Obfuscating download links
Posted by: thrill
Date: March 14, 2008 11:38AM

Hello all mighty webapp masters, I have a very specific problem (yes, only one today) that I need your advice on.

We have a web server that needs to be publicly available, this web server will host software images that need to be downloaded via http from phones, so prior to them downloading, we need to send an SMS to the phone with a link. Obviously, we do not want to make this link a static one because we don't want the entire world being able to download our stuff.

What I need is some sort of download manager that would allow me to set it up so that it sends out links (via email is sufficient) that are temporary. For example:

Link emailed:
hxxp://download.mysite.com/download.php?23478aslek4729asldkjterw734478

Would point internally to:
hxxp://download.mysite.com/some/private/directory/file.jar

Any suggestions?

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Obfuscating download links
Posted by: tx
Date: March 14, 2008 01:28PM

Off the top of my head I don't know of a pre-existing package that will do what you're looking for (although it's entirely possible that one exists). But in terms of implementing this from the ground up, I think it's rather simple if you integrate with memcached. As a brief description,
1) Create an array containing the actual path to the downloadable file and any authentication data that you may want (username and hashed password or perhaps tie it to IP if possible)
2) Generate a hash of that (serialized) array and use that both as your 'download key' (to be sent to users) and as the memcache key.
3) Store the array in memcache using the generated key and giving it the desired expiration time.
4) Email out the link (hxxp://download.mysite.com/download.php?23478aslek4729asldkjterw734478)

When the user gets the email the script looks up the key in memcache, if the key still exists it performs any necessary authentication, verifies the safety of the file to be downloaded via whitelist (no /etc/passwd :) and delivers the file to the user (using header() with Content-Disposition and readfile() )

If using username/password authentication, it would probably have to be a two step process, but it wouldn't really be that different.
Also, I suppose that the download key and the actual memcache key don't have to be the same so long as there is an algorithm/db table to translate between the two.

EDIT: This is part of an old wrapper class I wrote that extends the PECL MemCache class
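<?php
// tx
// Class for wrapping/extending memcached (PECL Memcache extension).
// MC_SERVER and MC_PORT must be defined before instantiating, e.g.:
//  define('MC_SERVER','localhost');
//  define('MC_PORT',11211);
if (class_exists('Memcache')) {
  class my_memcache extends Memcache {
    // True once connect() has succeeded.
    public $connected = false;

    // Derive the memcache key from an arbitrary string.
    function make_key($string) {
      return md5($string);
    }

    // Check whether an entry is stored under the hashed key.
    // A stored value of false cannot be told apart from a miss.
    function key_exists($key) {
      return ($this->get($this->make_key($key)) !== false);
    }

    // Connect on construction; $connected records whether it succeeded.
    function __construct() {
      $this->connected = $this->connect(MC_SERVER, MC_PORT);
    }
  }
} else {
  // Fallback stub when the extension is missing; $connected stays false.
  class my_memcache {
    public $connected = false;
  }
}
?>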

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 03/14/2008 01:57PM by tx.
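
The four steps and the download-side checks described in the post above, as an added example that is not part of the original post or of tx's wrapper class. Assumptions: the TtlStore stand-in for memcached, the DOWNLOAD_ROOT path, the function names, a random key in place of a hash of the serialized array, and deleting the key after the first download.

```php
<?php
// Added example. TtlStore is a hypothetical in-memory stand-in for a
// memcached client (simplified set/get/delete), so the flow runs offline.
class TtlStore {
  private $items = [];
  function set($key, $value, $ttl) { $this->items[$key] = [$value, time() + $ttl]; }
  function get($key) {
    if (!isset($this->items[$key]) || $this->items[$key][1] < time()) return false;
    return $this->items[$key][0];
  }
  function delete($key) { unset($this->items[$key]); }
}

// Constructed location for the private files (assumption).
define('DOWNLOAD_ROOT', sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'private_downloads');

// Steps 1-3: store file name and client binding under a random key with a TTL.
function issue_link(TtlStore $store, $file, $clientIp, $ttl = 900) {
  $key = bin2hex(random_bytes(16)); // random, so it reveals nothing about the entry
  $store->set($key, ['file' => $file, 'ip' => $clientIp], $ttl);
  return 'hxxp://download.mysite.com/download.php?' . $key;
}

// Download side: returns [HTTP status, resolved path or null].
function redeem(TtlStore $store, $key, $clientIp) {
  if (!preg_match('/^[0-9a-f]{32}$/', $key)) return [400, null];
  $entry = $store->get($key);
  if ($entry === false) return [404, null];            // unknown or expired key
  if ($entry['ip'] !== $clientIp) return [403, null];  // optional IP tie-in
  $root = realpath(DOWNLOAD_ROOT);
  $path = realpath(DOWNLOAD_ROOT . DIRECTORY_SEPARATOR . $entry['file']);
  // Whitelist: the resolved path must be a regular file under DOWNLOAD_ROOT.
  if ($root === false || $path === false || !is_file($path)
      || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) return [403, null];
  $store->delete($key); // one-time use: the key is gone after the first download
  return [200, $path];  // caller sends Content-Disposition, then readfile($path)
}

// Constructed demo: one real file, one entry that resolves outside the root.
if (!is_dir(DOWNLOAD_ROOT)) mkdir(DOWNLOAD_ROOT, 0700);
file_put_contents(DOWNLOAD_ROOT . DIRECTORY_SEPARATOR . 'file.jar', 'demo');
$store = new TtlStore();
$keyOf = function ($link) { return substr($link, strpos($link, '?') + 1); };
$good = $keyOf(issue_link($store, 'file.jar', '203.0.113.7'));
$outside = $keyOf(issue_link($store, '../../etc/passwd', '203.0.113.7'));
foreach ([[$good, '198.51.100.9'], [$good, '203.0.113.7'], [$good, '203.0.113.7'],
          [$outside, '203.0.113.7']] as $try) {
  echo redeem($store, $try[0], $try[1])[0], "\n";
}
```

The demo prints one status per attempt: a request from a different IP, the first valid download, a replay of the same link, and an entry whose path resolves outside DOWNLOAD_ROOT.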

Re: Obfuscating download links
Posted by: thrill
Date: March 14, 2008 02:20PM

Wow.. that is a very nice and quick solution. I think our awesome coders should be able to put this together with what you've written.. thanks tx!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Obfuscating download links
Date: March 14, 2008 06:14PM

My approach would be a bit more obscure, but then again I don't write hardcore PHP code, and it would probably be less practical for high volume traffic. In my most basic idea I would generate some type of a one time use hash based off of miscellaneous environmental properties (such as the User-Agent and the I.P.), would write it to a file, and then check to see if it's valid once requested. If so it's then deleted from the file, the user downloads the application, and the hash no longer works. Again this is probably highly impractical for anything but small scale operations by people who don't care too much for server-side languages.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Obfuscating download links
Posted by: tx
Date: March 14, 2008 06:39PM

@thrill: np :)

@Awesome AnDrEw: That's actually the same basic principle except that memcached stores the data in memory so it's quicker than writing to file and it also intrinsically supports expiration times on that data so you don't have to worry about writing any routines to handle that.

-tx @ lowtech-labs.org
