
How to hide query parameters from URL sent in email from shell script

I'm writing a shell script that will send an email which has a link to the application. When the user clicks the link in the email, it will open the application. How do I hide the query parameters in the URL that is sent from the shell script?

It doesn't make sense to hide the URL / query string in any way, since if the user can open the URL, then the user must be able to read the URL. When you show that you have something to hide, curious users WILL try to find out what you are hiding and why.

sensitive information (confidential)

If what you're doing is sending something sensitive (ex: a password), then just don't send it via email. Instead send some one-time-use token that expires after a day (assuming your email recipient will always read your email within a day). The format of such a token can be JWT (see https://jwt.io for reference). For example:

instead of: click here to login: https://yourapp.com/login?username=user&pass=user123

use this: click here to login: https://yourapp.com/login?username=user&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTY0MzkwMjJ9.WkfqJZ3t0basNIqnRJD8R720BXmULhEONNlpHVxgoqA

Make sure you sign the JWT with a private key that only you know.

This way you're not exposing the user's password just to prove that you're that user. The JWT in my example only contains a claim that the bearer of this token is named "user", and the token is only valid from the "iat" to the "exp" field. (Try copy-pasting the JWT above into jwt.io or decode it yourself.)

If you're using this approach, you must also tell the users not to share their URL, since others may impersonate them if they do.

identity

If what you're doing is sending something to prove who the user is, and it would be bad for it to be seen by other people because if they see it they can impersonate the recipient user, then you can send a salted hash of the user's username or id. For example:

instead of: click here to login: https://yourapp.com/login?username=user

use this: click here to login: https://yourapp.com/login?username=3f480e2ceaf459b732f07b1b60a7ea16d1cd3244ef390ade01f401ad7b170445e08fb0b3583bb66210efc0fbe747c730f36f962de3cac07e6a165a80cb84def6

The hash in my example is the sha512 digest of: user some long long salt here 123 some long long salt here 123 some long long salt here 123 some long long salt here 123 some long long salt here 123 some long long salt here 123 some long long salt here 123 some long long salt here 123 some long long salt here 123

When your application reads that hash, it can run a query against its database like SELECT... WHERE $urlparam = SHA512( CONCAT( username, '$salt' ) )

As with the approach above, you must also tell the users not to share their URL, since others may impersonate them if they do.

long / large data

If what you're doing is sending very long/large data, and/or you do not want the user to change that data (ex: shopping cart data), then you have to save it into a database instead, and only send the primary key / id of the record in the URL. For example:

instead of: click here to checkout: https://yourapp.com/checkout?username=user&cart1=myproduct1&cart1qty=20&cart2=myproduct2&cart2qty=50&cart3=myproduct3&cart3qty=99&cart4=myproduct4&cart4qty=1...(still continues)

use this: click here to checkout: https://yourapp.com/checkout?cartid=1372384

This way, even if the user knows that his/her cartid is 1372384, it doesn't mean anything to him/her. Of course this approach should be combined with some means of authenticating the user (otherwise some malicious user can see others' carts by entering random numbers or by guessing them).

lazy answer

If you just want to hide the URL, no matter why, just use some strong encryption algorithm like AES256 to encrypt all query parameters, and then encode it as base64 (or URL-safe base64). In this case, your application (that reads/handles the URL) and your script that generates the URL will have to share the same encryption key.

You will probably end up with something like: click here to do something: https://yourapp.com/handle?ciphertext=ZTZKU1RFUmZqNTZrSWszeWYwaEtiM0RWVzRRNWlFcE1lalpCbWFBM3Z5TEY1R0xYdGprVDRsSmk5Nzc4Y3dXamJ4RUpLYmRxZ2RXS0lLM01oMUc1U0t2dUFlWktldERoVHdzcjl6SS9CMmZuRmtoQnBMVmtEeFFhaXhIUHZwVFM2MlQ0SURRZEpMNzZ0bUptN2p3M0VuT0tMME15RW8xcG5ZSW5hcnpFUm1qSlBWWEhEYVNMcU42VFd5WFdDWmFsQXJaWDNpT0xrMWhpNFN2aXI3RjE4dz09
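One way to build the one-time login link from the answer's first two sections, as an added example that is not part of the original answer: an HS256 JWT carrying sub/iat/exp, the checks the login handler has to make before trusting the "username" in the link (signature first, then exp), and the salted SHA-512 form of the identity parameter. Note that HS256 signs with a shared HMAC secret rather than a private key, so whatever verifies the link must hold the same SECRET as the script that mails it. SECRET, SALT and https://yourapp.com/login are assumed values; the demo values are constructed. Because the claims match the ones in the answer's example token, the header and payload segments come out identical to it (the signature differs, since the answer's secret is unknown).

```shell
#!/bin/sh
# Added example, not code from the answer above. Mints the one-time login
# link the answer describes (HS256 JWT with iat/exp), shows the checks the
# receiving application must make, and the salted-hash identity parameter.
# Assumes: openssl and coreutils base64 are installed; HS256 means a SHARED
# secret, so the app that verifies the link needs the same SECRET as the
# mailer script; https://yourapp.com/login is hypothetical.
set -eu

# base64url (RFC 7515): standard base64, '+/' -> '-_', padding stripped.
b64url() {
    base64 | tr -d '\n=' | tr -- '+/' '-_'
}

# Reverse of b64url; padding is restored before base64 -d.
b64url_decode() {
    _s=$(printf '%s' "$1" | tr -- '-_' '+/')
    case $(( ${#_s} % 4 )) in
        2) _s="${_s}==" ;;
        3) _s="${_s}=" ;;
    esac
    printf '%s' "$_s" | base64 -d
}

# make_jwt SUBJECT SECRET ISSUED_AT EXPIRES_AT -> HS256 JWT on stdout.
# SUBJECT is assumed to be a plain identifier (no quotes or backslashes).
make_jwt() {
    _hdr=$(printf '{"alg":"HS256","typ":"JWT"}' | b64url)
    _pl=$(printf '{"sub":"%s","iat":%s,"exp":%s}' "$1" "$3" "$4" | b64url)
    _sig=$(printf '%s.%s' "$_hdr" "$_pl" \
        | openssl dgst -sha256 -hmac "$2" -binary | b64url)
    printf '%s.%s.%s' "$_hdr" "$_pl" "$_sig"
}

# verify_jwt TOKEN SECRET NOW -> prints the subject and returns 0, or
# returns 1 when the token is malformed, the signature is wrong, or NOW is
# at or past "exp". The signature is checked before anything is decoded.
verify_jwt() {
    _tok=$1; _key=$2; _now=$3
    case $_tok in *.*.*) ;; *) return 1 ;; esac
    _hdr=${_tok%%.*}; _rest=${_tok#*.}
    _pl=${_rest%%.*}; _sig=${_rest#*.}
    _expect=$(printf '%s.%s' "$_hdr" "$_pl" \
        | openssl dgst -sha256 -hmac "$_key" -binary | b64url)
    # Shell string comparison is not constant-time; a real handler should
    # use its JWT library's constant-time compare.
    [ "$_sig" = "$_expect" ] || return 1
    _json=$(b64url_decode "$_pl")
    _exp=$(printf '%s' "$_json" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
    _sub=$(printf '%s' "$_json" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
    [ -n "$_exp" ] && [ "$_now" -lt "$_exp" ] || return 1
    printf '%s' "$_sub"
}

# salted_hash USERNAME SALT -> lowercase hex SHA-512 of USERNAME||SALT, the
# "identity" form of the parameter; the app looks it up with the same
# concatenation, as in the answer's SELECT.
salted_hash() {
    printf '%s%s' "$1" "$2" | openssl dgst -sha512 | sed 's/^.*= //'
}

build_login_url() {   # build_login_url USERNAME TOKEN
    printf 'https://yourapp.com/login?username=%s&token=%s' "$1" "$2"
}

# Constructed demo values; in practice generate SECRET and SALT randomly
# (e.g. openssl rand -hex 32) and never put them in the email.
SECRET='demo-secret-do-not-reuse'
SALT='some long long salt here 123'
NOW=$(date +%s)
TOKEN=$(make_jwt user "$SECRET" "$NOW" $((NOW + 86400)))
build_login_url user "$TOKEN"; echo
echo "login handler sees subject: $(verify_jwt "$TOKEN" "$SECRET" "$NOW")"
echo "identity form: https://yourapp.com/login?username=$(salted_hash user "$SALT")"
```

Both base64url and hex are URL-safe, so the link needs no further escaping; the username is assumed to be URL-safe too. A token that fails any check yields exit status 1 and prints nothing, which is the only outcome the handler should act on.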
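For the "lazy answer", as an added example that is not part of the original answer: seal the whole query string with AES-256 via openssl enc and ship it as one opaque parameter. It goes one step beyond the answer by attaching an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC), which bare encryption does not give you: without a tag the handler cannot tell an edited link from a genuine one and will feed whatever it is given to the decryptor. KEY, the demo query and https://yourapp.com/handle are assumed; the "-mac" key suffix is a stand-in for deriving separate encryption and MAC keys with a proper KDF.

```shell
#!/bin/sh
# Added example, not code from the answer above, for the "lazy answer":
# encrypt the whole query string with AES-256 and ship one opaque parameter.
# An HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC) lets the handler
# reject an edited link instead of decrypting garbage. Assumes openssl 1.1.1+
# (for -pbkdf2) and a KEY shared by the mailer script and the app;
# https://yourapp.com/handle is hypothetical. A real deployment should derive
# separate encryption and MAC keys (e.g. HKDF) instead of the "-mac" suffix.
set -eu

# Standard base64 is not URL-safe: percent-encode '+', '/' and '='.
urlenc_b64() { sed 's/+/%2B/g; s#/#%2F#g; s/=/%3D/g'; }
urldec_b64() { sed 's/%2B/+/g; s#%2F#/#g; s/%3D/=/g'; }

# seal QUERY KEY -> "<percent-encoded base64 ciphertext>.<hex tag>"
# openssl enc -pbkdf2 derives the AES key and IV from KEY with a fresh random
# salt, so the same QUERY sealed twice yields two different tokens.
seal() {
    _ct=$(printf '%s' "$1" \
        | openssl enc -aes-256-cbc -pbkdf2 -pass "pass:$2" -a -A)
    _tag=$(printf '%s' "$_ct" \
        | openssl dgst -sha256 -hmac "$2-mac" | sed 's/^.*= //')
    printf '%s.%s' "$(printf '%s' "$_ct" | urlenc_b64)" "$_tag"
}

# open_token TOKEN KEY -> original query on stdout, or return 1 when the tag
# does not match (edited ciphertext, wrong key, truncated or malformed link).
# The tag is checked BEFORE decryption, so attacker-controlled bytes never
# reach the decryptor.
open_token() {
    case $1 in *.*) ;; *) return 1 ;; esac
    _ct=$(printf '%s' "${1%.*}" | urldec_b64)
    _expect=$(printf '%s' "$_ct" \
        | openssl dgst -sha256 -hmac "$2-mac" | sed 's/^.*= //')
    [ "${1##*.}" = "$_expect" ] || return 1   # not constant-time in shell
    printf '%s' "$_ct" \
        | openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$2" -a -A
}

# Constructed demo: the cart parameters from the answer, sealed into one link.
KEY='demo-key-do-not-reuse'
QUERY='username=user&cart1=myproduct1&cart1qty=20&cart2=myproduct2&cart2qty=50'
TOKEN=$(seal "$QUERY" "$KEY")
echo "https://yourapp.com/handle?ciphertext=$TOKEN"
echo "handler recovers: $(open_token "$TOKEN" "$KEY")"
if open_token "x$TOKEN" "$KEY" >/dev/null; then echo "tampered link accepted?!"
else echo "tampered link rejected"; fi
```

The tag is what turns "hidden" into "tamper-evident": with AES-CBC alone, a flipped ciphertext byte decrypts to a different but still accepted query, and the handler has no way to notice.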

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost them, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

 
Guangdong ICP Filing No. 18138465  © 2020-2024 STACKOOM.COM