Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
JellyFish
DevNet Resident
Posts: 1361 Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA
Post by JellyFish » Mon Jul 02, 2007 4:36 pm
So basically, I don't want people passing a path to my script that would have my script return any information I don't want them to get.
So how would I fix this? You say to use the basename function?
I could just make sure that the file path that is passed to my script be one with the MIME type of "video/x-flv". But I don't know how to do this.
Another method would be to check if the basename's suffix is that of ".flv".
Which would you suggest?
Ambush Commander
DevNet Master
Posts: 3698 Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US
Post by Ambush Commander » Mon Jul 02, 2007 6:02 pm
I would do several checks:
1. basename() to make sure that the directory path is in the proper place
2. File extension check to make sure the requested file is valid
3. file_exists() check to make sure the file being requested exists
JellyFish
DevNet Resident
Posts: 1361 Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA
Post by JellyFish » Mon Jul 02, 2007 8:09 pm
How would I check the file extension?
JellyFish
DevNet Resident
Posts: 1361 Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA
Post by JellyFish » Tue Jul 03, 2007 10:59 pm
Code:
    header("Content-type: video/x-flv");
    $path_parts = pathinfo($_GET['filename']);
    if ($path_parts['extension'] == "flv")
    {
        $stream = fopen("/home/content/t/r/a/tradingtresure/html/".$_GET['filename'], "rb");
    }
    else
    {
        $stream = fopen("/home/content/t/r/a/tradingtresure/html/manager/chart-room/videos/error.flv", "rb");
    }
    fpassthru($stream);
Is this good?
I don't want to check for the directory because of my directories variable that I use.
Is what I have secure?
Other than that I'm having a problem with this method (using a video.php file instead of an .flv file) and that is, it acts funny; for example, when the position of the video meets the loaded duration, the movie starts over. Is this because I'm using fpassthru rather than some other function(s)?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post by feyd » Wed Jul 04, 2007 5:51 am
Not even remotely.
Check realpath() against the folder root of your storage directory. Make sure the file they are requesting exists, too.
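The checks Ambush Commander listed (basename, extension, existence) and feyd's realpath() comparison against the storage root fit together into one small function. The following is an added example written for this thread, not code posted by either of them; the storage directory is an assumed placeholder, the function name is invented, and it uses current PHP syntax rather than the 2007-era code above. It also sends a Content-Length header, which is standard practice for fpassthru() downloads; the thread does not establish whether that is what the Flash player is missing.

```php
<?php
// Added example, not code from the thread. Serves only regular .flv files
// that resolve to a location inside one storage directory.
const VIDEO_ROOT = '/var/www/storage/videos'; // assumed placeholder path

/**
 * Resolve a user-supplied filename to an absolute path inside $root.
 * Returns null if any check fails, so the caller never opens an
 * attacker-chosen path.
 */
function resolve_video_path(string $root, string $requested): ?string
{
    // 1. basename(): drop any directory component the caller supplied,
    //    so "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // 2. Extension check, case-insensitive, on the *last* extension only.
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'flv') {
        return null;
    }

    // 3. realpath() both the root and the candidate. realpath() follows
    //    symlinks and returns false for paths that do not exist, which
    //    doubles as the file_exists() check.
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($rootReal === false || $fileReal === false) {
        return null;
    }

    // The resolved file must start with the resolved root plus a separator;
    // the separator stops "/videos-old/x.flv" from matching "/videos".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // 4. Regular file only: not a directory, FIFO or device node.
    if (!is_file($fileReal)) {
        return null;
    }

    return $fileReal;
}

$path = resolve_video_path(VIDEO_ROOT, $_GET['filename'] ?? '');
if ($path === null) {
    // Do not echo the requested name back; it is attacker-controlled input.
    http_response_code(404);
    exit;
}

header('Content-Type: video/x-flv');
header('Content-Length: ' . filesize($path));
$stream = fopen($path, 'rb');
fpassthru($stream);
fclose($stream);
```

Because the prefix comparison runs on the realpath() result, a symlink placed inside the storage directory that points outside it fails the check as well; basename() alone would not catch that. The function returns the resolved path rather than opening the file itself so the same check can be reused for any other download script in the thread's "file download interface" sense.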
JellyFish
DevNet Resident
Posts: 1361 Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA
Post by JellyFish » Wed Jul 04, 2007 2:19 pm
What kind of file is this called, that I'm making?
Last edited by JellyFish on Wed Jul 04, 2007 2:25 pm, edited 2 times in total.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post by feyd » Wed Jul 04, 2007 2:22 pm
It's the same type of file that goes along with file download interfaces.
JellyFish
DevNet Resident
Posts: 1361 Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA
Post by JellyFish » Wed Jul 04, 2007 2:26 pm
What should I use in place of fpassthru? My video.php file doesn't act like the .flv that it's posing to be.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post by feyd » Wed Jul 04, 2007 2:30 pm
fpassthru() is just fine; it's bound to be something else, likely header-related.
JellyFish
DevNet Resident
Posts: 1361 Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA
Post by JellyFish » Wed Jul 04, 2007 2:35 pm
feyd wrote: fpassthru() is just fine; it's bound to be something else, likely header-related.
I only have set the content-type header. Which other one is necessary?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post by feyd » Wed Jul 04, 2007 2:39 pm
That's something you'll need to research as I don't work with Flash video files.
JellyFish
DevNet Resident
Posts: 1361 Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA
Post by JellyFish » Wed Jul 04, 2007 2:48 pm
I see. I'm a bit stumped on what my research terms are: "php video output", "php video". Any suggestions?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post by feyd » Wed Jul 04, 2007 2:49 pm
It's probably more along the lines of what Flash is expecting and what the browsers are expecting and less about PHP.