Databases
StackOverflow2013
Postsdbo
POHow secure is str(BlobKey)?
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POHow secure is str(BlobKey)?
    text
    copied!<p>I have implemented a generic blob serving handler as mentioned in the <a href="https://developers.google.com/appengine/docs/python/blobstore/#Serving_a_Blob" rel="nofollow">appengine docs</a>. The handler will serve any blob to you, as long as you know that blob's key string. I am using it to easily compose URLs that clients can use to download their files. If client A inspects the URL to download their file and finds their blob key (i.e. <code>1CX2kh468IDYKGcDUiq5c69u8BRXBtKBYcIaJkmSbSa4QY096gGVaYCZJjGZUpDz == str(BlobKey)</code>), can they somehow reverse-engineer this key and easily construct another key that can be used to download client B's files? Or does the key have a random component added?</p> <p>For reference, there is <a href="https://developers.google.com/appengine/docs/python/datastore/keyclass#Key" rel="nofollow">this note</a> about <code>str(db.Key)</code>, which is what raises my question:</p> <blockquote> <p>Note: The string representation of a key looks cryptic, but is not encrypted! It can be converted back to the raw key data, both kind and identifier. If you don't want to expose this data to your users (and allow them to easily guess other entities' keys), then encrypt these strings or use something else.</p> </blockquote> <p>I am creating the files like this, which does not specify a <code>filename</code> parameter, so I think the question boils down to, how does <code>create()</code> "pick" a <code>filename</code> when one is not specified? I suppose I could generate a random filename and pass it in here to be doubly sure this is secure.</p> <pre><code>file_name = files.blobstore.create(mime_type='application/octet-stream') </code></pre>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload