Might be clever, but I could cause a huge load on the server if I include big images. Easy to do a DoS attack like that.
Yeah, I think we all agree that it has issues, that's why I said "basically working". I think it needs a few basic checks, like not rewriting the url if it's already using https.
My thoughts (and some of this comes from reading about the xenforo version that was linked earlier) was to try to keep the proxy script from having to read the database, or at least from loading the vbulletin stuff to check permissions. My thought was to generate a random "secret" and save it somewhere (a file, I guess, if not using the database). Then when rewriting the links, hash the secret with the url and add that as a parameter. That will at least allow the proxy script to check that the requested image is actually something someone posted. But with that scheme there's no way to 'delete' a link once it's out there.
As for someone hot linking, I guess that's the same issue as any other image you might be hosting.
Do you really think that this script represents a significantly greater opportunity for DoS attack over just requesting vbulletin pages? I guess a server normally doesn't use a lot of incoming bandwidth, so maybe that's a problem. maybe caching could solve that.
Let me know what problems you see and if you have any ideas for solving them.
Edit: I was thinking about this: If you have a proxy script like this on your server, I can post any url I want as an image src, and now I have a url that looks like it's coming from your server that delivers anything I want. I don't know how that could be used maliciously, but it sounds bad. Does anyone know more about that kind of stuff?
12-18-2014, 08:20 PM
Threaded Mode