
Add URL validation to userBanner & profilePic editProfile.php #16

Open. Wants to merge 1 commit into base: main

Conversation

@VertyyBird commented Oct 19, 2024

First checks whether the submitted URL is in an image format. Then, if it is, it uses curl to get the HTTP headers of the URL and rejects it if the response code is anything besides 200.

This should fix the privacy issue I raised in #15

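An added example, not code from the pull request or from Chirp, of how the two checks described above (image extension, then a curl HEAD request that must return 200) can be put together in PHP. The function names, the extension list, the https-only rule and the private-address check are this example's own choices; the last one is a caveat beyond the PR: once the server fetches an attacker-chosen URL, it should refuse hosts that resolve to loopback, private or reserved ranges, or the validation itself becomes a way to make the server reach internal addresses.

```php
<?php
// Added example (not Chirp's code): validate a user-supplied image URL before
// storing it as a profile picture or banner. Function names, the extension
// list and the private-address check are this example's own assumptions.

declare(strict_types=1);

const ALLOWED_IMAGE_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'webp'];

// Step 1: the URL path must end in an image extension (query string ignored).
function hasImageExtension(string $url): bool
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true);
}

// Caveat beyond the PR: the server is about to fetch an attacker-chosen URL,
// so refuse hosts that resolve to loopback, private or reserved ranges.
// gethostbynamel() only returns A records; AAAA-only hosts are rejected here.
function isPubliclyRoutableHost(string $host): bool
{
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        $public = filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($public === false) {
            return false;
        }
    }
    return true;
}

// Step 2: HEAD request. Anything other than 200 (including redirects, which
// are deliberately not followed) is a rejection. Returns null on a transport error.
function fetchStatusCode(string $url): ?int
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,            // HEAD: headers only
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no file://, gopher://, ...
    ]);
    $result = curl_exec($ch);
    $code = $result === false ? null : (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $code;
}

// Entry point. $statusCodeOf is injectable so the decision logic can be
// exercised without sending any request.
function validateImageUrl(string $url, ?callable $statusCodeOf = null): bool
{
    $statusCodeOf ??= 'fetchStatusCode';
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return false;
    }
    if (!hasImageExtension($url)) {
        return false;
    }
    if (!isPubliclyRoutableHost($parts['host'])) {
        return false;
    }
    return $statusCodeOf($url) === 200;
}

// Usage with constructed inputs and a fake fetcher (no HEAD request is sent;
// the host check still does a DNS lookup for hosts that are not IP literals).
$alwaysOk = fn(string $u): int => 200;
foreach ([
    'https://example.com/avatar.png',   // passes every local check
    'https://example.com/avatar.php',   // not an image extension
    'http://example.com/avatar.png',    // plain http is refused
    'https://127.0.0.1/avatar.png',     // loopback: the server would hit itself
    'https://10.0.0.5/avatar.png',      // private range
] as $candidate) {
    printf("%-36s %s\n", $candidate, validateImageUrl($candidate, $alwaysOk) ? 'accept' : 'reject');
}
```

Two design notes. The host is resolved once here and then again by curl, so a DNS name that changes its answer between the two lookups can slip past the range check; pinning the checked address with CURLOPT_RESOLVE closes that gap. And this gate only decides which URLs are stored: a host that answers 200 for an image still receives every viewer's request when the browser loads it, so the logging described later in this thread is only avoided if the server fetches and serves the image itself.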
@Pinball3D (Contributor)

This could be used to get @actuallyaridan's IP address because he hosts the server on a computer at his house. Maybe not a huge deal, but it's possible.

@VertyyBird (Author)

That, plus just anyone who sees my profile. For example, just from this test, I can see that my profile pic got 94 loads and my banner got 15. Which is cool because I can roughly see the ratio of post views to profile views. But on the other hand, I can see the IP, OS, Browser, etc of all those loads.

For the minimal amount of computation to do these checks to prevent this, I think it's worth it.

@Pinball3D (Contributor)

> That, plus just anyone who sees my profile. For example, just from this test, I can see that my profile pic got 94 loads and my banner got 15. Which is cool because I can roughly see the ratio of post views to profile views. But on the other hand, I can see the IP, OS, Browser, etc of all those loads.
>
> For the minimal amount of computation to do these checks to prevent this, I think it's worth it.

No, that wasn't what I was saying. Someone could put in a link, and since all links are loaded on Chirp's server, his IP would be leaked. No matter if there are redirects etc.

@VertyyBird (Author) commented Oct 20, 2024

Ohhhh I see what you mean. That's a possibility, but that info is already public since the DNS records for the site already expose his IP. If he wants to be more paranoid about it, he could always run the curl commands through a VPN.

Which he might be doing already since the IP for his domains lead to a datacentre, so it wouldn't really matter if someone grabs the machine's IP using this validation method.

@actuallyaridan (Owner)

I do NOT host Chirp on a computer in my house, I’ve said like 19 times now that Chirp is hosted on a server in Germany.
