I'd like to secure one of my appengine handlers to respond only if the request is originating within the local app.
I had a look at handler.request.environ and this is what I found (I modified the application_id):
{
'USER_ORGANIZATION': '',
'TZ': 'UTC',
'APPLICATION_ID': 'dev~myappid',
'USER_NICKNAME': '',
'REMOTE_ADDR': '127.0.0.1',
'DEFAULT_VERSION_HOSTNAME': 'localhost:8080',
'CURRENT_MODULE_ID': 'default',
'wsgi.multithread': True,
'REQUEST_METHOD': 'GET',
'DATACENTER': 'us1',
'wsgi.run_once': False,
'REQUEST_ID_HASH': '364BD75E',
'QUERY_STRING': '',
'USER_IS_ADMIN': '0',
'SERVER_SOFTWARE': 'Development/2.0',
'REQUEST_LOG_ID': '21f8fe9ca3baeebdacc5dd74febb7aec00a6d6bedbc8dc01415c58393ee7a2cedd155b81e75db18961c98b8ee8cb5dd42',
'PATH_TRANSLATED': '/Users/hamish/dev/kp3/src/kp3/main.pyc',
'SERVER_NAME': 'localhost',
'SERVER_PROTOCOL': 'HTTP/1.1',
'AUTH_DOMAIN': 'gmail.com',
'SCRIPT_NAME': '',
'HTTP_USER_AGENT': 'Python-urllib/2.7 AppEngine-Google; (+http://code.google.com/appengine)',
'PATH_INFO': '/spike/two/',
'wsgi.multiprocess': True,
'HTTP_HOST': 'localhost:8080',
'HTTPS': 'off',
'INSTANCE_ID': 'fd45d3ed33f7f9abb3bec923ede309eeb3b5',
'wsgi.version': (1, 0),
'wsgi.input': <_io.BytesIO object at 0x1055294d0>,
'SERVER_PORT': '8080',
'USER_EMAIL': '',
'APPENGINE_RUNTIME': 'python27',
'CURRENT_VERSION_ID': '1.699634115210300890',
'HTTP_X_APPENGINE_COUNTRY': 'ZZ',
'USER_ID': '',
'webob._cache_control': ('', <CacheControl ''>),
'wsgi.url_scheme': 'http'
}
Is there anything here (or elsewhere on the request handler) that would allow me to know for sure (i.e. something that an attacker could not fake) if the request is originating on the current app?
WHY Do This?
I have an app that stores images in the blob store, and then lets approved users view them. I'm not using the blobstore image hosting features, I'm instead getting the request, checking that the logged in user has permission to view the picture, getting the blob and returning it. This is working fine.
I now want to generate a PDF that contains some of these images. The way I'm currently planning to do that is to create some xhtml, including references to the images, then use xhtml2pdf to create the pdf. I'll then store that and use the same security rules to control access to the pdf as the images.
xhtml2pdf fetches the images and embeds them inside the pdf file.
If I use the same url to serve the images to xhtml2pdf as I use to serve them to general users, the authorization code kicks in and blocks the access to xhtml2pdf. To get around this I've implemented a second Image Handler which has no user-based security. My problem now is to secure that second handler in order to not have a security hole.
The other way that I have tried to use to resolve this is to embed the image data directly into the html using the Data URI scheme, however I'm getting an error there as well:
IOError: cannot identify image file fileName=<StringIO.StringIO instance at 0x10503ca70>
If you're not using a custom domain you can use this. The X-Appengine-Inbound-Appid can only be set internally so it's safe to use as a security check.
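One way to apply the header check from the answer to the second image handler, as an added example that is not code from the question or the answer. It is a plain WSGI wrapper; the function names, the stand-in handler and the sample environs are hypothetical, and it assumes the header carries the bare app ID ("myappid") without the "dev~" partition prefix seen in APPLICATION_ID.

```python
# Added example: WSGI guard for the internal-only image handler.
# All names here are hypothetical; "myappid" is the sample ID from the question.
INBOUND_APPID_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"  # WSGI form of X-Appengine-Inbound-Appid


def require_inbound_appid(app, allowed_app_ids):
    """Wrap a WSGI app so it only answers requests carrying an allowed inbound app ID."""
    allowed = frozenset(allowed_app_ids)

    def guarded(environ, start_response):
        caller = environ.get(INBOUND_APPID_KEY)
        # Fail closed: a missing or empty header is treated as an outside request.
        # REMOTE_ADDR and HTTP_USER_AGENT are deliberately not consulted.
        if not caller or caller not in allowed:
            body = b"Forbidden"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)

    return guarded


def internal_image_app(environ, start_response):
    """Stand-in for the second image handler that has no user-based check."""
    body = b"image-bytes"
    start_response("200 OK", [("Content-Type", "application/octet-stream"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, environ):
    """Drive a WSGI app once and return (status, body) for inspection."""
    captured = {}
    body = b"".join(app(environ, lambda status, headers: captured.update(status=status)))
    return captured["status"], body


guarded_app = require_inbound_appid(internal_image_app, ["myappid"])

# Constructed environs, modelled on the dump in the question.
BASE = {"REQUEST_METHOD": "GET", "PATH_INFO": "/spike/two/", "REMOTE_ADDR": "127.0.0.1"}
FROM_SELF = dict(BASE, HTTP_X_APPENGINE_INBOUND_APPID="myappid")
FROM_OTHER_APP = dict(BASE, HTTP_X_APPENGINE_INBOUND_APPID="someotherapp")
NO_HEADER = dict(BASE)

if __name__ == "__main__":
    for name, env in [("self", FROM_SELF), ("other app", FROM_OTHER_APP), ("no header", NO_HEADER)]:
        print(name, call(guarded_app, env)[0])
```

App Engine's URL Fetch documentation says the header is added only when the calling fetch does not follow redirects, so the request that pulls the images has to be made that way for the guard to pass.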