What are the security implications of the clientaccesspolicy proxy workaround?

Posted 2024-08-26 03:23:47


I wanted to use published GoogleDocs documents and twitter tweets as the datasource of a Silverlight application but ran into clientaccesspolicy issues.

I read many articles like this and this about how difficult it is to get around the clientaccesspolicy issue.

So I wrote this CURL script and put it on my PHP site and now I can get the text of any GoogleDocs document and twitter feed into my Silverlight application:

<?php
// Target URL comes from the query string of the proxy request.
$url = filter_input(INPUT_GET, 'url',FILTER_SANITIZE_STRING);

// Only URLs that start with one of these prefixes are fetched.
$validUrls[] = "http://docs.google.com";
$validUrls[] = "http://twitter.com/statuses/user_timeline";

if(beginsWithOneOfThese($url, $validUrls)) {
  $user_agent = 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)';
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie");
  curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cookie");
  curl_setopt($ch, CURLOPT_URL, $url );
  curl_setopt($ch, CURLOPT_FAILONERROR, 1);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);   // do not follow redirects
  curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);    // return the body instead of printing it
  curl_setopt($ch, CURLOPT_TIMEOUT, 15);
  curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
  curl_setopt($ch, CURLOPT_VERBOSE, 0);
  echo curl_exec($ch);                           // relay the fetched body to the Silverlight client
} else
  echo "invalid url";

// True if $main starts with any of the given prefixes.
function beginsWithOneOfThese($main, $prefixes) {
  foreach($prefixes as $prefix) {
    if(beginsWith($main, $prefix))
      return true;
  }
  return false;
}

// True if $prefix occurs at position 0 of $main.
function beginsWith($main, $prefix) {
    return strpos($main, $prefix) === 0;
}

?>

So it makes me wonder:

  • Why is there so much discussion about whether or not URLs support clientaccesspolicy, since you just have to write a simple proxy script and get the information through it?
  • Why aren't there services, e.g. like the URL shortening services, which supply this functionality?
  • What are the security implications of having a script like this?


Comments (1)

蘑菇王子 2024-09-02 03:23:47


While you might think that a proxy gives you the same capabilities as having the client make the request, it doesn't. More specifically, you won't have the client's cookies/credentials for the target site, and in some cases, a client can reach the target site but your proxy can't (e.g. Intranet).

http://blogs.msdn.com/ieinternals/archive/2009/08/28/Explaining-Same-Origin-Policy-Part-1-Deny-Read.aspx explains Same Origin Policy at some length.

In terms of the security implications for your proxy-- well, that depends on whether you have access control on that. If not, a bad guy could use your proxy to hide his tracks as he hacks sites or downloads illegal content.
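To make the answer's point about access control concrete for the script in the question, here is an added example (not code from the question or the answer) that puts the script's prefix test next to a check that parses the URL and compares its parts. The host names and paths in the sample inputs are constructed for the demonstration, and allowing https:// alongside http:// is an assumption of the example.

```php
<?php
// Added example, not code from the question or the answer. Sample inputs are
// constructed; accepting https:// as well as http:// is an assumption.

// The test used by the proxy script, with the same behaviour: the string
// merely has to start with one of the prefixes.
function beginsWithOneOfThesePrefixes(string $main, array $prefixes): bool {
    foreach ($prefixes as $prefix) {
        if (strpos($main, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// Stricter test. $allowed maps an exact host name to the path prefix that
// may be fetched from that host.
function isAllowedProxyTarget(string $url, array $allowed): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // cURL speaks many schemes (file://, ftp://, ...); the proxy needs only HTTP(S).
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "user@host" and explicit ports are never needed for these public feeds,
    // so refuse them rather than reason about how each server treats them.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    if (!array_key_exists($host, $allowed)) {
        return false;   // exact host match only; a longer name is a different host
    }
    $path   = $parts['path'] ?? '/';
    $prefix = $allowed[$host];
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || strpos($path, '..') !== false) {
        return false;
    }
    return true;
}

// The prefixes from the question, and the equivalent host/path allow-list.
$prefixes = ['http://docs.google.com', 'http://twitter.com/statuses/user_timeline'];
$allowed  = ['docs.google.com' => '/', 'twitter.com' => '/statuses/user_timeline'];

// Constructed sample inputs.
$samples = [
    'http://docs.google.com/Doc?id=example',                  // intended use
    'http://docs.google.com.example.net/Doc',                 // starts with the prefix, different host
    'http://docs.google.com@example.net/Doc',                 // starts with the prefix, host is example.net
    'https://docs.google.com/Doc?id=example',                 // same document over HTTPS
    'http://twitter.com/statuses/user_timeline/example.json', // intended use
];

foreach ($samples as $url) {
    printf("%-58s prefix test: %-5s  strict test: %s\n",
        $url,
        beginsWithOneOfThesePrefixes($url, $prefixes) ? 'allow' : 'deny',
        isAllowedProxyTarget($url, $allowed) ? 'allow' : 'deny');
}
```

Run from the command line, the two middle inputs pass the prefix test and fail the strict one, which is the difference between "the string starts with an allowed text" and "the request goes to an allowed host". Two further points follow from the answer: the script's `CURLOPT_FOLLOWLOCATION, 0` is worth keeping, because a followed redirect would fetch a URL the allow-list never saw; and the allow-list limits where the proxy can fetch from, not who may use it, so the endpoint should additionally be tied to the application's own login session or another form of access control, with request logging so that use of the proxy can be attributed.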
