path = @query['path'] and
|
|
44
|
+
@timestamp = @query['timestamp'] and
|
|
45
|
+
@token = @query['token']
|
|
40
46
|
end
|
|
41
47
|
|
|
42
48
|
def timeout?
|
|
43
49
|
@status = 408 # Request Timeout
|
|
44
|
-
timestamp.to_i < Time.now.to_i
|
|
50
|
+
@timestamp.to_i < Time.now.to_i
|
|
45
51
|
end
|
|
46
52
|
|
|
47
53
|
def authorized?
|
|
48
54
|
@status = 403 # Forbidden
|
|
49
|
-
token == compute_token
|
|
55
|
+
@token == compute_token
|
|
50
56
|
end
|
|
51
57
|
|
|
52
58
|
def compute_token
|
|
53
|
-
Digest::SHA1.hexdigest(secret + path + timestamp)
|
|
59
|
+
Digest::SHA1.hexdigest(@secret + @path + @timestamp)
|
|
54
60
|
end
|
|
55
61
|
|
|
56
62
|
def url?
|
|
57
|
-
path =~ URL_RE
|
|
63
|
+
@path =~ URL_RE
|
|
58
64
|
end
|
|
59
65
|
|
|
60
66
|
def send_url_read
|
|
61
|
-
response.body = open(path) unless @header_only
|
|
62
|
-
response.send_body
|
|
67
|
+
@response.body = open(@path) unless @header_only
|
|
68
|
+
@response.send_body
|
|
63
69
|
end
|
|
64
70
|
|
|
65
71
|
def send_url_redirect1
|
|
66
72
|
@status = 303 # See Other vs. Found (302) vs. Temporary Redirect (307)
|
|
67
73
|
|
|
68
|
-
response.start(@status, true) { |head, body|
|
|
69
|
-
head['Location'] = path
|
|
74
|
+
@response.start(@status, true) { |head, body|
|
|
75
|
+
head['Location'] = @path
|
|
70
76
|
#head['Content-type'] = ???
|
|
71
77
|
|
|
72
|
-
body.write(%Q{See <a href="#{path}">#{path}</a>})
|
|
78
|
+
body.write(%Q{See <a href="#{@path}">#{@path}</a>})
|
|
73
79
|
}
|
|
74
80
|
end
|
|
75
81
|
|
|
76
82
|
def send_url_redirect2
|
|
77
|
-
response.socket.write(Mongrel::Const::REDIRECT % path)
|
|
83
|
+
@response.socket.write(Mongrel::Const::REDIRECT % @path)
|
|
78
84
|
end
|
|
79
85
|
|
|
80
86
|
# Choose your alternative:
|
|
81
|
-
alias_method :send_url, :
|
|
87
|
+
alias_method :send_url, :send_url_read
|
|
88
|
+
#alias_method :send_url, :send_url_redirect1
|
|
89
|
+
#alias_method :send_url, :send_url_redirect2
|
|
82
90
|
|
|
83
91
|
def send_file
|
|
84
|
-
path = File.expand_path(File.join(base, @path))
|
|
92
|
+
path = File.expand_path(File.join(@base, @path))
|
|
85
93
|
|
|
86
94
|
# Prevent double-dot vulnerability!
|
|
87
|
-
return unless path =~ %r{\A#{Regexp.escape(
|
|
95
|
+
return unless path =~ %r{\A#{Regexp.escape(@base)}/}
|
|
88
96
|
|
|
89
97
|
file = File.stat(path)
|
|
90
98
|
size = file.size
|
|
91
99
|
time = file.mtime
|
|
92
100
|
|
|
93
|
-
response.status = @status
|
|
101
|
+
@response.status = @status
|
|
94
102
|
|
|
95
|
-
response.header[Mongrel::Const::LAST_MODIFIED] = time.httpdate
|
|
96
|
-
response.header[Mongrel::Const::ETAG] = Mongrel::Const::ETAG_FORMAT % [time.to_i, size, file.ino]
|
|
97
|
-
response.header[Mongrel::Const::CONTENT_TYPE] = File.content_type(path) || @default_content_type
|
|
98
|
-
response.header['Content-Disposition'] = %Q{inline; filename="#{File.basename(path)}"}
|
|
103
|
+
@response.header[Mongrel::Const::LAST_MODIFIED] = time.httpdate
|
|
104
|
+
@response.header[Mongrel::Const::ETAG] = Mongrel::Const::ETAG_FORMAT % [time.to_i, size, file.ino]
|
|
105
|
+
@response.header[Mongrel::Const::CONTENT_TYPE] = File.content_type(path) || @default_content_type
|
|
106
|
+
@response.header['Content-Disposition'] = %Q{inline; filename="#{File.basename(path)}"}
|
|
99
107
|
|
|
100
|
-
response.send_status(size)
|
|
101
|
-
response.send_header
|
|
108
|
+
@response.send_status(size)
|
|
109
|
+
@response.send_header
|
|
102
110
|
|
|
103
|
-
@header_only ? response.send_body : response.send_file(path)
|
|
111
|
+
@header_only ? @response.send_body : @response.send_file(@path)
|
|
104
112
|
end
|
|
105
113
|
|
|
106
114
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mongrel_secure_download-redux
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.3.200
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jens Wille
|
|
@@ -9,7 +9,7 @@ autorequire:
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2008-02-
|
|
12
|
+
date: 2008-02-14 00:00:00 +01:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
@@ -42,22 +42,22 @@ extra_rdoc_files:
|
|
|
42
42
|
files:
|
|
43
43
|
- lib/mongrel_secure_download-redux/init.rb
|
|
44
44
|
- COPYING
|
|
45
|
-
- Rakefile
|
|
46
45
|
- README
|
|
46
|
+
- Rakefile
|
|
47
47
|
- resources/defaults.yaml
|
|
48
48
|
has_rdoc: true
|
|
49
49
|
homepage: http://prometheus.rubyforge.org/mongrel_secure_download-redux
|
|
50
50
|
post_install_message:
|
|
51
51
|
rdoc_options:
|
|
52
|
-
- --
|
|
52
|
+
- --line-numbers
|
|
53
53
|
- --main
|
|
54
54
|
- README
|
|
55
|
-
- --
|
|
55
|
+
- --title
|
|
56
|
+
- mongrel_secure_download-redux Application documentation
|
|
56
57
|
- --inline-source
|
|
57
58
|
- --charset
|
|
58
59
|
- UTF-8
|
|
59
|
-
- --
|
|
60
|
-
- mongrel_secure_download-redux Application documentation
|
|
60
|
+
- --all
|
|
61
61
|
require_paths:
|
|
62
62
|
- lib
|
|
63
63
|
required_ruby_version: !ruby/object:Gem::Requirement
|