WebApp Sec mailing list archives
RE: Controlling access to pdf/doc files
From: "Sangita Pakala" <sangita.pakala () paladion net>
Date: Sat, 28 Feb 2004 18:49:29 +0530
Hi All,

Thanks a lot for all those ideas that we received on and off the list.

The best way to handle this issue seems to be by storing the file in the database as a BLOB. Use data streams to display it on the browser after checking that the user is an authenticated user and the session is valid.

The other solutions involved placing the file outside the web root and using file system permissions or authorization modules or generating the files on the fly.

Thanks,
Sangita.

OWASP AppSec FAQ
http://www.owasp.org/documentation/appsecfaq
Paladion Networks
http://www.paladion.net

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: Wednesday, February 25, 2004 2:50 AM
To: Sangita Pakala; webappsec () securityfocus com
Subject: Re: Controlling access to pdf/doc files

Why does it need to be a file?

I would approach this by storing the data in an object and streaming it to the browser after having made an authorization check. Check the session context, call the method and read the data from the user's object. Then stream it to the browser. No need to cache it in a file. Bad for performance and security.

As always designing better solutions is cheaper than fixing bad ones ;-)

---- Sangita Pakala <sangita.pakala () paladion net> wrote:
Hi,

Could I have the list's thoughts on an answer we are preparing for the next version of the AppSec FAQ at OWASP.

Question - How can I ensure my application allows only authenticated users access to files like *.pdf or *.doc?

Issue - Suppose a web site, say a bank site, displays the user's account statement as a .doc file. What if someone tries to access this file by typing its full URL into the address bar? How does the application check whether the user trying to access the file is the authenticated user and that the session has not expired?

Solution - One solution is to have a random number for the name of the file or the folder containing it. This random number could even be related to the session token of the user. This file/folder should then be deleted as soon as the user's session has expired.

Are there better methods available to address this issue? Can the web server run a server side program to verify the session token before serving the final GET request for the file?

Thanks,
Sangita.

OWASP AppSec FAQ
http://www.owasp.org/documentation/appsecfaq
Paladion Networks
http://www.paladion.net