RE: Controlling access to pdf/doc files

["Alistair Meikle" <alistair.meikle () civiccomputing com>]

It depends what you're programming in, with a java servlet you can add a
handler into the web.xml, store the files outside the document tree
(like ian said) and then just use a get request handler like this:

--

public void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
        // get session here and check for a valid user

        if(validuser) {
                // check if the file exists
                if(fileexists) {
                        try { 
                        BufferedInputStream in = new
BufferedInputStream(new FileInputStream(file));
                        OutputStream out = response.getOutputStream();
 
response.setContentType(this.getServletContext().getMimeType(fileName));
 
response.setHeader("Content-Disposition","inline; filename=\"" +
fileName + "\"");

                        // stream the data by only reading in a maximum
of 2000 bytes at a time (simple reader)
                        int buffSize = 2000;
                        byte[] buff = new byte[buffSize];
                        int bytesRead;
                        while(-1 != (bytesRead = in.read(buff, 0,
buffSize)))
                        {
                        out.write(buff, 0, bytesRead);
                        }
                        // clean up
                        in.close();
                        // don't close the output stream as tomcat
usually deals with this
                        }
                        catch(IOException e) {
                                // something went wrong, deal with it
                        }
                }
                else {
                        // redirect to file not found
                }
        }
        else {
                // return no access (400 error)
        }
}

--

Random names for files is never a good idea as someone can just copy and
the give the link to another person. And you can't use
http://username:password@<uri> anymore as it won't work in the latest IE
after the latest security patch (not that it was safe anyway).

You can do the above code in ASP, Perl, PHP, anything with the ability
to open a file socket.

Al

-----Original Message-----
From: GRIFFITHS ian [mailto:ian.griffiths () liv-coll ac uk] 
Sent: 24 February 2004 22:25
To: 'Sangita Pakala '; 'webappsec () securityfocus com '
Subject: RE: Controlling access to pdf/doc files


Put the document above web root and dispense via a file stream to the
authenticated user?

Ian 

-----Original Message-----
From: Sangita Pakala
To: webappsec () securityfocus com
Sent: 24/02/2004 15:21
Subject: Controlling access to pdf/doc files

Hi,

Could I have the list's thoughts on an answer we are preparing for the
next version of the AppSec FAQ at OWASP.
 
Question - How can I ensure my application allows only authenticated
users access to files like *.pdf or *.doc?

Issue - Suppose a web site, say a bank site, displays the user's account
statement as a .doc file. What if someone tries to access this file by
typing its full URL into the address bar? How does the application check
whether the user trying to access the file is the authenticated user and
that the session has not expired? 

Solution - One solution is to have a random number for the name of the
file or the folder containing it. This random number could even be
related to the session token of the user. This file/folder should then
be deleted as soon as the user's session has expired.

Are there better methods available to address this issue? Can the web
server run a server side program to verify the session token before
serving the final GET request for the file? 


Thanks,
Sangita.

OWASP AppSec FAQ
http://www.owasp.org/documentation/appsecfaq

Paladion Networks
http://www.paladion.net