Flash RSS Reader Pg.12
source: http://www.thegoldenmean.com
12 — Proxy Script Revisited
A More Secure Proxy Script
Updated Material April, 2005
Please note: For those of you with hosting provided by DreamHost, the Proxy script originally presented on this page will no longer work due to DreamHost's decision (which I agree with, I guess) to disable the potential security risk caused by PHP functions that can include content from remote domains, among them the readfile() function the original Proxy uses. I think I have a suitable replacement using cURL, shown immediately following this paragraph. It is new and not thoroughly tested, so use at your own risk. It does appear to both a) work (assuming your ISP supports the PHP cURL extension) and b) meet DreamHost's security requirements. Tell me if you encounter any problems. Please read this extremely helpful blog page by Jr Conlin for a very good discussion of the security advantages of cURL. Note that, as shown, this snippet performs no approved-list check: it will fetch whatever URL is POSTed to it, so in practice it should be combined with the verifyLink() check discussed later on this page. Here is the new rssProxy.php code:
<?php
// rssProxy.php, cURL version (April 2005)
$feedURL = trim($_POST['rss']);
$ch = curl_init($feedURL);
// Ask for the body as the return value of curl_exec(). Without this option
// curl_exec() prints the body itself and returns true, leaving a stray "1"
// in the output after the feed.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
?>
Following is the original discussion of the rssProxy.php script I presented prior to the April 2005 DreamHost change. It is interesting to note that the script which follows went to considerable lengths to minimize the security risk readfile() introduced. DreamHost (and I presume others too) dealt with the issue more decisively! However, if your web host does not support cURL and does permit readfile() on remote URLs (the allow_url_fopen setting), the original script (which the rest of this page discusses) should work fine.
Recall that on page Three of this tutorial I covered developing a PHP proxy script and mentioned the need for a more secure version. As we have completed the Flash movie we are at the point where we can conclude the tutorial by enhancing the proxy script.
I mentioned my reservations about the security provided by the HollowCube proxy at the gurusnetwork forum, and PHP guru DmS arrived at a version that is at least one notch more secure than anything I had.
The risk is that someone could too easily divert the proxy script to a URL of their choosing: the script fetches whatever it is handed and relays the result, and because readfile() also reads local paths, that includes files on your own server as well as remote scripts. One barrier to this hijacking is to inform the proxy script what the approved URLs are, have it compare the URL being requested against that list, and only read files whose URLs match an item in the approved list.
How can the proxy script get the approved list? One solution is that it can also load the feedList.xml file which was written for the Flash menu and extract the URLs from that. Following is the complete PHP proxy script:
<?php
//code credit DmS, www.dmsproject.com
$feedURL = $_POST['rss'];
$feedURL = trim($feedURL);
//verify that this request is okay
if(verifyLink($feedURL)) {
    //if it clears, proceed to read the remote document
    readfile($feedURL);
}

function verifyLink($requestedURL) {
    //locate the XML file containing the Flash menu data
    //if your XML file has a different name or location, modify $path
    $path = './feedList.xml';
    //start by assuming this request is a hoax
    $authorized = false;
    //use file() to populate an array with $path, line by line
    $approvedList = file($path);
    //loop through every item in $approvedList array
    foreach($approvedList as $url) {
        //using the $url enumerator, compare items in $approvedList
        //against the requested URL ($feedURL). If a match is found,
        //it's okay; otherwise don't permit the request
        if(strstr ($url, $requestedURL)) {
            $authorized = true;
            break;
        }
    }
    return $authorized;
}
?>
For the benefit of those who, like me, are somewhat mystified by PHP:
- file() reads the feedList.xml file into an array ($approvedList), one line per element.
- foreach is a simple and fast way of iterating (or looping) through every element of an array. It is a language construct rather than a function, and it works on arrays (and objects), not on plain strings. We declare an enumerator ($url) that holds the current line, and check it for a match with the requested URL in the next line.
- The strstr() function accepts two arguments: the "haystack", or what we want to search in (the current line from feedList.xml, held in $url), and the "needle", or what we want to search for (the URL being passed to the script). strstr() is case sensitive (thus a stricter comparison than stristr(), which is identical except that it is case insensitive). The function returns all of "haystack" from the first occurrence of "needle" to the end, or false if "needle" does not occur, and all we care about is whether the result is truthy. If it is, we have a match and it's okay to conclude this URL is in the approved list. If not, $authorized remains false and the script is not permitted to read whatever the URL points to. Be aware that this is a substring test, not an equality test: the requested value passes whenever it appears anywhere inside an approved line, so a fragment of an approved entry (a bare host name or file name, say) also clears the check. A stricter script extracts the URLs from the XML and compares the request against them for exact equality.
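The following is an added example, not the tutorial's own rssProxy.php nor DmS's code. It combines the two halves discussed on this page, the cURL fetch from the April 2005 update and the approved-list check from the original script, and tightens both: the list is matched for exact equality rather than with strstr(), and cURL is restricted to plain HTTP(S), no redirect following and bounded timeouts, with the body returned rather than echoed. The layout of feedList.xml is not shown on this page, so the example assumes nothing about it beyond treating any element text or attribute value beginning with http:// or https:// as an approved feed URL; the sample menu used by the command-line self-check is constructed here and is not the tutorial's real file.

```php
<?php
// Added example: cURL proxy with an exact-match allowlist built from the
// Flash menu's feedList.xml. Assumes PHP 7+ with the curl and simplexml
// extensions; feedList.xml sits next to this script.
declare(strict_types=1);

// Collect every http(s) URL from the menu XML. The menu layout is assumed,
// not taken from the tutorial: any element text or attribute value that
// starts with http:// or https:// counts as an approved feed URL.
function approvedUrlsFromXml(string $xml): array
{
    $doc = @simplexml_load_string($xml);
    if ($doc === false) {
        return [];
    }
    $urls = [];
    foreach ($doc->xpath('//*') ?: [] as $node) {
        $candidates = [trim((string) $node)];
        foreach ($node->attributes() as $attr) {
            $candidates[] = trim((string) $attr);
        }
        foreach ($candidates as $c) {
            if (preg_match('#^https?://#i', $c) === 1) {
                $urls[] = $c;
            }
        }
    }
    return array_values(array_unique($urls));
}

// Exact comparison: the request must equal an approved entry. A substring
// test (strstr($line, $requested)) would also accept any fragment of a line.
function isApprovedUrl(string $requested, array $approved): bool
{
    return in_array(trim($requested), $approved, true);
}

// Fetch with cURL: body returned (not printed), HTTP(S) only, no redirect
// following, bounded connect and total time. Returns false on any failure.
function fetchFeed(string $url)
{
    $ch = curl_init($url);
    if ($ch === false) {
        return false;
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_USERAGENT      => 'rssProxy/1.0',
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ($body === false || $status !== 200) ? false : $body;
}

if (PHP_SAPI !== 'cli') {
    // Web request: POST only, approved URL only, raw input never echoed back.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['rss'])) {
        http_response_code(405);
        exit;
    }
    $approved  = approvedUrlsFromXml((string) @file_get_contents(__DIR__ . '/feedList.xml'));
    $requested = trim((string) $_POST['rss']);
    if (!isApprovedUrl($requested, $approved)) {
        http_response_code(403);
        exit;
    }
    $body = fetchFeed($requested);
    if ($body === false) {
        http_response_code(502);
        exit;
    }
    header('Content-Type: application/xml; charset=utf-8');
    echo $body;
    exit;
}

// Command-line self-check against a constructed menu (not the real feedList.xml).
$sampleMenu = <<<XML
<?xml version="1.0"?>
<menu>
  <feed name="Alpha" url="http://example.com/alpha/rss.xml"/>
  <feed name="Beta"><url>https://feeds.example.org/beta.rss</url></feed>
</menu>
XML;
$approved = approvedUrlsFromXml($sampleMenu);
$checks = [
    [true,  'http://example.com/alpha/rss.xml'],
    [true,  'https://feeds.example.org/beta.rss'],
    [false, 'rss.xml'],                   // fragment of an approved line
    [false, 'http://example.com/alpha/'], // prefix of an approved entry
    [false, 'http://evil.example/x'],
];
foreach ($checks as [$expected, $url]) {
    if (isApprovedUrl($url, $approved) !== $expected) {
        fwrite(STDERR, "unexpected result for $url\n");
        exit(1);
    }
}
echo "allowlist checks passed\n";
```

Run it from the command line (php rssProxy.php) to exercise the allowlist against the constructed menu; deployed under a web server it only ever fetches a URL that appears verbatim in feedList.xml. Restricting CURLOPT_PROTOCOLS matters because cURL otherwise accepts file://, ftp:// and other schemes, and disabling CURLOPT_FOLLOWLOCATION keeps an approved site from redirecting the proxy somewhere that was never approved.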
To summarize this script, we can say that the requested URL will not be read unless it matches one existing in the menu list. And the protocol for addressing the proxy script is now POST. These changes mean you can't, for instance, mess with the proxy by typing the following directly into the address bar of your browser (a GET request, whose query string the script never reads):
www.someSite.com/rssProxy.php?rss=my_secret_password_list.txt
or
www.someSite.com/rssProxy.php?rss=www.reallybad.org/wreak_hav0k.php
Keep in mind that POST only rules out address-bar experiments; anyone can send a POST request with a tool such as curl, so the approved-list check, not the request method, is what actually protects the proxy. With that in place, that's reasonably good security, and on that note this tutorial concludes!
The final page of this tutorial wraps things up, provides links to a few Flash rss readers for inspiration and summarizes the resources used.