Re: How to protect a php script that sends variables to itself

Actually, all sarcasm is appreciated ;)
At least I got a laugh.
I am learning/experimenting with ways to add DRM to movies.

Why:
My script, makeMoviePlaylist.php, is calling the script, brain.php, to build the movies to send to QuickTime. I wanted to prevent the user from directly accessing this 'brain' php script [located outside the web folder] by sending variables to the main php script, makeMoviePlaylist.php.

What happens when a movie is requested:
My movies ARE NOT accessed directly. They are located outside the web folder. To get each movie, the main php script, makeMoviePlaylist.php, is calling another php script, brain.php, located outside the web folder. This 'brain' script freads these movies directly into the QuickTime Plugin/Player.




The 'theory' is:
This succeeds:
The script, makeMoviePlaylist.php, is calling itself on the server with makeMoviePlaylist.php?cmd=getmovie&path=encrypted_path_to_the_movie. The script, makeMoviePlaylist.php, accepts the request because it originated from ITSELF on the server...

This fails:
This request was sent from OUTSIDE the server. The main script, makeMoviePlaylist.php, realizes that this request did not originate from itself on the server: http://www.myserver.scripts/makeMoviePlaylist.php?cmd=getmovie&path=encrypted_path_to_the_movie. So, if the user tried to access an individual movie by sending a url to the browser... the whole thing would fail... because the request was coming from the user's computer... not from the server.




Is this even possible?
My grasp of this is a bit shaky, so any help is appreciated.

g





On Oct 24, 2005, at 12:39 PM, Jochem Maas wrote:


...


Problem:
if the user does this:
curl -l -i "http://www.myserver/scripts/makeMoviePlaylist.php?cmd=makesmil"
From the above curl'd output, entering the below url into a browser will get the movie: http://www.myserver/scripts/makeMoviePlaylist.php?cmd=getmovie&path=wb1v2x9hApqFwTHhG5tSJlVp9bGi8glguo+gC565a5o=


that's what it's supposed to do, isn't it?
under what conditions is someone allowed to grab the movie?
and when are they not allowed?
why is it important that you control whether they use a browser,
a can opener or some microsoft software to download?


Is this possible to prevent? Or is there a better approach?


approach to what? what is your goal (what are the requirements)?



This stuff is making my head spin a bit...


not to worry, soon the walls will be closing in ;-)


I am learning aspects of security so any help is appreciated.
many thanks:)
g
This is the output from:
curl -l -i "http://www.myserver/scripts/makeMoviePlaylist.php?cmd=makesmil"
ETag: 253bd3c0260c47ad994857992e073682
Accept-Ranges: bytes
Content-Length: 5132
Content-Type: application/smil
<smil xmlns:qt="http://www.apple.com/quicktime/resources/smilextensions"
      qt:time-slider="true"
      qt:chapter-mode="clip"
      qt:immediate-instantiation="false"
      qt:autoplay="true">
<head>
  <meta name="base" content="http://www.myserver/scripts/" />
  <meta name="full-name" content="Commercial Reel 2005"/>
  <meta name="name" content="Commercial Reel 2005"/>
  <meta name="copyright" content="2005"/>
  <meta name="author" content="Graham Anderson"/>
  <layout>
    <root-layout id="main" title="Commercial Reel 2005" left="0" top="0" width="352" height="208" background-color="black"/>
    <region id="firsttrack" z-index="1" left="0" top="0" width="352" height="208" background-color="black" qt:attach-timebase="true" qt:immediate-instantiation="false" qt:autoplay="true" qt:time-slider="true" qt:chapter-mode="clip" />
    <region id="siren" z-index="1" left="0" top="0" width="352" height="208" fit="fill" background-color="black" qt:time-slider="true" qt:attach-timebase="true" qt:autoplay="true" qt:chapter-mode="clip" qt:immediate-instantiation="false" />
    <region id="drm" z-index="3" left="0" top="0" width="352" height="208" background-color="black" qt:attach-timebase="false" qt:immediate-instantiation="false" qt:autoplay="false" qt:time-slider="false"/>
  </layout>
</head>
<body>
<switch>
  <par system-bitrate="768000">
    <!--for T1 and faster-->
    <video src="makeMoviePlaylist.php?cmd=getmovie&path=zSbG5zDpCJiqc2mbIunOjkw35wn2Q+saBlJZbaXmYUI=" region="drm" duration="indefinite"/>
    <seq>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=wb1v2x9hApqFwTHhG5tSJlVp9bGi8glguo+gC565a5o=" region="firsttrack" qt:chapter="levis: crazy legs"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=wHvUoTrGxSW7C8uHjo7hHWLh9hJdvL0hVNx9hoUX3zM=" region="siren" qt:chapter="adidas: the game"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=pGUsQZ5nfQtuysSgiTdHyvHdoY1hyA+rio/tbM9sSsA=" region="siren" qt:chapter="boeing: freedom"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=saCzqVi4h08ikgSBUcLjUjwHxzh9DL5Wib0d0dKi3mo=" region="siren" qt:chapter="yamaha: mama said"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=MqOqXo89l9O012WsrvZIVHLKfZx6mo4fqCcez2GvKlA=" region="siren" qt:chapter="gmc: sliding roof"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=2j53xedyHmUM2uSxWlxg2LqDDk+b7/kkIDKigEdYdp0=" region="siren" qt:chapter="nokia: color adjustment"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=Um2ysEtdgslrEyYZNaPU/KJD6MfTSKXH/HRRqOwj5ug=" region="siren" qt:chapter="bmw: drive"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=gPx1sdVxgYRgjCmX0V6WDVqPG/crkySweYrY/tXkrU0=" region="siren" qt:chapter="guinness: taste"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=MajLzma9FRxXFuxYS9YwCuJtxCRIpkaMNDx3CMrXgyA=" region="siren" qt:chapter="apple: ellen feiss"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=LU/xHFq/8jHGfn2gWDPDycW9CaQW55gjzP4sTXvwrAg=" region="siren" qt:chapter="playstation: joan"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=ZmT4A6kfPIg7tFc6zUVYRznT89czwdXA9hjgn3Erehg=" region="siren" qt:chapter="pentax: hey"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=iUMIIycwZ0QzJVUtUI+N3glwgfAXPTgFq+mbmXS5vOo=" region="siren" qt:chapter="nike: dreams"/>
    </seq>
  </par>
  <par system-bitrate="512000">
    <!--56k modems-->
    <video src="makeMoviePlaylist.php?cmd=getmovie&path=zSbG5zDpCJiqc2mbIunOjkw35wn2Q+saBlJZbaXmYUI=" region="drm" duration="indefinite"/>
    <seq>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=5qRrKwWbemaOh5++SOgv5SRshkpGTuvW5cIyRN9EWQM=" region="firsttrack" qt:chapter="levis: crazy legs"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=FzWapZbGt1YkCGKiB+fmlGftup5K8nYl6yVUTG+l+7c=" region="siren" qt:chapter="adidas: the game"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=Q3gUP0pHVYYjsmCUn2PqMPTOwsqH/x4TbPJbwmEm9yc=" region="siren" qt:chapter="boeing: freedom"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=4OQkZQNgbKWnJcZKA0Dwu9blaufGr9nrMemtfykVNK8=" region="siren" qt:chapter="yamaha: mama said"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=SjXVxuW7miYu0djHcpXX2xSk/hpoxPnCmFhoiGJ2Zlc=" region="siren" qt:chapter="gmc: sliding roof"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=X3LbGKCtMcK5q3uhQpzEy4YNNaRwezXqS8qHx/KXC64=" region="siren" qt:chapter="nokia: color adjustment"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=EPCybK7ipcFMAhj7Lkejc+OWulQVwNDZlLA8sFDRFt0=" region="siren" qt:chapter="bmw: drive"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=R9+mtBsHiUiPvn5hw8PbcTVu9Zy5I7BnhPIeiT2wGPA=" region="siren" qt:chapter="guinness: taste"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=N/bnlupKzblackF+x4ZDedx8LyOn62vjGvI8uMBR648=" region="siren" qt:chapter="apple: ellen feiss"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=gy8lEzyB+hbyfZqgTEC/hwjJCuBSZObz2k1lkzl2x38=" region="siren" qt:chapter="playstation: joan"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=mnI7NPIv+UUdj9bjBXskipg40IBLjRdeDYDRepdMiBQ=" region="siren" qt:chapter="pentax: hey"/>
      <video src="makeMoviePlaylist.php?cmd=getmovie&path=c9crwb4Ss+xcups9lnvEg+TVX5Duf6+3jPNq3vciSnU=" region="siren" qt:chapter="nike: dreams"/>
    </seq>
  </par>
</switch>
</body>
</smil>
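The thread's "theory" (a request the server can tell apart from one sent by the user) cannot hold for this design: the SMIL playlist is fetched by the viewer's browser, and each getmovie URL inside it is then fetched by the QuickTime plugin on the viewer's machine, so every movie request arrives from the client. What a makeMoviePlaylist.php-style script can enforce is that the path token in each URL is unforgeable, short-lived, and resolves only to a file inside the movie directory. The sketch below is an added example, not code from the poster or from the thread; it swaps the message's unspecified "encrypted path" for an HMAC-signed token with an expiry, and $MOVIE_DIR, $SECRET, $TTL, the clip file names and PHP 5.6+ (for hash_equals) are assumptions.

```php
<?php
// Added example (not the list poster's code): HMAC-signed, expiring movie tokens for a
// makeMoviePlaylist.php-style "cmd=makesmil" / "cmd=getmovie&path=..." pair.
// Assumed settings, not from the original message: $MOVIE_DIR, $SECRET, $TTL, PHP >= 5.6.

$MOVIE_DIR = '/srv/movies';                              // outside the web folder (assumed)
$SECRET    = 'PLACEHOLDER-replace-with-32-random-bytes'; // keep outside the web root
$TTL       = 600;                                        // token lifetime in seconds

// Token = base64("<file>|<expiry>|<hmac-sha256 over file|expiry>"). File names must not contain '|'.
function make_movie_token($file, $expires, $secret) {
    $payload = $file . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload . '|' . $mac);
}

// Returns the bare file name if the token is authentic, unexpired and safe; null otherwise.
function verify_movie_token($token, $secret, $now) {
    $raw = base64_decode($token, true);               // strict: reject non-base64 input
    if ($raw === false) return null;
    $parts = explode('|', $raw);
    if (count($parts) !== 3) return null;
    list($file, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $file . '|' . $expires, $secret);
    if (!hash_equals($expected, $mac)) return null;   // constant-time comparison
    if (!ctype_digit($expires) || (int)$expires < $now) return null;
    // Only a plain file name is accepted: nothing that could walk out of $MOVIE_DIR.
    if ($file === '' || $file === '.' || $file === '..' || $file !== basename($file)) return null;
    return $file;
}

// Resolves a verified file name to a real path inside $movieDir, or null.
function resolve_movie($file, $movieDir) {
    $base = realpath($movieDir);
    $real = realpath($movieDir . '/' . $file);
    if ($base === false || $real === false || !is_file($real)) return null;
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) return null; // must stay under the movie dir
    return $real;
}

// One <video> element for the SMIL playlist. The token is URL-encoded because base64 uses
// '+', '/' and '=', and an unencoded '+' in a query string is decoded as a space; '&' is
// written as &amp; because the playlist is XML.
function video_element($file, $region, $chapter, $expires, $secret) {
    $url = 'makeMoviePlaylist.php?cmd=getmovie&amp;path='
         . rawurlencode(make_movie_token($file, $expires, $secret));
    return '<video src="' . $url . '" region="' . htmlspecialchars($region)
         . '" qt:chapter="' . htmlspecialchars($chapter) . '"/>';
}

$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : '';

if ($cmd === 'makesmil') {
    // Constructed sample clips (assumed file names); real code would list $MOVIE_DIR.
    $clips = array(
        array('levis_crazy_legs.mov', 'firsttrack', 'levis: crazy legs'),
        array('adidas_the_game.mov',  'siren',      'adidas: the game'),
    );
    $expires = time() + $TTL;
    header('Content-Type: application/smil');
    echo "<smil><body><seq>\n";
    foreach ($clips as $c) {
        echo '  ' . video_element($c[0], $c[1], $c[2], $expires, $SECRET) . "\n";
    }
    echo "</seq></body></smil>\n";
} elseif ($cmd === 'getmovie') {
    $token = isset($_GET['path']) ? $_GET['path'] : '';   // PHP has already URL-decoded it
    $file  = verify_movie_token($token, $SECRET, time());
    $real  = ($file === null) ? null : resolve_movie($file, $MOVIE_DIR);
    if ($real === null) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    header('Content-Type: video/quicktime');
    header('Content-Length: ' . filesize($real));
    readfile($real);   // stream the file from outside the web folder, as the poster's brain.php does
} else {
    header('HTTP/1.1 400 Bad Request');
}
```

The expiry bounds how long a URL copied out of the playlist keeps working, and the HMAC stops anyone from minting a path for a file the playlist never offered; neither distinguishes the QuickTime plugin from curl or a browser, which is the point behind Jochem's questions above. Note that the poster's own SMIL output embeds the base64 values with a bare '+', '/' and '&', so any '+' in those tokens reaches PHP as a space unless the value is URL-encoded as above.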


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

