More DCR "theft" naughtiness 2003-12-11 - By Robert Tweed

----- Original Message -----
From: "duck" <ben@(protected)>

> ...
> However - it appears to still be possible to embed dcrs remotely, even if
> this check is performed, because of the html tag <BASE>
> ...
> Any ideas how to detect and prevent this method?

Hmm, interesting, although I've heard of it, I've never used the BASE tag, so I don't know a lot about it. The only thing I can think of right now, which I do not know for absolute certain whether it works or not, is using Apache mod_rewrite to redirect all your DCR files to a "this is stolen" DCR when the HTTP referer [sic] header does not come from your domain.
This is the one technique that has not yet been discussed on this list as far as I can remember, although I brought it up a while ago in one of the newsgroups. Unfortunately I did not follow it up at all, so I can't say for certain how effective it is.
I don't know of anyone who has actually tried it and all I did was look up the docs to see if it could be done in theory, which it can. I also don't know if the BASE tag causes similar problems with the referer header, although I suspect it does not. This is a far more complicated solution to set up, but should offer much more robust protection.
Ben, you'd probably be in the best position to try something like this, because mod_rewrite cannot be installed on shared hosting accounts unless it has already been installed by the HSP (which is highly unlikely). Since you have root on your own server, you can try installing it yourself. My own hosting is on a virtual server, so I don't actually know if I can install mod_rewrite on it or not, I haven't had a chance to try it (and didn't bother researching the method any further after the externalParam check technique was pointed out as it appeared to do the same thing).
Also, it /may/ be possible to emulate mod_rewrite with PHP - you could have a PHP file that returns the correct MIME headers for a DCR and includes either the real DCR or the stolen DCR, depending on the referer. However, Internet Explorer is notoriously bad at handling MIME types correctly if it does not recognise the file type, so I don't know if using a PHP file as the object src is a good idea. Still, you could also force Apache to associate .dcr files with PHP though very easily, however it seems like a potentially heavy-handed way to deal with the problem and could cause issues if you forget to put the PHP wrapper around any of your DCR files. One middle-ground solution might be to have a protected games directory that uses .htaccess to associate PHP with DCR, only in that directory. I might have a go at this solution myself later today if I get a chance.
- Robert
dirGames-L mailing list - dirGames-L@(protected) http://nuttybar.drama.uga.edu/mailman/listinfo/dirgames-l
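
The PHP wrapper idea described in the message above, as an added example that is not part of the original post: it sends the real movie only when the Referer host is one of the site's own, and the "this is stolen" movie otherwise. The domain, the `f` query parameter, the directory layout and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// Assumptions: placeholder domain, hypothetical file layout and names.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];
const MOVIE_DIR     = __DIR__ . '/movies';      // real DCRs, not linked to directly
const DECOY         = __DIR__ . '/stolen.dcr';  // the "this is stolen" movie

// True only when the Referer header names one of our own hosts.
function referer_is_local(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        // No header at all: treated as foreign here. This is the strict
        // choice; clients or proxies that strip Referer will get the decoy.
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    // Compare the parsed host exactly. A prefix or substring match would
    // also accept a host such as example.com.other.tld.
    return is_string($host)
        && in_array(strtolower($host), ALLOWED_HOSTS, true);
}

// Decide which file on disk to send for this request.
function pick_movie(string $requested, ?string $referer): string
{
    // basename() drops any directory part, so the name cannot leave MOVIE_DIR.
    $path = MOVIE_DIR . '/' . basename($requested);
    if (!referer_is_local($referer)
        || !preg_match('/\.dcr$/i', $path)
        || !is_file($path)) {
        return DECOY;
    }
    return $path;
}

$file = pick_movie($_GET['f'] ?? '', $_SERVER['HTTP_REFERER'] ?? null);

// Shockwave Director MIME type, so the plug-in is selected for the response.
header('Content-Type: application/x-director');
header('Content-Length: ' . filesize($file));
// The body depends on Referer, so shared caches must not reuse it blindly.
header('Vary: Referer');
header('Cache-Control: private');
readfile($file);
```

The Referer header is supplied by the client, so this check stops other sites from embedding the movie in ordinary browsers but does not stop someone who requests the file with a header of their choosing.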