AWS S3/Ruby on Rails/heroku: Security hole in my app


Problem description

I have a route in my config which says that for a page, say /secure, there is a login required (done via authlogic). A before_filter in my controller takes care of that. That works fine, the page and its resources have restricted access - through the application.

Trouble is, we are using Amazon S3 for storage on this app (based on refinerycms) deployed to heroku. I have a bucket and it works fine.

However, any resource inserted in the secure part of the application is directly accessible through the browser. In other words, the /secure page contains items like pdf files. While through the app the resources are secured, those pdf files are accessible from anywhere in the Internet (example URL): http://s3.amazonaws.com/my_bucket/images/1234/the_file_which_should_be_secure.pdf

Can I do fine-grained access control on S3? Do I have to create a new bucket? Ideally I'd like to set a flag on my resource which makes it invisible in the Internet - don't know.

Any suggestions welcome.

P.S. openid.org has an expired SSL cert, so I needed to create a new empty account as I could not log in.

Recommended answer

The simplest and easiest solution is just to name your S3 assets with random, unguessable filenames, and then only expose the secret URLs to the people who should have access.

This is how Facebook photos and many other sites work (there is no privacy or security beyond the obscurity of the individual filenames).
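The approach the answer describes, worked through in plain Ruby as an added example (this is not code from the question, the answer, or refinerycms; it uses no AWS SDK and does not upload anything). The bucket name `my_bucket` and the example key `images/1234/the_file_which_should_be_secure.pdf` come from the question; `unguessable_key`, `looks_guessable?`, `s3_url` and `secure_document_url` are illustrative names, and the hash passed as `session` is a stand-in for a Rails session behind an authlogic `before_filter`. Note that the answer itself says there is no security beyond the obscurity of the name: the key must carry real entropy, must not embed the original filename or a sequential ID, and must only ever be handed out from a code path that has already checked the login.

```ruby
require 'securerandom'

# Bucket name taken from the question's example URL.
BUCKET = 'my_bucket'.freeze

# Minimum length of the random part of the key. 22 URL-safe base64 characters
# carry about 128 bits, which is the floor for "unguessable" here; we generate
# 32 random bytes (43 characters, ~256 bits) to leave margin.
MIN_TOKEN_CHARS = 22

# Build an unguessable S3 object key for an upload. The user-chosen filename is
# dropped from the key entirely so nothing about the document leaks into the
# URL; only the extension is kept so S3/browsers pick a sensible content type.
def unguessable_key(original_filename, prefix: 'secure')
  ext = File.extname(original_filename).downcase
  token = SecureRandom.urlsafe_base64(32) # 32 bytes -> 43 chars, no padding
  "#{prefix}/#{token}#{ext}"
end

# Heuristic check for keys that defeat the scheme: a purely numeric path
# segment (a sequential database ID such as images/1234/), a basename that is
# too short to be random, or a basename made of "human" characters rather than
# the URL-safe base64 alphabet. Returns true when the key should be rejected.
def looks_guessable?(key)
  segments = key.split('/')
  basename = File.basename(segments.last, '.*')
  numeric_id = segments[0...-1].any? { |s| s.match?(/\A\d+\z/) }
  too_short  = basename.length < MIN_TOKEN_CHARS
  not_random = !basename.match?(/\A[A-Za-z0-9_-]+\z/)
  numeric_id || too_short || not_random
end

# Assemble the S3 URL for a key, in the same path-style form the question shows.
def s3_url(key)
  "https://s3.amazonaws.com/#{BUCKET}/#{key}"
end

# Stand-in for the controller action that sits behind the login before_filter:
# the secret URL is only built for an authenticated session. Returns nil when
# there is no user (the real action would redirect to the login page), and
# refuses to hand out a key that would be guessable anyway.
def secure_document_url(session, key)
  return nil unless session[:user_id]
  return nil if looks_guessable?(key)
  s3_url(key)
end

if __FILE__ == $PROGRAM_NAME
  old_key = 'images/1234/the_file_which_should_be_secure.pdf'
  new_key = unguessable_key('the_file_which_should_be_secure.pdf')
  puts "old key guessable? #{looks_guessable?(old_key)}" # true
  puts "new key guessable? #{looks_guessable?(new_key)}" # false
  puts "anonymous: #{secure_document_url({}, new_key).inspect}"
  puts "logged in: #{secure_document_url({ user_id: 1 }, new_key)}"
end
```

The key is generated once, at upload time, and stored against the record; the controller never recomputes it and never exposes it to an unauthenticated request. Anyone who is given the URL can still share it, which is exactly the limitation the answer states.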
