As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Options
PHP Avatars
apotheos
Registered User, ClubPA regular
Registered User, ClubPA regular
Is it just me,
Or is alowing the execution of scripts on an external website as an avatar a security flaw a mile wide?
Or is alowing the execution of scripts on an external website as an avatar a security flaw a mile wide?
猿も木から落ちる
apotheos on
0
Posts
So it's no more dangerous for PA than linking to a PHP page on my server.
If there was a security hole in the script then my server would be at risk, but there isn't.
Anyway, because of the way HTTP works it's actually impossible for your browser, or PA's server to determine that it's a PHP rather than a static image.
I should be asked before I execute a script on your server.
Then I could say no.
I we restrict avatars to .gif and .jpg files, then most server-side processing languages will be foiled. Those who reconfigure their server to execute .gif and .jpg files will still slip through, but then we have mods yell at them.
Because that is what they are there for.
猿も木から落ちる
Why?
My thoughts exactly. The Data your computer recieves is EXACTLY the same as if it was a static image.
It is impossible for it to affect your computer in any way because it doesn't execute on your computer.
I've been trying to reach you, but your extension cord doesn't reach that far.
ohnoes!
If it makes you feel better, my sig is actually totally static, so you don't have to feel dirty and violated on my account.
Ahh a nice Unix process listing
Wait a minuite, Safari? iTunes? AppleSpell?
You're running MacOS X aren't you?
You're dead to me.
Are you sure you know how this all works?
Hooray!
猿も木から落ちる
Yes. Quite.
猿も木から落ちる
My advice to you is to not go to websites you think have questionsble content.
"If you're going to play tiddly winks, play it with man hole covers."
- John McCallum
Oh, you're worried about information collection why didn't you just say so.
Any information I could save out of a PHP avatar I can just get from my server logs if I use a static image.
The teenagers using them? Or the devices themselves?
pix plz
rename your script to .gif or whatever
in your .htaccess (assuming you are running apache)
that means it is ran as php but it looks like an image
猿も木から落ちる
I'd prefer people just learn a bit more about HTTP.
Seriously, I'd like to know what it is you are worried about.
About the only information that I can think you'd be worried about is your IP, but that is in the server logs even if you just access a normal image.
...and with a PHP script you have access to the entire request object and can manipulate the entire response object.
Now, I'm not a PHP code monkey, but I know that with that ability, combined with bugs in specific browsers, and a 301 Content Moved, you could probably whip up some cookie-stealing. I've got some thoughts about how that could be done in not-PHP.
No?
猿も木から落ちる
I do not understand, Sam I Am.
Through the logs I have access to the entire request
Through the server configuration I can manipulate the entire responce on a static image.
As for cookie stealing I doubt it. Cookies are only sent to the specific server. So they don't get sent to my scripts at all.
Additionally most browsers block 3rd party cookies by default, so scripts like that on a differnt server can't set or recieve cookies anyway.
This is actually a different thing
OH NOES!!1!1 SUMWON HAS STOELED YUOR JIF OR JAYPEG EXTENSHUN!!1!11!./fwer
how hard is it to learn php from say... nothing.
It's quite easy if you have a basic concept of other computer languages. If, by 'nothing', you mean 'absolutely nothing', then it may be a bit harder.
i actually heard my brain shriek in pain while reading that
now it's trying to gnaw its way out of my skull, thanks jackass.
I sent you more on AIM in an attempt to have your brain gnaw faster to make the pain go by quicker, but you weren't around.
I R TEH SAD NOW.
Yeah. If you understand programming in other languages, then 1 day tops to get the hang of basic PHP, everything above that is just practice.
If you're not familiar with anything then it will take a bit longer, but the manual at www.php.net should still be sufficient.
Senor, have you seen this trick
http://www.orthanc.co.nz/showimg.php?image=6&/munkus_av.gif
Uh, what's the trick?
Making it look like a gif to browsers that don't follow w3c standards and look at the file extension instead of the mime type (i.e. internet explorer).
Are you sure? In a past life I did ASP development, which involved passing filenames in querystrings, and I don't believe that affected the mime type that IE was thinking the content was.
Once it hits the question mark it saves the rest as form/querystring variables. Unless you've played with this specifically. I'm not trying to profess expetise.
Anyway...
My experements in this random images resulted in this:
http://www.uleth.ca/it/random.jpg
A didn't embed that as I want you to see a specific (undesirable) phenomenon: browser caching seems to entirely destroy the concept. If you shift-reload, you'll get random images. If you just reload, you don't. You seem to have experience in this matter, so I'm wondering if you can advise.
猿も木から落ちる
Doesn't affect the mime type, but it does affect the way IE handles the file. For example (this is one I hit at work) if you are outputting a CSV, setting the mime type to the csv one (I can't remember it off the top of my head, but it does exist) IE won't handle it properly. But if you make the entire url end in .cvs as I did above with gif, IE will open it with the CSV helper application (Usually Excell).
All this is just a result of Microsofts efforts to combine local file system browsing (file extentions) with web browsing (mime types).
As for your problem, you need to put in some cache controll headers to stop it being cached. I presume the random.jpg is actually a script of some sort, in which case it will have a method for setting HTTP headers. It can be done in the server configuration as well but I;ve never looked into how.
here is the PHP code for fixing it, you'll have to convert it to whatever language you're using
// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
// HTTP/1.0
header("Pragma: no-cache");
As this is a small and stupid side project to my "real work", I haven't spent much time on it. However this problem only seems to creep in to graphics files. I thought there was something particular to that MIME type perhaps. I know, I'm trying to snatch straws.
There is a complicated series of proxy rewrites involved in serving this document too, so it makes conquoring this mess all that much more difficult when my default assumptions get contradicted. I am starting to suspect one of them is eating my headers. Now to find out which one.
猿も木から落ちる
The other thing to check is that the headers are actually being sent. There are programs that will show you what headers are actually being sent / recieved. though I'm having trouble finding one to link.