Re: Secure htaccess in a non-SSL Apache (and without Digest...)

Daniel,

--On 29 June 2012 14:04:01 +0200 Daniel Merino <daniel.merino@xxxxxxxxxxx> wrote:

You have talked about perl and mod_perl. I understand that you can
override htaccess to use a self-made bit of Perl code that processes it and
checks the token. Is this right?

You don't need to override htaccess.

Here's a piece of perl found through a random google search to send
a file:
http://rasterweb.net/raster/code/sendfile.html
You'll need to change the header as appropriate. Drop that in as
a CGI script (there are a million examples of perl CGI howtos).
It would be more efficient if it used sendfile.

All you need to do is modify that perl CGI script to check the
GET parameters. My idea was simply to use parameters for your video
name, the time, the user, and perhaps a random nonce, and also pass
a hash of those. So, CGI document is here:
 http://perldoc.perl.org/CGI.html
and you might want to do something like (completely untested):

   use strict;
   use warnings;
   use CGI;
   use Digest::SHA qw(sha256_base64);

   my $secret = '[perhaps read this from a file]';

   my $q = CGI->new;
   my $video = $q->url_param('video');
   my $user  = $q->url_param('user');
   my $time  = $q->url_param('time');
   my $nonce = $q->url_param('nonce');
   my $hash  = $q->url_param('hash');

   # Sanitize all the above with regexps, i.e. check defined, non-empty,
   # and in the expected shape (no path separators in the video name,
   # digits only in the timestamp)
   send404() unless defined $video && $video =~ /^[\w.-]+$/;
   send404() unless defined $user  && length $user;
   send404() unless defined $time  && $time =~ /^\d+$/;
   send404() unless defined $nonce && length $nonce;
   send404() unless defined $hash  && length $hash;

   my $checkhash = sha256_base64($video."\n".$user."\n".$time."\n".
                                 $nonce."\n".$secret);
   send404() unless ($checkhash eq $hash);

   my $checktime = time();

   # Exit unless less than 10 seconds out
   send404() unless (abs($checktime - $time) < 10);

   ...

   # send the file here

   # Every failure looks the same to the client: a plain 404, then exit
   sub send404 {
       print $q->header(-status => '404 Not Found');
       exit;
   }


When generating the link, you will have to generate the hash in the same
way, and of course a random nonce value.

So anyone can access your CGI program without any protection. However, they
will have to have an appropriate token (being the hash file) to actually
get the video. This has the advantage that if you want to put your video
file servers on EC2 or whatever, or just multiple servers that aren't your
drupal box, it's trivial to do.

--
Alex Bligh

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
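The token scheme Alex describes above (a hash over video, user, time, nonce and a shared secret, checked within a 10-second window) as an added example that is not part of the original thread: both the link generator (the Drupal side) and the verifier (the file-server side), written in Python rather than the Perl of the post. Two things are swapped in relative to the post: HMAC-SHA256 in place of a plain SHA-256 over fields-plus-secret, and a constant-time comparison in place of a string `eq`. The secret, the file name and the user name are constructed for the demonstration; the URL-safe base64 encoding of the token is a choice made here so that `+`, `/` and `=` never get mangled in a query string.

```python
# Added example: signed download links (generator + verifier). Not the post's code.
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed demo secret: in practice read it from a file outside the web root
# and share it only between the link generator and the file servers.
SECRET = b"constructed-demo-secret-do-not-use"
MAX_SKEW_SECONDS = 10                              # the post's "less than 10 seconds out"
VIDEO_NAME = re.compile(r"^[A-Za-z0-9._-]+$")      # bare file name, no path separators
TIMESTAMP = re.compile(r"^[0-9]+$")                # ASCII digits only


def _token(secret, video, user, ts, nonce):
    """HMAC-SHA256 over the newline-joined fields (the post hashes fields + secret)."""
    msg = "\n".join((video, user, str(ts), nonce)).encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # URL-safe base64 without padding: nothing in the token needs percent-encoding
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_query(video, user, secret=SECRET, now=None):
    """Build the query string the web app puts in the link to the file server."""
    ts = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)                   # fresh random nonce per link
    params = {"video": video, "user": user, "time": str(ts), "nonce": nonce}
    params["hash"] = _token(secret, video, user, ts, nonce)
    return urlencode(params)


def verify_query(query, secret=SECRET, now=None):
    """Check a query string; return (ok, reason). The CGI maps every failure to one 404."""
    try:
        parsed = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return False, "malformed query"
    got = {}
    for key in ("video", "user", "time", "nonce", "hash"):
        values = parsed.get(key, [])
        if len(values) != 1 or values[0] == "":    # missing, empty or repeated parameter
            return False, "missing or repeated parameter: " + key
        got[key] = values[0]
    if not TIMESTAMP.match(got["time"]):
        return False, "time is not an integer"
    if not VIDEO_NAME.match(got["video"]):
        return False, "bad video name"
    ts = int(got["time"])
    expected = _token(secret, got["video"], got["user"], ts, got["nonce"])
    if not hmac.compare_digest(expected, got["hash"]):   # constant-time, unlike 'eq'
        return False, "bad signature"
    current = int(time.time()) if now is None else int(now)
    if abs(current - ts) >= MAX_SKEW_SECONDS:
        return False, "link expired"
    return True, "ok"


if __name__ == "__main__":
    q = make_query("talk.mp4", "alice")
    print(q)
    print(verify_query(q))                                          # (True, 'ok')
    print(verify_query(q.replace("video=talk.mp4", "video=b.mp4")))  # (False, 'bad signature')
```

The verifier validates the shape of every parameter before it touches the hash, so a malformed timestamp or a video name containing a path cannot reach the file-sending step, and the signature check runs before the time check so that an attacker learns nothing about the clock window from a forged link. Because only the generator and the file servers hold the secret, the CGI can sit on any number of hosts (the EC2 case in the post) with no session state shared between them.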
