Facebook Proxy Loader Security

2019-07-23 18:31发布

站内问答 / PHP
329 1 5

I'm using a PHP proxy script to load images from Facebook into Flash without any sandbox violations. It is taken from the guide here: http://www.permadi.com/blog/2010/12/loading-facebook-profile-picture-into-flash-swf-using-open-graph-api/. The relevant PHP code is:

<?php
    $path=$_GET['path'];
    if (stristr($path, "fbcdn.")==FALSE && stristr($path, "facebook.")==FALSE)
    {
        echo "ERROR";
        exit;
    }
    header("Content-Description: Facebook Proxied File");
    header("Content-Type: image");
    header("Content-Disposition: attachment; filename=".$path);
    @readfile($path);
?>

The guide mentions that additional security measures are recommended for a real world application. What additional measures would be applicable to this? Maybe some kind of key passed from Flash to PHP?

I realise that there's nothing I can do to completely protect the Flash from being decompiled, but can I prevent the script from being used maliciously?

1条回答
冷血范
2楼-- · 2019-07-23 19:13

You should restrict the proxy to fetching image files from Facebook. You current "protection" will allow for example this URL: http://virus.provider.com/fbcdn./virus.exe

  • Make better checks of the domain bname, maybe using the parse_url function.
  • Check that you are indeed serving only images. Make sure the filename is ending in a image extension (this helps a lot for Windows clients), but also consider doing more thorough checks of the actual file content.
  • Consider adding a check of the $_SERVER['HTTP_REFERER'] to lower the incentives to use your script for hotlinking. If the HTTP_REFERER is non-empty, check that it's actually your site in there. This will mostly protect you from bandwidth thieves.
  • Make sure it's actually a remote path. Your current script can be tricked to sending for example your PHP files unparsed, including passwords and other secrets!
  • The filname in the Content-Disposition header should be set to a filename, not to the entire path.

Also consider caching the file data on your proxy server to speed up multiple calls to the same file.

These are a few of the things to keep in mind. You may reveal more if you put some thought into it.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)