Revision history for ActionsWithCheckSum


Revision [19117]

Last edited on 2008-01-28 00:14:03 by OnegWR [Modified links pointing to docs server]

No Differences

Revision [16849]

Edited on 2007-05-31 23:26:32 by OnegWR [Reverted]
Additions:
if (isset($_REQUEST["url"]) && $_REQUEST["url"]<>'' && $this->isAdmin())
{
$url = stripslashes($_REQUEST["url"]);
$page = $this->ExistsPage(stripslashes($_REQUEST["page"])) ? stripslashes($_REQUEST["page"]) : $this->tag ;
print "<br />OLD: {{iframe url=\"$url\" height=\"480\" width=\"640\"}}<br />\n\n";
//Generate CheckSum...
$md5 = md5( 'iFrame'. //prevent reusing the md5 for another action
$this->config["mysql_password"]. //Something you would never give away
$page. //prevent usage on another page
$rnd. //prevent usage on another server (=other rnd!)
$url ); //prevent changes in the url
print "<br />NEW: {{iframe url=\"$url\" height=\"480\" width=\"640\" md5=\"$md5\"}}<br />\n\n";
}
?>%%
~ 2. Unlock (save as ##actions/iframe.php##)
$width = $this->htmlspecialchars_ent(trim($vars['width']));
$height = $this->htmlspecialchars_ent(trim($vars['height']));
$url = $this->cleanUrl(trim($vars['url']));
$md5 = md5('iFrame'. $this->config["mysql_password"] . $this->tag . $rnd . $url);
print "<!-- $md5 - ".$vars['md5']." -->"; //DEBUG remove when in production
if( $md5 == $vars['md5'] )
{
echo '<iframe width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';
}
else
{
print "ERROR...";
}
?>%%
=== The change ===
~- This is the output of the first script, generating the correct code for you
~~ OLD: ""{{iframe url="http://www.google.com/" height="480" width="640"}}""
~~ NEW: ""{{iframe url="http://www.google.com/" height="480" width="640" md5="7f30d953687f82ecb15f64d0606f7d3e"}}""
~~~ So this action can only be included on my intranet server, on the "SandBox" page AND with "http://www.google.com/" as url...
~- Not that much get changed: one param more in the action. Even the new iframe action isn't that different from the old one (one extra check)
=== Note ===
~- Width and height aren't for the moment in the md5sum. This allows a user to have some level of flexibility...
~- The md5 generator code would become one central function in production.
~- Idea: $rnd generated by the setup script? Saved in $config['rnd'] ?
-- OnegWR
----
=== Remarks ===
//Please feel free to contribute!//
~- How easy would it be to guess my mysql_password? -- OnegWR
~- ...
----
CategoryDevelopmentSecurity
Deletions:
if (isset($_REQUEST["url"])
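Review bot: the unlock check `if( $md5 == $vars['md5'] )` in actions/iframe.php uses PHP's loose comparison, which treats numeric-looking strings as numbers; compare the two hashes with `===` (or, on PHP 5.6 and later, `hash_equals()`) so that only an exact string match renders the iframe. Two more points in the same additions: `$rnd` is read in both geniframe.php and iframe.php but never assigned in either, so until the idea from the Note (a setup-generated value kept in `$config['rnd']`) is implemented it adds nothing to the checksum and raises an undefined-variable notice; and the `<!-- $md5 - ... -->` DEBUG line writes the expected checksum into the page source of every render, so it must be removed before deployment, as its own comment says. Given the Remarks question about how guessable mysql_password is, consider keying the checksum on a dedicated random secret with `hash_hmac('md5', 'iFrame'.$page.'|'.$rnd.'|'.$url, $secret)` rather than on the database password, and put a separator between `$page`, `$rnd` and `$url` so their boundaries are unambiguous when concatenated.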


Revision [16649]

Edited on 2007-05-31 10:29:06 by Or2U5t [Reverted]
Additions:
if (isset($_REQUEST["url"])
Deletions:
if (isset($_REQUEST["url"]) && $_REQUEST["url"]<>'' && $this->isAdmin())
{
$url = stripslashes($_REQUEST["url"]);
$page = $this->ExistsPage(stripslashes($_REQUEST["page"])) ? stripslashes($_REQUEST["page"]) : $this->tag ;
print "<br />OLD: {{iframe url=\"$url\" height=\"480\" width=\"640\"}}<br />\n\n";
//Generate CheckSum...
$md5 = md5( 'iFrame'. //prevent reusing the md5 for another action
$this->config["mysql_password"]. //Something you would never give away
$page. //prevent usage on another page
$rnd. //prevent usage on another server (=other rnd!)
$url ); //prevent changes in the url
print "<br />NEW: {{iframe url=\"$url\" height=\"480\" width=\"640\" md5=\"$md5\"}}<br />\n\n";
}
?>%%
~ 2. Unlock (save as ##actions/iframe.php##)
$width = $this->htmlspecialchars_ent(trim($vars['width']));
$height = $this->htmlspecialchars_ent(trim($vars['height']));
$url = $this->cleanUrl(trim($vars['url']));
$md5 = md5('iFrame'. $this->config["mysql_password"] . $this->tag . $rnd . $url);
print "<!-- $md5 - ".$vars['md5']." -->"; //DEBUG remove when in production
if( $md5 == $vars['md5'] )
{
echo '<iframe width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';
}
else
{
print "ERROR...";
}
?>%%
=== The change ===
~- This is the output of the first script, generating the correct code for you
~~ OLD: ""{{iframe url="http://www.google.com/" height="480" width="640"}}""
~~ NEW: ""{{iframe url="http://www.google.com/" height="480" width="640" md5="7f30d953687f82ecb15f64d0606f7d3e"}}""
~~~ So this action can only be included on my intranet server, on the "SandBox" page AND with "http://www.google.com/" as url...
~- Not that much get changed: one param more in the action. Even the new iframe action isn't that different from the old one (one extra check)
=== Note ===
~- Width and height aren't for the moment in the md5sum. This allows a user to have some level of flexibility...
~- The md5 generator code would become one central function in production.
~- Idea: $rnd generated by the setup script? Saved in $config['rnd'] ?
-- OnegWR
----
=== Remarks ===
//Please feel free to contribute!//
~- How easy would it be to guess my mysql_password? -- OnegWR
~- ...
----
CategoryDevelopmentSecurity
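Review bot: this revision replaces the entire page (both scripts, the change description, the notes and the remarks) with the single fragment `if (isset($_REQUEST["url"])`, which is not even a complete PHP statement; nothing in the edit indicates an intended change, and the content is restored in revision [16849].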


Revision [14628]

Edited on 2006-06-17 11:58:22 by OnegWR [adding the filenames]
Additions:
~ 1. Lock down (save as ##actions/geniframe.php##)
~ 2. Unlock (save as ##actions/iframe.php##)
Deletions:
~ 1. Lock down
~ 2. Unlock


Revision [14626]

The oldest known version of this page was created on 2006-06-17 10:16:23 by OnegWR [adding the filenames]