
Mailing List Archive: ModPerl: ModPerl

protecting internal redirects

 

 



pc88mxer at gmail

Mar 18, 2010, 1:59 PM

Post #1 of 7 (982 views)
protecting internal redirects

Hi all,

This is not exactly a mod_perl question - in fact I hope there is a
solution which does not use mod_perl.

I have a CGI script which generates a lot of output. Because it takes
a lot of time to generate the output, the results are cached in case the same
request is made again.

To serve the file the CGI script issues an internal redirect to a url
which points to the cached results.

My question is: can the url which points to the cached results be
protected so that it cannot be directly accessed by external clients?

For example:

1. user makes a request
2. CGI script handles request. It computes a file name for the
results, generates the results and places the result in that file.
3. The CGI script then emits an internal redirect to a url which will
map to the file name determined in step 2.
4. Apache will process the internal redirect and serve the contents of
the file to the client.

I want to prevent the clients from accessing the file directly by
figuring out what the url is in step 3.
I know that clients will not see the internal redirect, but I also
want to prevent them from guessing it.

Is there an Apache configuration I can use to accomplish this, or do I
need to use mod_perl?

Thanks,
ER


mpeters at plusthree

Mar 18, 2010, 2:09 PM

Post #2 of 7 (927 views)
Re: protecting internal redirects

On 03/18/2010 04:59 PM, E R wrote:

> My question is: can the url which points to the cached results be
> protected so that it cannot be directly accessed by external clients?

You should be able to do something like this for that <Location> block
(so you might have to put that URL inside of a separate <Location>
block) assuming the IP of your machine is 1.2.3.4

Order Deny,Allow
Deny from all
Allow from 1.2.3.4

--
Michael Peters
Plus Three, LP


mcapone at cablewholesale

Mar 18, 2010, 3:05 PM

Post #3 of 7 (925 views)
Re: protecting internal redirects

Rather than doing the URL redirect, why not just keep the cached results
in a private directory, and let the CGI open them and serve them up
directly? This would be the most secure way.

So, you could do something like this:

################################################################################
use strict;
use warnings;

# FigureOutRequest() and DoAllTheWork() are placeholders for your own code.
print "Content-type: text/html\n\n";    # or whatever the appropriate content-type is

# Find out if the result is already cached in a file.
my $cached_file_name = FigureOutRequest();

if (defined $cached_file_name && $cached_file_name ne "")
{
    # Three-argument open keeps the file name from being read as a mode or pipe.
    open(my $cache_in, '<', "/path/to/$cached_file_name")
        or die "Cannot open cache file: $!";
    print STDOUT <$cache_in>;    # send output to browser
    close $cache_in;
}
else
{
    my $generated_result = DoAllTheWork();

    # Save the generated result into the cache...
    my $new_cache_file = "appropriate_name.txt";
    open(my $cache_out, '>', "/path/to/$new_cache_file")
        or die "Cannot write cache file: $!";
    print $cache_out $generated_result;
    close $cache_out;

    print STDOUT $generated_result;    # ... and then send it back to the browser.
}

Would that get the job done?

E R wrote:
> Hi all,
>
> This is not exactly a mod_perl question - in fact I hope there is a
> solution which does not use mod_perl.
>
> I have a CGI script which generates a lot of output. Because it takes
> a lot of time to generate the output, the results are cached in case the same
> request is made again.
>
> To serve the file the CGI script issues an internal redirect to a url
> which points to the cached results.
>
> My question is: can the url which points to the cached results be
> protected so that it cannot be directly accessed by external clients?
>
> For example:
>
> 1. user makes a request
> 2. CGI script handles request. It computes a file name for the
> results, generates the results and places the result in that file.
> 3. The CGI script then emits an internal redirect to a url which will
> map to the file name determined in step 2.
> 4. Apache will process the internal redirect and serve the contents of
> the file to the client.
>
> I want to prevent the clients from accessing the file directly by
> figuring out what the url is in step 3.
> I know that clients will not see the internal redirect, but I also
> want to prevent them from guessing it.
>
> Is there an Apache configuration I can use to accomplish this, or do I
> need to use mod_perl?
>
> Thanks,
> ER
>
>


michael00peters at gmail

Mar 18, 2010, 3:16 PM

Post #4 of 7 (943 views)
Re: protecting internal redirects

On 03/18/2010 06:05 PM, Michael A. Capone wrote:
> This would be the most secure way.

Saying it's the *most* secure way is a little stretch. It's *another*
secure way. Also, keeping a large Perl/CGI process alive just to serve a
static file is a waste. In fact, if you can think of a mod_rewrite rule
to automatically look for the cached file first and send that before
even getting to the CGI script would be your best bet for performance.

--
Michael Peters


mcapone at cablewholesale

Mar 18, 2010, 3:37 PM

Post #5 of 7 (938 views)
Re: protecting internal redirects

Both very good points! I stand corrected.

Michael Peters wrote:
> On 03/18/2010 06:05 PM, Michael A. Capone wrote:
>> This would be the most secure way.
>
> Saying it's the *most* secure way is a little stretch. It's *another*
> secure way. Also, keeping a large Perl/CGI process alive just to serve
> a static file is a waste. In fact, if you can think of a mod_rewrite
> rule to automatically look for the cached file first and send that
> before even getting to the CGI script would be your best bet for
> performance.
>


torsten.foertsch at gmx

Mar 19, 2010, 2:09 AM

Post #6 of 7 (921 views)
Re: protecting internal redirects

On Thursday 18 March 2010 21:59:26 E R wrote:
> To serve the file the CGI script issues an internal redirect to a url
> which points to the cached results.
>
> My question is: can the url which points to the cached results be
> protected so that it cannot be directly accessed by external clients?
>
When it creates the new redirected request (can I say "redirectee"?) apache
copies the environment variables of the original request to the new one. All
variable names are prefixed with "REDIRECT_". mod_rewrite should be able to
check the presence of one of them.

Torsten Förtsch

--
Need professional modperl support? Hire me! (http://foertsch.name)

Like fantasy? http://kabatinte.net
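
Added example (not part of the original thread): one way to write the check described in the post above as Apache configuration with mod_rewrite and mod_env. The /cache/ and /cgi-bin/report.cgi paths and the CACHE_OK variable name are assumptions made for illustration; REDIRECT_STATUS is a variable Apache itself sets on an internally redirected request.

```apache
# Constructed example. /cache/, /cgi-bin/report.cgi and CACHE_OK are assumed
# names. Place in server or virtual-host context so the rules run before the
# URL is mapped to a file. Use ONE of the two options below.
RewriteEngine On

# Option 1: refuse any request for the cache that did not arrive through an
# internal redirect. The redirected request carries REDIRECT_STATUS; a request
# that comes straight from a client has no such variable, so the pattern ^$
# (empty) matches and the request is answered with 403 Forbidden.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^/cache/ - [F]

# Option 2: accept only redirects that started at the CGI script. The marker
# is set on the original request; Apache copies it to the redirected request
# with the REDIRECT_ prefix, so only that copy is tested here.
<Location /cgi-bin/report.cgi>
    SetEnv CACHE_OK 1
</Location>
RewriteCond %{ENV:REDIRECT_CACHE_OK} !=1
RewriteRule ^/cache/ - [F]
```

Option 1 lets through every internal redirect into /cache/, including ones from ErrorDocument or other rewrite rules, which is why Option 2 ties the check to a marker set only where the CGI script lives. To verify either option, request a cached URL directly and expect 403, then request the CGI URL and expect the cached content.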


pc88mxer at gmail

Mar 19, 2010, 1:27 PM

Post #7 of 7 (917 views)
Re: protecting internal redirects

Thanks for all of the suggestions. Looking for REDIRECT_* environment
variables seems like it will work for me.

2010/3/19 Torsten Förtsch <torsten.foertsch [at] gmx>:
> On Thursday 18 March 2010 21:59:26 E R wrote:
>> To serve the file the CGI script issues an internal redirect to a url
>> which points to the cached results.
>>
>> My question is: can the url which points to the cached results be
>> protected so that it cannot be directly accessed by external clients?
>>
> When it creates the new redirected request (can I say "redirectee"?) apache
> copies the environment variables of the original request to the new one. All
> variable names are prefixed with "REDIRECT_". mod_rewrite should be able to
> check the presence of one of them.
>
> Torsten Förtsch
>
> --
> Need professional modperl support? Hire me! (http://foertsch.name)
>
> Like fantasy? http://kabatinte.net
>
