Software /
code /
prosody-modules
Comparison
mod_http_upload_external/README.markdown @ 3358:e49660ba3161
mod_http_upload_external: Improve implementation docs, including v2 details
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Sun, 21 Oct 2018 14:54:19 +0100 |
parent | 3189:57332ea0c1c7 |
child | 3359:3d01ab6b1186 |
comparison
equal
deleted
inserted
replaced
3357:af824168729a | 3358:e49660ba3161 |
---|---|
95 GET https://example.com/upload/foo/bar.jpg | 95 GET https://example.com/upload/foo/bar.jpg |
96 ``` | 96 ``` |
97 | 97 |
98 The only tricky logic is in validation of the PUT request. Firstly, don't overwrite existing files (return 409 Conflict). | 98 The only tricky logic is in validation of the PUT request. Firstly, don't overwrite existing files (return 409 Conflict). |
99 | 99 |
100 Then you need to validate the auth token. This will be in the URL query parameter 'v'. If it is absent, fail with 403 Forbidden. | 100 Then you need to validate the auth token. |
101 | |
102 ### Validating the auth token | |
103 | |
104 | |
105 | Version | Supports | | |
106 |:--------|:--------------------------------------------------------------------------------------------------------| | |
107 | v | Validates only filename and size. Does not support file type restrictions by the XMPP server. | | |
108 | v2 | Validates the filename, size and MIME type. This allows the server to implement MIME type restrictions. | | |
109 | |
110 It is probable that a future v3 will be specified that allows carrying information about the uploader identity, allowing | |
111 the implementation of per-user quotas and limits. | |
112 | |
113 Implementations may implement one or more versions of the protocol simultaneously. The XMPP server generates the URLs and ultimately selects which version will be used. | |
114 | |
115 #### Version 1 (v) | |
116 | |
117 The token will be in the URL query parameter 'v'. If it is absent, fail with 403 Forbidden. | |
101 | 118 |
102 Calculate the expected auth token by reading the value of the Content-Length header of the PUT request. E.g. for a 1MB file | 119 Calculate the expected auth token by reading the value of the Content-Length header of the PUT request. E.g. for a 1MB file |
103 will have a Content-Length of '1048576'. Append this to the uploaded file name, separated by a space (0x20) character. | 120 will have a Content-Length of '1048576'. Append this to the uploaded file name, separated by a space (0x20) character. |
104 | 121 |
105 For the above example, you would end up with the following string: "foo/bar.jpg 1048576" | 122 For the above example, you would end up with the following string: "foo/bar.jpg 1048576" |
110 calculated_auth_token = hmac_sha256("foo/bar.jpg 1048576", "secret string") | 127 calculated_auth_token = hmac_sha256("foo/bar.jpg 1048576", "secret string") |
111 ``` | 128 ``` |
112 | 129 |
113 If this is not equal to the 'v' parameter provided in the upload URL, reject the upload with 403 Forbidden. | 130 If this is not equal to the 'v' parameter provided in the upload URL, reject the upload with 403 Forbidden. |
114 | 131 |
115 Note: your language/environment may provide a function for doing a constant-time comparison of these, to guard against | 132 **Security note:** When comparing `calculated_auth_token` with the token provided in the URL, you must use a constant-time string |
116 timing attacks that may be used to discover the secret key. | 133 comparison, otherwise an attacker may be able to discover your secret key. Most languages/environments provide such a function, such |
134 as `hash_equals()` in PHP, `hmac.compare_digest()` in Python, or `ConstantTimeCompare()` from `crypto/subtle` in Go. | |
135 | |
136 #### Version 2 (v2) | |
137 | |
138 The token will be in the URL query parameter 'v2'. If it is absent, fail with 403 Forbidden. | |
139 | |
140 | Input | Example |Read from | | |
141 |:--------------|:------------|:--------------------------------------------------------------------| | |
142 |`file_path` | foo/bar.jpg | The URL of the PUT request, with the service's base prefix removed. | | |
143 |`content_size` | 1048576 | Content-Size header | | |
144 |`content_type` | image/jpeg | Content-Type header | | |
145 | |
146 The parameters should be joined into a single string, separated by NUL bytes (`\0`): | |
147 | |
148 ``` | |
149 signed_string = ( file_path + '\0' + content_size + '\0' + content_type ) | |
150 ``` | |
151 | |
152 ``` | |
153 signed_string = "foo/bar.jpg\01048576\0image/jpeg" | |
154 ``` | |
155 | |
156 The expected auth token is the SHA256 HMAC of this string, using the configured secret key as the key. E.g.: | |
157 | |
158 ``` | |
159 calculated_auth_token = hmac_sha256(signed_string, "secret string") | |
160 ``` | |
161 | |
162 If this is not equal to the 'v2' parameter provided in the upload URL, reject the upload with 403 Forbidden. | |
163 | |
164 **Security note:** When comparing `calculated_auth_token` with the token provided in the URL, you must use a constant-time string | |
165 comparison, otherwise an attacker may be able to discover your secret key. Most languages/environments provide such a function, such | |
166 as `hash_equals()` in PHP, `hmac.compare_digest()` in Python, or `ConstantTimeCompare()` from `crypto/subtle` in Go. | |
167 | |
168 ### Security considerations | |
169 | |
170 #### HTTPS | |
171 | |
172 All uploads and downloads should only be over HTTPS. The security of the served content is protected only | |
173 by the uniqueness present in the URLs themselves, and not using HTTPS may leak the URLs and contents to third-parties. | |
174 | |
175 Implementations should consider including HSTS and HPKP headers, with consent of the administrator. | |
176 | |
177 #### MIME types | |
178 | |
179 If the upload Content-Type header matches any of the following MIME types, it MUST be preserved and included in the Content-Type | |
180 of any GET requests made to download the file: | |
181 | |
182 - `image/*` | |
183 - `video/*` | |
184 - `audio/*` | |
185 - `text/plain` | |
186 | |
187 It is recommended that other MIME types are preserved, but served with the addition of the following header: | |
188 | |
189 ``` | |
190 Content-Disposition: attachment | |
191 ``` | |
192 | |
193 This prevents the browser interpreting scripts and other resources that may potentially be malicious. | |
194 | |
195 Some browsers may also benefit from explicitly telling them not to try guessing the type of a file: | |
196 | |
197 ``` | |
198 X-Content-Type-Options "nosniff" | |
199 ``` | |
200 | |
201 #### Security headers | |
202 | |
203 The following headers should be included to provide additional sandboxing of resources, considering the uploaded | |
204 content is not understood or trusted by the upload service: | |
205 | |
206 ``` | |
207 Content-Security-Policy: "default-src 'none'" | |
208 X-Content-Security-Policy: "default-src 'none'" | |
209 X-WebKit-CSP: "default-src 'none'" | |
210 ``` |