On Sat, Apr 02, 2005 at 11:16:36PM +1200, zcat wrote:
> There's probably a better way of doing this (and I intend to use
> snowdrop rather than wrjpgcom eventually) but here's what I have so far,
> which seems to work!!
>
> Comments?
>
> .htaccess:
> ReWriteEngine On
> ReWriteRule \.jpg watermark.php

First off, I'd suggest:

RewriteEngine on
RewriteRule \.jpg$ watermark.php [L]

...just to clean it up a bit.

Second, I assume that this:

> watermark.php
> <?php
> header("Content-type: image/jpg");
> $ip = $_SERVER['REMOTE_ADDR'];
> $img = $_SERVER['REQUEST_URI'];
> passthru("wrjpgcom -comment \"downloaded from
> http://zcat.wired.net.nz/ by $i
> ?>

...got truncated when you pasted it in, since '$img' (and a closing paren
for the passthru() function) is missing.

I've not delved too deeply into testing this, but you're passing
$_SERVER['REQUEST_URI'], which is user-supplied (read: untrusted) data,
to an external program, which is specifically warned against in the
passthru() documentation
(http://us3.php.net/manual/en/function.passthru.php).

That documentation has recommendations for how to deal with untrusted
data; another possibility would be to pass $img through a regex to
ensure that only allowed characters are passed. [a-zA-Z0-9-\.] would be
a decent starting point, although it may not be complete, depending on
the filenames you're using.

--n

-- 
<huey> dd of=/dev/fd0 if=/dev/flippy bs=1024
<huey> ^^^ Making Flippy Floppy
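
The two mitigations mentioned in the reply above (an allowlist regex on the file name, and escaping every shell argument as the passthru() documentation recommends), shown together as an added example that is not part of the original thread. IMAGE_DIR, resolve_image() and the comment text are assumptions made for illustration; wrjpgcom is assumed to be on PATH and to write the commented JPEG to stdout.

```php
<?php
// Added example, not the poster's script.
// Assumption: the protected images live in one directory (hypothetical path).
const IMAGE_DIR = '/var/www/images';

// Map an untrusted REQUEST_URI to a file inside $baseDir, or return null.
function resolve_image(string $requestUri, string $baseDir): ?string
{
    // REQUEST_URI carries the query string too; keep only the path part.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }

    // Percent-decode first, then keep only the last path component.
    $name = basename(rawurldecode($path));

    // Allowlist built on the character class suggested in the reply,
    // anchored at both ends. The first character must be alphanumeric, so
    // the name can be neither a dotfile nor something that looks like a
    // command-line option.
    if (!preg_match('/\A[a-zA-Z0-9][a-zA-Z0-9.-]*\.jpg\z/', $name)) {
        return null;
    }

    // The file must exist and must resolve (symlinks included) under $baseDir.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

$file = resolve_image($_SERVER['REQUEST_URI'] ?? '', IMAGE_DIR);
if ($file === null) {
    http_response_code(404);
    exit;
}

// Constructed comment text; the original string was truncated in the post.
$comment = 'downloaded by ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown');

header('Content-Type: image/jpeg');
// Every value interpolated into the command line goes through escapeshellarg().
passthru('wrjpgcom -comment ' . escapeshellarg($comment) . ' ' . escapeshellarg($file));
```

The allowlist rejects the request before any shell is involved; escapeshellarg() stays in place as a second layer in case the allowlist is loosened later.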