Mark Graves
May 10, 2014, 1:20:03 PM5/10/14
to web...@googlegroups.com
Hey everyone,
So I have a bunch of static files, managed by the database, which are not proprietary. They will be public content on the web site. I put them in the static folder so they can be served by Apache instead of streamed by web2py.
As I developed, I put a link in to download these files, or render the images to the user. These links use the web2py obfuscated file name, as the files were put in these folders through the upload mechanism.
My question is:
Is there an inherent security risk in doing this?
The files include the table names obviously, and the obfuscated name.
Could these files be used to attack that table somehow? (obviously if my controllers are not secure, that's a problem, but more from just exposing these obfuscated names to the public)
Thanks in advance!
Anthony
May 10, 2014, 2:07:56 PM5/10/14
to web...@googlegroups.com
Note, even when serving files from the /uploads folder via response.download(), the links still include the web2py obfuscated filename -- so no difference when serving from /static.
The transformed filenames include the table and field name as well as (1) a 16 character fragment from a UUID and (2) the original filename transformed to Base16 encoding. These elements are used to prevent directory traversal attacks via uploads as well as random guessing to find files to download. Exposing the names of actual files that you are making available to the public should not pose any problems.
Anthony
The transformed filenames include the table and field name as well as (1) a 16 character fragment from a UUID and (2) the original filename transformed to Base16 encoding. These elements are used to prevent directory traversal attacks via uploads as well as random guessing to find files to download. Exposing the names of actual files that you are making available to the public should not pose any problems.
Anthony
Mark Graves
May 10, 2014, 2:16:33 PM5/10/14
to web...@googlegroups.com
Thanks Anthony,
I really appreciate the sanity check.
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to a topic in the Google Groups "web2py-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py/svUn-EBei6k/unsubscribe.
To unsubscribe from this group and all its topics, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages