Facebook Proxy Loader Security
Problem description
I'm using a PHP proxy script to load images from Facebook into Flash without any sandbox violations. It is taken from the guide here: http://www.permadi.com/blog/2010/12/loading-facebook-profile-picture-into-flash-swf-using-open-graph-api/. The relevant PHP code is:
<?php
$path=$_GET['path'];
if (stristr($path, "fbcdn.")==FALSE && stristr($path, "facebook.")==FALSE)
{
echo "ERROR";
exit;
}
header("Content-Description: Facebook Proxied File");
header("Content-Type: image");
header("Content-Disposition: attachment; filename=".$path);
@readfile($path);
?>
The guide mentions that additional security measures are recommended for a real world application. What additional measures would be applicable to this? Maybe some kind of key passed from Flash to PHP?
I realise that there's nothing I can do to completely protect the Flash from being decompiled, but can I prevent the script from being used maliciously?
You should restrict the proxy to fetching image files from Facebook. Your current "protection" will allow for example this URL: http://virus.provider.com/fbcdn./virus.exe
- Make better checks of the domain name, maybe using the parse_url function.
- Check that you are indeed serving only images. Make sure the filename is ending in an image extension (this helps a lot for Windows clients), but also consider doing more thorough checks of the actual file content.
- Consider adding a check of the $_SERVER['HTTP_REFERER'] to lower the incentives to use your script for hotlinking. If the HTTP_REFERER is non-empty, check that it's actually your site in there. This will mostly protect you from bandwidth thieves.
- Make sure it's actually a remote path. Your current script can be tricked into sending for example your PHP files unparsed, including passwords and other secrets!
- The filename in the Content-Disposition header should be set to a filename, not to the entire path.
Also consider caching the file data on your proxy server to speed up multiple calls to the same file.
These are a few of the things to keep in mind. You may reveal more if you put some thought into it.
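The points from the answer above, applied to the asker's script in one hardened version. This is an added example, not the asker's code or the guide's; the domain allowlist, the image extensions and OWN_SITE_HOST are assumptions standing in for your own deployment.

```php
<?php
// Added example, not the asker's or the guide's code: the same proxy with the
// answer's checks applied. ALLOWED_DOMAINS and OWN_SITE_HOST are assumptions
// (placeholders for your deployment); needs PHP 8 and allow_url_fopen enabled.
const ALLOWED_DOMAINS    = ['fbcdn.net', 'facebook.com'];   // assumed allowlist
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];
const OWN_SITE_HOST      = 'www.example.com';               // placeholder
function fail(string $msg): void {
    http_response_code(403);
    exit('ERROR: ' . $msg);
}
// Match the host component only, so http://virus.provider.com/fbcdn./virus.exe is rejected.
function host_is_allowed(string $host): bool {
    $host = strtolower($host);
    foreach (ALLOWED_DOMAINS as $domain) {
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            return true;
        }
    }
    return false;
}

$path  = $_GET['path'] ?? '';
$parts = parse_url($path);
// Require a remote http(s) URL: rejects file://, php:// and bare local paths, so the
// script cannot be made to return its own (or other) PHP files unparsed.
if ($parts === false || empty($parts['host']) || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
    fail('not a remote http(s) URL');
}
if (!host_is_allowed($parts['host'])) { fail('host not allowed'); }

// Content-Disposition gets a sanitised file name, never the whole URL.
$filename = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($parts['path'] ?? ''));
if (!in_array(strtolower(pathinfo($filename, PATHINFO_EXTENSION)), ALLOWED_EXTENSIONS, true)) {
    fail('not an image extension');
}

// Referer check, enforced only when a Referer header is present.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ($referer !== '' && strcasecmp((string) parse_url($referer, PHP_URL_HOST), OWN_SITE_HOST) !== 0) {
    fail('hotlinking not allowed');
}

// Inspect the actual bytes, not just the extension, before serving them as an image.
$data = @file_get_contents($path);
$info = ($data === false) ? false : @getimagesizefromstring($data);
if ($info === false || empty($info['mime'])) { fail('content is not an image'); }
header('Content-Type: ' . $info['mime']);
header('Content-Disposition: attachment; filename="' . $filename . '"');
echo $data;
```

Note that file_get_contents follows HTTP redirects by default, so a redirect from an allowed host to another server is not re-checked; for production, fetch with a cURL handle that has redirects disabled (or re-validate the final URL) and cache the validated responses as the answer suggests.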