Re: "tinyurl" url masking

From: Laurian Gridinoc (laurian_at_gmail.com)
Date: 09/13/05

  • Next message: A A: "Re: MS05-039" 
    Date: Tue, 13 Sep 2005 02:54:07 +0300
To: Lincoln Yeoh <lyeoh@pop.jaring.my>

    Hello,

    On 9/10/05, Lincoln Yeoh <lyeoh@pop.jaring.my> wrote:
    > Background:
    > A number of sites allow minimally controlled 3rd parties to post links to
    > images which other 3rd parties can view, and the only filtering used is
    > some pattern matching to ensure that a url has the "correct" extension.

    Wrong approach, URLs are opaque, the application should send a HEAD
    request to the URL in order to get a mime type and validate it.
     
    > However such filtering has problems if the "image" url actually redirects
    > to a url to a target site that does some naughty stuff.

    Two cases,

    1. mime type mismatch -- if you have an <img src="foo.jpg"> and at
    the src URL you get anything but not image/* mime type, the browser
    would not render anything, nor redirect you there -- Netscape
    Communicator had some issues with this.

    2. triggering unwanted actions by URL, as you pointed out:

    > http://tinyurl.com/aqxq8/foo.jpg
    > Goes to
    > http://mail.google.com/mail/?logout&test=/foo.jpg
    > Which seems to log one out of google mail :).

    Which shows that Gmail (which I use to write this email) is badly
    designed, logout should be used via a POST only...

    And here let's blame cookies again... if the session would be in the
    URL, you won't be able to guess the session id of your target...
     
    > Some url shortening pages send a metarefresh page instead, which helps
    > prevent them being abused in this way, but of course it means users of such
    > services have to wait or make an additional click.
     
    And the metarefresh is intended for user-agents that know or expect text/html.
     
    The issue is interesting, there are a lot of webapplications that
    break the semantics of GET, and a lot of other webapplications allow
    displaying images from other domains... what to fix?

    I think that it would be easier to fix the issue in the browser, to
    have browsers not use cookies over a redirect? (thinking only at
    session related scenarios)

    Cheers, 

    -- 
Laurian Gridinoc, www.grapefruit.ro
  • Next message: A A: "Re: MS05-039"

    Relevant Pages

    • Re: Do we really need "look at my pictures" updates here?
      ... group, but an equipment group. ... What is welcome is to post links to images related to an equipment issue. ... photos, plenty of room here for a few links to photos. ...
      (rec.photo.digital.slr-systems)
    • Re: Trying to find a lost family in 1901 and 1911 census
      ... Since Judy sent images it was appropriate for her to ... or upload the images to photobucket and post links to them on the ... JUDY ELKINGTON ...
      (soc.genealogy.britain)
    • Re: Thank you all very much.
      ... Don't post links on Usenet? ... Use thumbnails rather than large images. ... screen shot a word processing program so the users can read the word ... It can help the user out by not making him wait for the images to load ...
      (rec.woodworking)
    • Re: Do we really need "look at my pictures" updates here?
      ... group, but an equipment group. ... Just posting images for images sake is somewhat, ... for example if a certain individual who avoids posting altogether would post links to his images they would be particularly welcome. ...
      (rec.photo.digital.slr-systems)
    • FS: Collins SC-101 and 68Y-1
      ... I have many images available, which I will send to seriously interested ... parties. ... Prefer not to ship, can meet buyer within 200 miles of Hartford, CT. ...
      (rec.radio.amateur.boatanchors)