| 9:05 pm on May 21, 2009 (gmt 0)|
The security implications are the same: you are still putting a foreign file onto your file system!
The only difference is that instead of the file coming directly from your user (file upload), it is now coming directly from a 3rd party web server.
Employ the same basic security guidelines to handle the file. The 4 things you mention are all good steps. Try Googling "PHP file upload security" for more specific concerns about uploading user files onto your system.
| 10:15 pm on May 21, 2009 (gmt 0)|
I was thinking more along the lines of using my server to access external resources (like a proxy). I see it all the time with failed attempts in my access log.
| 10:18 am on May 26, 2009 (gmt 0)|
|what security concerns can there be in my server trying to do an HTTP GET on a URL the member provided? |
If I understand this correctly, a member sets a link for an image that points to an external site. Now as your users browse pages on your site, some images may point to an external site (whatever was specified by the image links of your members), correct?
If so then we have
Link to the image:
Here are a few things that can be done.
Once the image link is set to your site, the member changes the content of the image to some adult content only for some IPs or only at a specific time of the day.
Another case is he can set an authorization script inside his /image folder that rotates. Now some members of your site will see a popup dialog prompting them to enter their credentials. Just use your imagination; the possibilities are unlimited.
So make sure of at least 2 things.
1. Make sure they upload the image files to your server (no hot-linking)
2. Validate the images.
| 7:50 am on May 28, 2009 (gmt 0)|
enigma1 > you misunderstood. The issue is not to link to an external URL but to download from the URL and store the image on my server.
| 7:56 am on May 28, 2009 (gmt 0)|
darkage... are you vetting the images stored, or just taking them willy nilly? Freely admit I'm a bit of a control freak. I want to control what appears on my sites.
And when push comes to shove I want my users to send me the images direct rather than point to a third party (where's the audit trail in that!)?
| 9:09 am on May 28, 2009 (gmt 0)|
darkage, best to have the users upload the images, then you validate/authorize them before displaying. Or maybe you can have instructions to upload their images on another server which you trust (there are services online for this I believe) and then have your server automatically download them and store them.
But if you have your server automatically download them and store them, and they are then accessible without validation, that is no different than the hot-linking problems mentioned above.
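As an added illustration (not part of the thread and not any poster's code), this is one way to gate a server-side fetch of a member-supplied image URL before anything is stored. It is written in Python; the size cap, the function names and the sample hosts and addresses are assumptions made for the example.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

MAX_BYTES = 2 * 1024 * 1024  # assumed size cap, not from the thread
# Leading bytes -> extension the server assigns (never the remote file name)
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
         b"GIF87a": "gif", b"GIF89a": "gif"}

def url_allowed(url, resolved_ips):
    """Accept only http(s) URLs whose host resolved to public addresses.

    resolved_ips is the list your own DNS lookup returned for the host;
    connect to one of those addresses, not to a fresh lookup.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password or not resolved_ips:
        return False
    return all(ipaddress.ip_address(ip).is_global for ip in resolved_ips)

def classify_image(data):
    """Return the extension for a recognised image body, else None."""
    if not data or len(data) > MAX_BYTES:
        return None
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def stored_name(data):
    """Server-chosen file name: content hash plus the detected extension."""
    ext = classify_image(data)
    if ext is None:
        return None
    return hashlib.sha256(data).hexdigest()[:16] + "." + ext

# Constructed sample bodies (not real downloads)
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SCRIPT_BODY = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    print(url_allowed("http://images.example.com/a.png", ["93.184.216.34"]))
    print(url_allowed("http://images.example.com/a.png", ["10.0.0.5"]))
    print(stored_name(PNG_BODY), stored_name(SCRIPT_BODY))
```

The magic-byte check only confirms the header; decoding and re-encoding the image with an image library before it is displayed is the stronger validation step.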