You probably already know of it, but I feel obliged to point out TinyURL which does exactly what you're trying to do.
That said, there really aren't many technical problems that can arise, aside from the obvious infinite redirection one you describe. The bigger problems will be political -- people hiding spam, porn or malicious sites behind your URLs, people creating 'amusing' URLs pointing to somewhere they think is funny, and so on.
Have a look at the Wikipedia entry for TinyURL to get an idea of the problems they've encountered.
Instead of trying to think of the "Dangerous" scenarios, try and think of how you can write it without there being any risk to yourself regardless of any security holes / bugs.
Might not solve all of the problems you end up coming across but is a much better way of avoiding problems.
Write it to avoid behavior that would be caused by security holes. In the case of your example, if you get more than x number of requests from the same IP in X time period.
Thinking along these lines will eliminate more threats than trying to block them up front.
Many of the dangers in a service like this are not as dangerous to you as to the users of your service. If you do a search for TinyURL and security you'll find a lot of things like this:
http://www.readwriteweb.com/archives/tinyurl_being_used_to_bypass_safe_browsing_filters.php
I would do a lot of research on TinyURL and Bit.ly to see how they've addressed these issues.
As far as your own application goes, all of the standard best practices apply. Validate input, insert safely into your database, etc.
You could always check to see if it comes from your service.
And if you are worried about it being a TinyURL to your tinier URL, you can always follow the link and if it ever ends up back at your site, kill it.
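Putting together the two defensive checks the answers above suggest (the per-IP limit of x requests in X time, and following a submitted link to see whether it ever ends up back at your own site), as an added example that is not code from any of the posters: it assumes the shortener lives at the hostname `sho.rt` and uses a constructed redirect map in place of live HTTP requests.

```python
from collections import deque
from urllib.parse import urlparse

OUR_HOST = "sho.rt"  # assumed hostname of the shortener itself
MAX_HOPS = 5         # bound on how long a redirect chain we will follow

# Constructed redirect map standing in for live HTTP requests:
# url -> Location header of a 3xx response (absent means a final 200 page).
REDIRECTS = {
    "http://tinyurl.example/abc": "http://sho.rt/xyz",   # shortener-of-a-shortener
    "http://hop1.example/": "http://hop2.example/",
    "http://hop2.example/": "http://example.org/final",
}

def resolve(url):
    """Stand-in for an HTTP client: return the next Location, or None."""
    return REDIRECTS.get(url)

def validate_target(url, resolver=resolve):
    """Return None if `url` may be shortened, else a rejection reason.
    Rejects non-http(s) schemes, direct self-references, and redirect chains
    that come back to our host (the 'TinyURL to your tinier URL' case)."""
    seen = set()
    current = url
    for _ in range(MAX_HOPS + 1):
        parsed = urlparse(current)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            return "unsupported scheme or missing host"
        if parsed.hostname == OUR_HOST:
            return "points back to this service (redirect loop)"
        if current in seen:
            return "redirect cycle at target"
        seen.add(current)
        nxt = resolver(current)
        if nxt is None:
            return None  # chain terminated at a real page
        current = nxt
    return "redirect chain too long"

class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per IP."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = {}  # ip -> deque of request timestamps (seconds)

    def allow(self, ip, now):
        q = self.hits.setdefault(ip, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```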