Topic awaiting preservation: Securing a newsreader that takes $_GET

 
H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 07-20-2005 05:37

Hi all, I have a little project I'm doing that needs to be able to take a news reader URL from the URL of this page, and display the results.

It all works fine etc. What I'm worried about is what I need to do to make it secure.

Basically it's like newsreader.php?feed=http://somesite/somefeed.xml

Then it shows the results. What I'm also doing is caching the data for a set time into a file for each news feed; the file name is simply the md5 of the feed URL, so md5(http://somesite/somefeed.xml). In that file the XML content is stored.

So the file is parsed using the PHP XML functions and the results are displayed in a table. Is there anything I need to do to make this safe? To make it so people can't inject PHP code etc.

One thing I do at the moment is check for invalid file extensions such as .php, .exe, .bat etc. Basically it will allow .xml, .rss and none, as many newsfeeds have no extension at all.

Any feedback would be great, thanks.

DmS
Maniac (V) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 07-20-2005 09:55

I helped Steve over at the GN with this for his Flash newsreader a while back, take a look in this thread http://www.gurusnetwork.com/discussion/thread/2942/ and I'm sure you'll find some tips that you can use.
/Dan

{cell 260} {Blog}
-{ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson }-

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 07-20-2005 10:18

Thanks for that, interesting. I won't have a list to compare to unfortunately, as that would really defeat the purpose of it.

Currently the security:
- Checks to make sure it has http:// or https://
- Blocks any invalid extensions: .php, .exe, .com, .bat, .asp etc. (I don't think anyone provides XML this way; if they do, bad luck for that link.)

So is this secure enough? Can someone do anything malicious if I block all of those? Can you run PHP from an XML file? When PHP parses it, it checks to make sure it's a valid XML document, so I don't see how.

Any thoughts on that?

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 07-20-2005 13:26

Open the document and make sure that you validate the page as XML; if the page is valid and it follows the specified DTD, you should be just as safe as if you are accepting form input. But just like for form input, make sure to further validate any data that you might be processing.

Dan @ Code Town
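An added example (not code from this thread or its posters) that puts together the checks H][RO lists above and WarMage's advice to validate the fetched document as XML: a scheme allowlist, an extension allowlist (.xml, .rss or none), the md5-derived cache filename, and a parse step that treats the body as data only. Function names and the cache directory are assumptions.

```php
<?php
// Validates the ?feed= parameter: absolute http/https URL whose path ends in
// .xml, .rss or has no extension at all. Returns the URL or null if rejected.
function validate_feed_url(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;                       // not a well-formed absolute URL
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                       // scheme allowlist
    }
    // Extension allowlist is applied to the path component only.
    $ext = strtolower(pathinfo($parts['path'] ?? '/', PATHINFO_EXTENSION));
    if ($ext !== '' && !in_array($ext, ['xml', 'rss'], true)) {
        return null;
    }
    return $url;
}

// Cache filename as the thread describes: the md5 of the feed URL. The name
// is a fixed-length hex digest, so no part of the URL reaches the filesystem.
// $cacheDir is an assumed location.
function cache_path_for(string $url, string $cacheDir = '/tmp/feedcache'): string
{
    return rtrim($cacheDir, '/') . '/' . md5($url) . '.cache';
}

// The downloaded body is parsed as XML and discarded if it does not parse.
// LIBXML_NONET keeps the parser from fetching anything over the network.
function parse_feed_xml(string $body): ?SimpleXMLElement
{
    $prev = libxml_use_internal_errors(true);
    $xml  = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $xml === false ? null : $xml;
}

// Constructed sample inputs for a quick run.
foreach (['http://somesite/somefeed.xml', 'http://somesite/feed',
          'ftp://somesite/somefeed.xml', 'http://somesite/page.php'] as $u) {
    $ok = validate_feed_url($u);
    echo $u, ' => ', $ok === null ? 'rejected' : cache_path_for($ok), PHP_EOL;
}
```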

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 07-22-2005 07:11

Thanks, yeah I figured as much. I guess in some ways I have to be a little more flexible than form input. Generally for most of my form input I only allow alphanumeric characters, but URLs need a few other things.

Will make it as restrictive as I can, then open up things as I see the need to.
