I've been following this thread with great interest. What was the
G3-protocol-breaking method that you had in mind to get around this problem?
I can't see how you can reliably pass a private url (or, equivalently, the
image data itself) to digibug without either:
- A shared secret with Digibug to verify the callback, or, less convenient but
  perhaps equivalent, checking/verifying the IP address from which Digibug
  tries to download the image data
OR
- A direct G3-server to Digibug protocol, i.e. not passing the url via a
  hidden field in a form in the user's browser.
-A
----- Original Message -----
From: "Bharat Mediratta" <bharat@...>
To: "Chris F-2" <lists@...>
Cc: <gallery-devel@...>
Sent: Monday, June 29, 2009 5:02 AM
Subject: Re: [Gallery-devel] State of Digibug module
Chris F-2 wrote:
> key = md5(imageid + galleryuniqueid)
...
> That means the url will be:
>
> http://example.com/gallery3/print_photo/35/12390239bbf32f
> http://example.com/gallery3/print_photo/36/534313901bfb1
> http://example.com/gallery3/print_photo/37/1239bab9321vb...
I see. The problem is that the "print" button has to provide a link to
this url, so each of these urls will be on display. This means that
while I can't just put in arbitrary ids to grab your full size images, I
can just write a crawler to find these urls and then escalate each of
them into a full size url. The end result is the same, as far as I can
tell-- I'll be able to circumvent permissions and grab your full size
images.
-Bharat
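The two schemes discussed in this thread side by side, as an added illustration that is not code from the Gallery project or from either poster: the static `md5(imageid + galleryuniqueid)` key Bharat objects to (once it appears in a print link, it is valid forever for anyone who has seen it), and the shared-secret callback check A proposes, here done as an HMAC token bound to the image id, an expiry and a single-use nonce. The gallery id, the shared secret and the token layout are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values standing in for one Gallery 3 install (assumptions).
GALLERY_UNIQUE_ID = "c0ffee-gallery-id"          # per-install id from the thread's formula
DIGIBUG_SHARED_SECRET = b"example-shared-secret"  # secret shared with Digibug out of band


def static_key(image_id: int) -> str:
    """Scheme quoted in the thread: key = md5(imageid + galleryuniqueid).
    The key is fixed per image, so a print link that shows it grants
    permanent access to the full-size image to anyone who records the link."""
    return hashlib.md5(f"{image_id}{GALLERY_UNIQUE_ID}".encode()).hexdigest()


def issue_print_token(image_id: int, now: int, ttl: int = 300) -> str:
    """Shared-secret alternative: a per-request token that only the gallery
    (and Digibug, which holds the same secret) can produce or check."""
    expires = now + ttl
    nonce = secrets.token_hex(8)
    msg = f"{image_id}:{expires}:{nonce}".encode()
    mac = hmac.new(DIGIBUG_SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{image_id}:{expires}:{nonce}:{mac}"


def verify_print_token(token: str, now: int, used_nonces: set) -> bool:
    """Check run by the gallery when Digibug calls back for the image data:
    recompute the MAC, compare in constant time, reject expired tokens and
    replays. A harvested link therefore stops working after one fetch."""
    try:
        image_id, expires_str, nonce, mac = token.split(":")
        expires = int(expires_str)
    except ValueError:
        return False
    msg = f"{image_id}:{expires}:{nonce}".encode()
    expected = hmac.new(DIGIBUG_SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    if now > expires or nonce in used_nonces:
        return False
    used_nonces.add(nonce)  # single use: Digibug downloads the image once
    return True
```

Verifying the requester's IP address, the other option A mentions, would be an additional check in `verify_print_token`, not a replacement for the MAC.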
------------------------------------------------------------------------------
__[ g a l l e r y - d e v e l ]_________________________
[ list info/archive -->
http://gallery.sf.net/lists.php ]
[ gallery info/FAQ/download -->
http://gallery.sf.net ]