  #16  
Old 18 Dec 2014, 06:57
AndrewSimm AndrewSimm is offline
 
Join Date: Sep 2006
Caching would be a plus. I am not sure how external images in BB code are cached now. Here is what I have created so far:

proxy.php

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

bbcode_image_match hook

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

The above accomplishes having the image go through https, as I have moved my DNS to Cloudflare and have no mixed content warnings. I am not sure how the above would be cached, and I am not sure how to prevent someone from using my proxy.php file as their own image proxy. Basically, I only want vBulletin to be able to use this PHP file. I have tested it and I think it is safe from file inclusion, but I could be wrong.

--------------- Added 18 Dec 2014 at 07:01 ---------------

Here is an example
https://www.canesinsight.com/proxy.p...om/UxY5hpY.png

One thing I would like to fix is when someone goes back to edit the image in the img tags it shows the full link with the proxy.php. This could confuse some users so not sure how I can just have it use that in front of the image when the page is rendered but hidden when someone clicks to view the code to edit the img tag.

Last edited by AndrewSimm; 18 Dec 2014 at 07:33.
  #17  
Old 18 Dec 2014, 11:38
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Oh, OK, so you mostly solved the problem yourself already?
  #18  
Old 18 Dec 2014, 17:11
AndrewSimm AndrewSimm is offline
 
Join Date: Sep 2006
Originally Posted by kh99 View Post
Oh, OK, so you mostly solved the problem yourself already?
I have the proxy working so I guess so. I just have a few things to work out that I can't figure out.
  #19  
Old 18 Dec 2014, 18:45
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Originally Posted by AndrewSimm View Post
I have the proxy working so I guess so. I just have a few things to work out that I can't figure out.
OK, then I may still try it if I get motivated. Implementing a proxy with caching seems interesting.

ETA: Also, that's pretty clever that you got it basically working with only a few lines of code. I was thinking about how to do it and obviously I was making things too complicated.

Last edited by kh99; 18 Dec 2014 at 19:28.
  #20  
Old 18 Dec 2014, 20:37
Dave Dave is offline
 
Join Date: Jun 2010
Originally Posted by kh99 View Post
OK, then I may still try it if I get motivated. Implementing a proxy with caching seems interesting.

ETA: Also, that's pretty clever that you got it basically working with only a few lines of code. I was thinking about how to do it and obviously I was making things too complicated.
Might be clever, but I could cause a huge load on the server if I include big images. Easy to do a DoS attack like that.
  #21  
Old 18 Dec 2014, 21:20
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Originally Posted by Dave View Post
Might be clever, but I could cause a huge load on the server if I include big images. Easy to do a DoS attack like that.
Yeah, I think we all agree that it has issues, that's why I said "basically working". I think it needs a few basic checks, like not rewriting the url if it's already using https.

My thoughts (and some of this comes from reading about the XenForo version that was linked earlier) were to try to keep the proxy script from having to read the database, or at least from loading the vBulletin stuff to check permissions. My thought was to generate a random "secret" and save it somewhere (a file, I guess, if not using the database). Then when rewriting the links, hash the secret with the url and add that as a parameter. That will at least allow the proxy script to check that the requested image is actually something someone posted. But with that scheme there's no way to 'delete' a link once it's out there.

As for someone hot linking, I guess that's the same issue as any other image you might be hosting.

Do you really think that this script represents a significantly greater opportunity for DoS attack over just requesting vBulletin pages? I guess a server normally doesn't use a lot of incoming bandwidth, so maybe that's a problem. Maybe caching could solve that.

Let me know what problems you see and if you have any ideas for solving them.


Edit: I was thinking about this: If you have a proxy script like this on your server, I can post any url I want as an image src, and now I have a url that looks like it's coming from your server that delivers anything I want. I don't know how that could be used maliciously, but it sounds bad. Does anyone know more about that kind of stuff?

Last edited by kh99; 18 Dec 2014 at 22:26.
  #22  
Old 19 Dec 2014, 07:35
AndrewSimm AndrewSimm is offline
 
Join Date: Sep 2006
Here is what I changed the plugin to on bbcode_image_match. This detects https and does not use the proxy if the image is https. If the image is http then it does.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

The 3 issues I have yet to figure out are:
- Detect filesize of a link so I could limit it.
- Prevent others from hotlinking the image proxy and making it look as if I am hosting an image.
- Cache

--------------- Added 19 Dec 2014 at 07:57 ---------------

Last edited by AndrewSimm; 19 Dec 2014 at 08:05.
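The signed-link scheme kh99 describes in post #21, combined with the size-limit and hotlinking items from the list in post #22, as an added example that is not code from this thread or from any vBulletin add-on. It uses HMAC-SHA256 as the keyed hash; the function names, the 2 MiB limit, the one-day cache lifetime and the proxy_secret.txt path are assumptions.

```php
<?php
// Added example; function names, limits and the secret file path are assumptions.
const MAX_BYTES = 2097152; // assumed 2 MiB cap per proxied image

// Forum side (e.g. the bbcode_image_match plugin): rewrite only plain-http images.
function proxy_link(string $url, string $secret): string {
    if (stripos($url, 'https://') === 0) {
        return $url; // already https, served directly
    }
    return 'proxy.php?url=' . rawurlencode($url)
        . '&sig=' . hash_hmac('sha256', $url, $secret);
}

// Proxy side: accept only http URLs carrying a signature the forum generated.
function link_is_valid(string $url, string $sig, string $secret): bool {
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'http') {
        return false; // rejects file://, php:// and anything not rewritten above
    }
    return hash_equals(hash_hmac('sha256', $url, $secret), $sig);
}

// Proxy side: download with a hard size cap; returns [mime, bytes] or null.
function fetch_capped(string $url): ?array {
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body) {
            $body .= $chunk;
            // Any return value other than the chunk length aborts the transfer.
            return strlen($body) > MAX_BYTES ? -1 : strlen($chunk);
        },
    ]);
    $ok = curl_exec($ch);
    $info = $ok ? @getimagesizefromstring($body) : false;
    return $info ? [$info['mime'], $body] : null; // only real images pass
}

// proxy.php entry point.
if (isset($_GET['url'], $_GET['sig']) && is_string($_GET['url']) && is_string($_GET['sig'])) {
    $secret = trim(file_get_contents(__DIR__ . '/proxy_secret.txt')); // e.g. bin2hex(random_bytes(32))
    $img = link_is_valid($_GET['url'], $_GET['sig'], $secret) ? fetch_capped($_GET['url']) : null;
    if ($img === null) { http_response_code(403); exit; }
    header('Content-Type: ' . $img[0]);
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: public, max-age=86400'); // let browsers reuse it for a day
    echo $img[1];
}
```

As noted in post #21, a link signed this way stays valid for as long as the secret is unchanged; replacing the secret invalidates every link issued under it.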
  #23  
Old 07 Jan 2015, 22:32
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Well, as usual I never got around to working on this, but I just noticed this: http://www.vbulletin.org/forum/showthread.php?t=288060
  #24  
Old 08 Jan 2015, 02:36
AndrewSimm AndrewSimm is offline
 
Join Date: Sep 2006
Oh wow, I am not sure how I missed that. The only thing is I don't want to download the image to my server. I want the images to be externally linked to conserve space. It looks like this post in that mod shows how to do it.

http://www.vbulletin.org/forum/showp...3&postcount=12

If the image is downloaded to the server why would it need to go through a proxy?

I wonder if it could be cached without being downloaded?

Thank you for finding this.

Would there be an advantage to using curl?

Last edited by AndrewSimm; 08 Jan 2015 at 02:48.
  #25  
Old 08 Jan 2015, 13:18
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Well, I think it downloads it to cache it, but it doesn't look like there's any security or any limiting of cache size, so I guess there's no difference between that and downloading them all to your server. And if you use the code in the post that eliminated the cache, then I guess you're pretty much back to what you have.

I don't know that curl is any better. I guess it's a little easier to set headers and manage any errors that might happen, but if what you have is working for you, then it doesn't matter.
  #26  
Old 08 Jan 2015, 19:04
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
I don't see why you wouldn't just cache images for some period of time, it'd save you a ton of bandwidth.
  #27  
Old 09 Jan 2015, 02:47
AndrewSimm AndrewSimm is offline
 
Join Date: Sep 2006
Originally Posted by Zachery View Post
I don't see why you wouldn't just cache images for some period of time, it'd save you a ton of bandwidth.
That would be ideal. I am not sure if the mod linked does that. Also if they are cached on the server there would be no need to run them through an image proxy.
  #28  
Old 17 Jan 2015, 18:34
Mellnik Mellnik is offline
 
Join Date: Dec 2011
Can anyone make an ImageProxy Product which works as fine as on forums like bitcointalk.org? I would even pay for it.