[java] Applet security issue

8 comments, last by ddyer 16 years, 6 months ago
My applet needs to download images from various other servers. Is there a way to do this without signing it? If not, what is the easiest path to getting the applet signed?
You can sign it yourself, but of course the users will be asked
to trust you, or whoever signed the applet. If you want to
download images with no intervention, you'll have to do it through
a proxy located on the same site as the applet.

---visit my game site http://www.boardspace.net - free online strategy games

You could make a really simple PHP image proxy:

getImage.php
<?php header("location: $_REQUEST[imageURL]") ?>

Save that on your web server and use it like so:

String imageURL = "http://myserver/getImage.php?imageURL=http://imageshack.us/my_offsite_pic.png";
Actually, on second thought, that won't work.

Instead, you'll have to read the file in PHP and echo the contents back out. You might try something like:

<?php echo file_get_contents($_REQUEST['imageURL']); ?>
You could create such a proxy in PHP (or some other server-side language) - that would be the easiest way.

But it should definitely do some security checks (such as that the image comes from a trusted site etc, protocol really is http) - the code shown by domstyledesign is VERY vulnerable to being attacked (It can be used to dump the contents of any local file). You might also want to limit the maximum size of the file proxied.

You probably also want to set the content-type header to the appropriate value.

Mark
OK, thanks. This sounds like the way I want to go. The code you provided causes the following warnings:

Warning: file_get_contents(): URL file-access is disabled in the server configuration in .../getImage.php on line 1

Warning: file_get_contents(http://www.imageserver.com/current.jpg): failed to open stream: no suitable wrapper could be found in .../getImage.php on line 1

I have given it execute permissions along with read and write. Something I'm missing?

EDIT: never mind, found the setting in php.ini :) Thanks, guys.

[Edited by - MaliciousDigit on October 8, 2007 1:16:44 PM]
Wow. This is extremely slow. Is there any way to speed it up other than getting a faster server?
Quote: Original post by markr
But it should definitely do some security checks (such as that the image comes from a trusted site etc, protocol really is http) - the code shown by domstyledesign is VERY vulnerable to being attacked

I agree completely with this advice. If you do build a proxy, it should
be very restricted to proxying the files you intend it to. Otherwise, it WILL
be hijacked and you'll find your server acting as a major portal for porn
or something similar.

---visit my game site http://www.boardspace.net - free online strategy games
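As an added example (not code from markr, ddyer or anyone else in this thread), here is a getImage.php that applies the checks markr lists (allowed host, http(s) only, size cap, correct Content-Type) and ddyer's rule of proxying only what you intend, streaming with fread as the OP later did. It assumes allow_url_fopen is enabled and that the hostnames in $allowedHosts are your own image servers.

```php
<?php
// Added example, not code from any poster in this thread: a restricted image
// proxy following markr's checks (allowed host, http(s) only, size cap,
// correct Content-Type) and ddyer's advice to proxy only what you intend.
// Assumed: allow_url_fopen is on, called as getImage.php?imageURL=...
$allowedHosts = ['images.example.com', 'cdn.example.com']; // assumption: your own image hosts
$allowedTypes = ['image/png', 'image/jpeg', 'image/gif'];
$maxBytes     = 2 * 1024 * 1024; // refuse anything over 2 MiB

function fail(int $code, string $msg): void {
    http_response_code($code);
    header('Content-Type: text/plain');
    exit($msg);
}

$url   = $_GET['imageURL'] ?? '';
$parts = parse_url($url);
// Only plain http(s) URLs to listed hosts get through; this is what blocks
// file://, php:// and other wrappers that file_get_contents would accept.
if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), $allowedHosts, true)) {
    fail(403, 'URL not allowed');
}

// follow_location=0: a redirect to an unlisted host returns its 3xx body
// here instead of being fetched, and then fails the Content-Type check below.
$ctx = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
$in  = @fopen($url, 'rb', false, $ctx);
if ($in === false) {
    fail(502, 'Could not fetch image');
}
$type = 'application/octet-stream';
foreach (stream_get_meta_data($in)['wrapper_data'] ?? [] as $hdr) {
    if (preg_match('/^Content-Type:\s*([^;\s]+)/i', $hdr, $m)) {
        $type = strtolower($m[1]);
    }
}
if (!in_array($type, $allowedTypes, true)) {
    fclose($in);
    fail(415, 'Not an allowed image type');
}
// Stream in chunks and stop once the byte cap is exceeded
// (headers are already sent by then, so we can only cut the body short).
header('Content-Type: ' . $type);
$sent = 0;
while (!feof($in) && ($chunk = fread($in, 8192)) !== false && $chunk !== '') {
    $sent += strlen($chunk);
    if ($sent > $maxBytes) { break; }
    echo $chunk;
}
fclose($in);
```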

Quote: Original post by ddyer
You can sign it yourself, but of course the users will be asked
to trust you, or whoever signed the applet. If you want to
download images with no intervention, you'll have to do it through
a proxy located on the same site as the applet.

As a lesser of two evils, how do I sign it? Leaving the image loading calls in makes them fail, so I'm assuming signing will allow you to do this if the user agrees.
I was trying to avoid making the user agree to anything, but the proxy server seems too slow for downloading the hi-def images I'm doing.
I switched to fread-based streaming and it helped, but the cost is still substantial, since now two computers have to download the image.
There's a program called "jarsigner" in the JDK.

---visit my game site http://www.boardspace.net - free online strategy games
