[mod_python] differentiate from where comes the request to a file

Rui Miguel Justino rmcjustino at gmail.com
Fri Jun 9 11:06:17 EDT 2006


Hello,
Thanks for the quick replies.I have been on this subject for the last couple
of days, and did not find a good answer to this. My project will be in top
of a python platform so is good to hear the opinion of people who also
understand the basics(apache).

I'm looking for some type of solution that is secure and easy to implement
and don't bring a bigger cost to the rest of the application. I will look
with more attention to the directions you both have pointed out, I will
definitively have to use authentication and then i can probably control the
access to files with Referer Header. I will study the viability of it.



On 6/9/06, Deron Meranda <deron.meranda at gmail.com> wrote:
>
> On 6/9/06, Rui Miguel Justino <rmcjustino at gmail.com> wrote:
> > Is it possible to differentiate between a request to a file of type
> > (pdf,png, etc) made by a psp page and a direct request made by a user
> who is
> > trying to access directly to this files?
> >
> > Sorry  if it is confuse. The purpose here is to only give access to
> files
> > for users who have authenticate to the application, but Even those users
> > will only have access to files that show up in the application(webpage).
> And
> > if those users are trying to guess file names they ill not have access
> to
> > the files.
>
> As Nicolas said, usually the Referer header is used as a simple check.
> That can even be done using just Apache directives with no mod_python
> work if you want.
>
> However, if you're willing to put in more work and you don't want
> to actually use authentication, you can make use of dynamically
> generated hard-to-guess URLs for your images.
>
> Essentially when you output the HTML page which contains the
> <img> link (or other linking element) you generate URLs with
> lots of random characters.  Then either record those URLs in
> a database of sorts, or perhaps encrypt or sign them (the standard
> Python 'hmac' module may be useful).  And finally have a mod_python
> handler accept all those URLs and serve the file contents only if
> the URL verification works.  Eventually you remove the valid
> URLs from your database (or they expire if you recorded a
> date in them before HMAC signing).
>
> There's lots of details I left out, but it should give you the idea.
> --
> Deron Meranda
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mm_cfg_has_not_been_edited_to_set_host_domains/pipermail/mod_python/attachments/20060609/19e28ab9/attachment.html


More information about the Mod_python mailing list