Posted to asp@perl.apache.org by ri...@crosswired.co.uk on 2003/01/03 10:59:06 UTC

Security implementation question

Hi all.
   I am working on an application for which there are two levels of user.
User level 1 must upload files to the server, and user level 2 must be able
to download any files uploaded by users of level 1.
I have already implemented page level security to restrict each level user to
the pages for which they are authorised. My problem is that for user level 2
to be able to download these files, they must be placed somewhere within the
webroot.  I want to prevent user level 1 from downloading these files as they
are only intended for downloading by users of level 2.

The only idea I had was to store all files outside of the webroot, and when a
user of level 2 wants to download these files, they are copied to somewhere in
the webroot, with a filename such as
"$current-PID_$current-unixtime_$filename".  Furthermore, periodically, (every
hour for example), delete all files in this folder which are older than an
hour.  

This way, by also preventing directory listing of this folder, the only way a
user of level 1 could get these files would be to guess the PID, unix
timestamp, and filename, all within an hour (before they are cleaned away
again).
This I don't think is very likely.

Can anyone either point out any major problems with this approach, or
alternatively (preferably), suggest a better alternative ?
In case it makes any difference to people's ideas/views, I am not using Apache
for access control.  Users authenticate against a database, then on each page
they visit, their user level (taken from the session object) is checked
against the access level required for that page.

I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl 5.6.1

Thanks for any advice / feedback

Richard



---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org


Re: Security implementation question

Posted by Josh Chamas <jo...@chamas.com>.
Richard Curtis wrote:
>  >Can anyone either point out any major problems with this approach, or
> ---
> 
> Sorry for taking so long to reply, but I had email "issues".
> Thanks for this suggestion - it sounds like it will probably be just what I
> need.
> I have one further question though.  Is there a list somewhere of all the
> "ContentTypes".
> Eg, if I am sending a word document, or a PDF, what is the content type ?
> 

In your apache distribution, you should have the file mime.types.
Here are a couple lines from that file:

application/msword              doc
application/pdf                 pdf

Note, that for some browsers, they are not smart enough to
know what these mime types translate to, so you should also make sure
to end the download URL with the document extension, like this:

   /download.asp?file=real_file_name.doc

Especially for systems that associate extensions with applications,
this can work pretty well.

Regards,

Josh

________________________________________________________________
Josh Chamas, Founder                   phone:925-552-0128
Chamas Enterprises Inc.                http://www.chamas.com
NodeWorks Link Checking                http://www.nodeworks.com




Re: Security implementation question

Posted by Richard Curtis <ri...@crosswired.co.uk>.
> >Can anyone either point out any major problems with this approach, or
> >alternatively (preferably), suggest a better alternative ?
> >In case it makes any difference to peoples ideas/views, I am not using Apache
> >for access control.  Users authenticate against a database, then on each page
> >they visit, their user level (taken from the session object) is checked
> >against the access level required for that page.
> >
> Since You already have the users level is the Session object, you can
> have an asp handle the downloads, like this:
> -  check if the user has the required level.
> -  set $Response->{ContentType} to whatever it is you want
> -  open the (out of the webroot) file and while reading it, output to
> the client.

---

Sorry for taking so long to reply, but I had email "issues".
Thanks for this suggestion - it sounds like it will probably be just what I
need.
I have one further question though.  Is there a list somewhere of all the
"ContentTypes".
Eg, if I am sending a word document, or a PDF, what is the content type ?

Thanks
Richard




Re: Security implementation question

Posted by Thanos Chatziathanassiou <tc...@arx.gr>.
Hi Richard,

Happy new year to the list, BTW.

richard@crosswired.co.uk wrote:

>Can anyone either point out any major problems with this approach, or
>alternatively (preferably), suggest a better alternative ?
>In case it makes any difference to peoples ideas/views, I am not using Apache
>for access control.  Users authenticate against a database, then on each page
>they visit, their user level (taken from the session object) is checked
>against the access level required for that page.
>
Since you already have the user's level in the Session object, you can 
have an asp handle the downloads, like this:
-  check if the user has the required level.
-  set $Response->{ContentType} to whatever it is you want
-  open the (out of the webroot) file and while reading it, output to 
the client.

Now with this approach you will avoid the constant back and forth 
copying of files and
the remote possibility that a user can guess the filename, but there are 
some drawbacks:
- the ``heavy'' apache mod_perl process will be tied up for the duration 
of the download, so depending on your setup, the size of the download 
and the speed of the clients you might need more httpds running. The 
mod_perl guide can help you more on this - rather large - subject 
(http://perl.apache.org/docs/1.0/guide/index.html)

I really don't know if the above is a better solution, just a thought.

Regards,
Thanos Chatziathanassiou
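
The steps listed in the message above (check the level, set the content type, stream the file from outside the webroot), written out as an added example that is not code from the thread; it also sets the Content-Disposition header discussed in the BinaryWrite messages. The session key "user_level", the "file" query parameter and the %TYPES map are assumptions.

```perl
<%
# Added example, not code from the thread. Assumed names: the session key
# "user_level", the "file" query parameter and the %TYPES map.
my $DIR   = "/home/testapp/data/downloads";    # directory outside the webroot
my %TYPES = (doc => "application/msword",      # same pairs as mime.types
             pdf => "application/pdf");

# 1. Check the level stored in the session at login; anyone else gets a 403.
if (($Session->{user_level} || 0) != 2) {
    $Response->{Status} = 403;
    $Response->End;                            # End exits the script here
}

# 2. Accept only a bare file name: no "/", no leading ".", no quotes or
#    control characters, so it cannot leave $DIR or break a header value.
my $name = $Request->QueryString('file');
$name = '' unless defined $name;
unless ($name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}\z/) {
    $Response->{Status} = 400;
    $Response->End;
}
my ($ext) = $name =~ /\.([A-Za-z0-9]+)\z/;     # undef when there is no extension

my $path = "$DIR/$name";
my $fh;
unless (-f $path && open($fh, '<', $path)) {
    $Response->{Status} = 404;
    $Response->End;
}
binmode $fh;

# 3. Set the type, the suggested file name and the length before any body.
$Response->Clear;
$Response->{ContentType} = $TYPES{lc($ext || '')} || "application/octet-stream";
$Response->AddHeader('Content-Disposition', qq{attachment; filename="$name"});
$Response->AddHeader('Content-Length', (-s $fh));

# 4. Stream in 64 KB chunks instead of reading the whole file into memory.
my $buf;
while (read($fh, $buf, 65536)) {
    $Response->BinaryWrite($buf);
    $Response->Flush;
}
close $fh;
$Response->End;
%>
```

The httpd process is still occupied for the length of the transfer, which is the drawback noted in the message above.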





Re: BinaryWrite and filenames

Posted by Csongor Fagyal <co...@conceptonline.hu>.
>
>
>href="http://url/download.asp/filename.zip?.asp&file=filename.zip">filename.zip</a>
>
>You shouldn't need to call the script with the filename, and it 
>might not be desireable or practical.
>
Well, my download.asp read and output the file given by the file 
parameter, so it was kind of necessary where I used this :-) This is a 
copy-paste working example, not how you should do it.

> The ContentType I believe has 
>worked for me.
>
It did not work for me on all browsers, though. Some browsers (I don't 
remember which one) just wanted to download script.asp all the time, 
that is why the fancy parametering is used in my example.

- Cs.





Re: BinaryWrite and filenames

Posted by "Tim Moore <timj_moore@yahoo.co.uk>" <ti...@yahoo.co.uk>.
--- In apache-asp@yahoogroups.com, Csongor Fagyal <co...@c...> wrote:
> Richard Curtis wrote:
> 
> >
> >>> Hi.
> >>>   I am trying to implement binary write code, and have it working 
> >>> with the code shown below (note: this is only sample code - this 
> >>> code would not be put into production and I am aware of the problems 
> >>> it currently has).  I still have one problem which has me stumped.
> >>>
> >>> Any file sent to the browser this way always takes the name of the 
> >>> running script.  Eg, so I am streaming "test.zip" but when the file 
> >>> save as dialog pops up, it offers the name of "downloadTest.asp".
> >>
> >>
> >>
> >> Try calling your script as
> >> <a href="..../downloadTest.asp?file=test.zip">
> >>
> >> It should trick your browser.
> >>
> >> - Cs.
> >
> >
> > Thanks for the advice, but unfortunately it did not work for me.
> > I have found a solution which is to set 
> > "$Response->AddHeader('Content-Disposition',"attachment; 
> > filename=test.zip");"
> >
> > This works fine in Konquerer, and Mozilla 1.1 on Linux, and on Windows 
> > IE, Opera, but NOT Mozilla 1.2.1.
> > I am guessing it might be a mozilla bug as mozilla names the 
> > downloadable file to be "test.zip.asp"
> >
> > Anyone got any thoughts ?
> 
> Sorry, my original post was wrong. But this one is working for me on all 
> browsers:
> <a 
> href="http://url/download.asp/filename.zip?.asp&file=filename.zip">filename.zip</a>

You shouldn't need to call the script with the filename, and it 
might not be desirable or practical. The ContentType I believe has 
worked for me. I can't remember offhand, I'd have to check the 
details at work. I know Content-Disposition is often required for 
emails though as is perfectly legit MIME.

This seems to be a general ASP problem, not just Apache::ASP. There 
are plenty of IIS ASP BinaryWrite and filename problems on 
groups.google.com (Content-disposition being one solution).

P.S. With PDFs there are additional problems with the Acrobat reader 
plug-in. One in particular was the need to set the Content-Length.




Re: BinaryWrite and filenames

Posted by Csongor Fagyal <co...@conceptonline.hu>.
Richard Curtis wrote:

>
>>> Hi.
>>>   I am trying to implement binary write code, and have it working 
>>> with the code shown below (note: this is only sample code - this 
>>> code would not be put into production and I am aware of the problems 
>>> it currently has).  I still have one problem which has me stumped.
>>>
>>> Any file sent to the browser this way always takes the name of the 
>>> running script.  Eg, so I am streaming "test.zip" but when the file 
>>> save as dialog pops up, it offers the name of "downloadTest.asp".
>>
>>
>>
>> Try calling your script as
>> <a href="..../downloadTest.asp?file=test.zip">
>>
>> It should trick your browser.
>>
>> - Cs.
>
>
> Thanks for the advice, but unfortunately it did not work for me.
> I have found a solution which is to set 
> "$Response->AddHeader('Content-Disposition',"attachment; 
> filename=test.zip");"
>
> This works fine in Konquerer, and Mozilla 1.1 on Linux, and on Windows 
> IE, Opera, but NOT Mozilla 1.2.1.
> I am guessing it might be a mozilla bug as mozilla names the 
> downloadable file to be "test.zip.asp"
>
> Anyone got any thoughts ?

Sorry, my original post was wrong. But this one is working for me on all 
browsers:
<a 
href="http://url/download.asp/filename.zip?.asp&file=filename.zip">filename.zip</a>

- Cs.




Re: BinaryWrite and filenames

Posted by Richard Curtis <ri...@crosswired.co.uk>.
>> Hi.
>>   I am trying to implement binary write code, and have it working with 
>> the code shown below (note: this is only sample code - this code would 
>> not be put into production and I am aware of the problems it currently 
>> has).  I still have one problem which has me stumped.
>>
>> Any file sent to the browser this way always takes the name of the 
>> running script.  Eg, so I am streaming "test.zip" but when the file 
>> save as dialog pops up, it offers the name of "downloadTest.asp".
> 
> 
> Try calling your script as
> <a href="..../downloadTest.asp?file=test.zip">
> 
> It should trick your browser.
> 
> - Cs.

Thanks for the advice, but unfortunately it did not work for me.
I have found a solution which is to set 
"$Response->AddHeader('Content-Disposition',"attachment; 
filename=test.zip");"

This works fine in Konqueror, and Mozilla 1.1 on Linux, and on Windows 
IE, Opera, but NOT Mozilla 1.2.1.
I am guessing it might be a Mozilla bug as Mozilla names the 
downloadable file to be "test.zip.asp"

Anyone got any thoughts ?
Richard




Re: BinaryWrite and filenames

Posted by Csongor Fagyal <co...@conceptonline.hu>.
Richard Curtis wrote:

> Hi.
>   I am trying to implement binary write code, and have it working with 
> the code shown below (note: this is only sample code - this code would 
> not be put into production and I am aware of the problems it currently 
> has).  I still have one problem which has me stumped.
>
> Any file sent to the browser this way always takes the name of the 
> running script.  Eg, so I am streaming "test.zip" but when the file 
> save as dialog pops up, it offers the name of "downloadTest.asp".

Try calling your script as
<a href="..../downloadTest.asp?file=test.zip">

It should trick your browser.

- Cs.




BinaryWrite and filenames

Posted by Richard Curtis <ri...@crosswired.co.uk>.
Hi.
   I am trying to implement binary write code, and have it working with 
the code shown below (note: this is only sample code - this code would 
not be put into production and I am aware of the problems it currently 
has).  I still have one problem which has me stumped.

Any file sent to the browser this way always takes the name of the 
running script.  Eg, so I am streaming "test.zip" but when the file save 
as dialog pops up, it offers the name of "downloadTest.asp".

Is there a way around this ?
I am guessing I need to add another header, but can't find what to add :(

This is the source:
"downloadTest.asp"
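<%
# Sample only: sends one fixed file that lives outside the webroot.
$Response->{ContentType} = "application/pdf";
my $file = "/home/testapp/data/downloads/test.pdf";
open(my $fh, '<', $file) or die "Cannot open $file: $!";
binmode $fh;
my $data = do { local $/; <$fh> };   # read the whole file in one go
close $fh;

$Response->Clear;
$Response->AddHeader('Content-Length', length $data);
$Response->BinaryWrite($data);
$Response->End;
%>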

Richard




Re: Security implementation question

Posted by Theo Schlossnagle <je...@omniti.com>.
On Friday, Jan 3, 2003, at 04:59 US/Eastern, richard@crosswired.co.uk 
wrote:
> I have already implemented page level security to restrict each level 
> user to
> the pages for which they are authorised. My problem is that for user 
> level 2
> to be able to download these files, they must be placed somewhere 
> within the
> webroot.  I want to prevent user level 1 from downloading these files 
> as they
> are only intended for downloading by users of level 2.
>
> [ ... snip ... ]
>
> I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl 
> 5.6.1
>
> Thanks for any advice / feedback

If you don't mind using your mod_perl instances to serve files (your 
site is low traffic and this won't hurt you), then write a mod_perl 
PerlAccessHandler to deny people access.  Implement all of your login 
system in a PerlAuthenHandler.  Then just have a simple login page.

There are some good examples of this in the mod_perl cookbook.

The big advantage of this is that you never really need to "know" how 
to auth someone to write another web page for your site.  It is 
provided for you by your Authen handler before your page is ever loaded.

Also, your Authen handler can do slick things like put an instance of a 
"User" object in the Apache request notes, and the "new" method for 
your User object can look there first...  This allows you to blindly 
call:
my $user = User->new();
at the top of any ASP page and have full access to that user's object.  
And you _know_ it will be populated with valid data because they passed 
through your Authen/Access handlers and it was actually built in there 
-- of course, it does hurt to check ;-)

-- 
Theo Schlossnagle
Principal Consultant
OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
Phone:  +1 410 872 4910 x201     Fax:  +1 410 872 4911
1024D/82844984/95FD 30F1 489E 4613 F22E  491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA  3D 90 B9 9F BE 27 24 E7

