
Posted: Mon Jul 02, 2007 4:20 pm
by Ambush Commander
What are root rights, and what is the Unix password file?
http://en.wikipedia.org/wiki/Superuser
http://en.wikipedia.org/wiki/Passwd
What is "Cracking the shell passwords"?
http://www.crypticide.com/alecm/security/c50a.txt
Break out of which directory
The one with your movie files.
what's an arbitrary file on my server?
Anything that's on the server. Your PHP scripts, your configuration files, your user data, etc. :-P

Posted: Mon Jul 02, 2007 4:36 pm
by JellyFish
So basically, I don't want people passing a path to my script that would have my script return any information I don't want them to get.

So how would I fix this? You say to use the basename function?

I could just make sure that the file path that is passed to my script be one with the MIME type of "video/x-flv". But I don't know how to do this.

Another method would be to check if the basename's suffix is that of ".flv".

Which would you suggest?

Posted: Mon Jul 02, 2007 6:02 pm
by Ambush Commander
I would do several checks:

1. basename() to make sure that the directory path is in the proper place
2. File extension check to make sure the requested file is valid
3. file_exists() check to make sure the file being requested exists

Posted: Mon Jul 02, 2007 8:09 pm
by JellyFish
How would I check the file extension?

Posted: Tue Jul 03, 2007 5:58 am
by superdezign
pathinfo()

Or regex.

Posted: Tue Jul 03, 2007 10:59 pm
by JellyFish

Code:

header("Content-type: video/x-flv");

$path_parts = pathinfo($_GET['filename']);

if ($path_parts['extension'] == "flv")
{
    // Only the extension is checked; the user-supplied path is otherwise used as given
    $stream = fopen("/home/content/t/r/a/tradingtresure/html/".$_GET['filename'], "rb");
}
else
{
    $stream = fopen("/home/content/t/r/a/tradingtresure/html/manager/chart-room/videos/error.flv", "rb");
}

fpassthru($stream);
Is this good?

I don't want to check for the directory because of the directories variable that I use.

Is what I have secure?

Other than that, I'm having a problem with this method (using a video.php file instead of an .flv file), and that is that it acts funny; for example, when the position of the video meets the loaded duration, the movie starts over. Is this because I'm using fpassthru rather than some other function(s)?

Posted: Wed Jul 04, 2007 5:51 am
by feyd
Not even remotely.

Check realpath() against the folder root of your storage directory. Make sure the file they are requesting exists, too.
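A hardened version of the handler that applies feyd's realpath() check together with the basename, extension and file_exists checks suggested earlier in the thread. This is an added example, not code posted by anyone in the thread; the storage directory, the `filename` parameter and the resolve_video_path() helper are assumptions.

```php
<?php
// Assumed storage root for the .flv files (realpath() canonicalises it, no trailing slash).
$baseDir = realpath('/home/content/t/r/a/tradingtresure/html/videos');
$allowedExt = 'flv';

// Returns the canonical path of a permitted video, or null if the request must be refused.
function resolve_video_path(string $baseDir, string $requested, string $allowedExt): ?string
{
    // 1. basename(): keep only the file name, dropping any directory components sent by the client.
    $name = basename($requested);

    // 2. Extension check, case-insensitive, so "movie.FLV" is still accepted.
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== $allowedExt) {
        return null;
    }

    // 3. Existence check: realpath() returns false when the file does not exist.
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($full === false || !is_file($full)) {
        return null;
    }

    // 4. The canonical path (symlinks resolved) must still start with the storage root.
    if (strpos($full, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $full;
}

$path = resolve_video_path($baseDir, $_GET['filename'] ?? '', $allowedExt);
if ($path === null) {
    // Refuse with a 404 rather than serving a fallback file from a user-influenced path.
    http_response_code(404);
    exit;
}

header('Content-Type: video/x-flv');
header('Content-Length: ' . filesize($path)); // the original script sent no length
$stream = fopen($path, 'rb');
fpassthru($stream);
fclose($stream);
```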

Posted: Wed Jul 04, 2007 2:19 pm
by JellyFish
What kind of file is this called, that I'm making?

Posted: Wed Jul 04, 2007 2:22 pm
by feyd
It's the same type of file that goes along with file download interfaces.

Posted: Wed Jul 04, 2007 2:26 pm
by JellyFish
What should I use in place of fpassthru? My video.php file doesn't act like the .flv that it's posing as.

Posted: Wed Jul 04, 2007 2:30 pm
by feyd
fpassthru() is just fine, it's bound to be something else, likely headers related.

Posted: Wed Jul 04, 2007 2:35 pm
by JellyFish
feyd wrote: fpassthru() is just fine, it's bound to be something else, likely headers related.
I only have set the content-type header. Which other one is necessary?

Posted: Wed Jul 04, 2007 2:39 pm
by feyd
That's something you'll need to research as I don't work with Flash video files.

Posted: Wed Jul 04, 2007 2:48 pm
by JellyFish
I see. I'm a bit stumped on what my research terms are; php video output, php video. Any suggestions?

Posted: Wed Jul 04, 2007 2:49 pm
by feyd
It's probably more along the lines of what Flash is expecting and what the browsers are expecting and less about PHP.