Topic: Questions to the Administrator (Read 99104 times)

Re: Questions to the Administrator

Reply #150
Oops.
No, this I just wanted to sharpen my apprehension of the conceptual structurality. (What did I just say? ???)

Re: Questions to the Administrator

Reply #151
From a user perspective, probably something as close to:
Code:
[video user-params]URL[/video]

as possible, it makes it easy to do by hand, copy/paste URL, wrap it in video markup and done (user parameters should be optional, possibly disallowed).

The problem is on the server side. Before I joined Opera (and in the first years thereafter), I was a great fan of the object element, it slices, it dices. Now, not so much. It easily becomes a headache. If you allow a user to insert an object, it could be anything, especially if the parser is lax.

The SkyscraperCity approach (above) is user unfriendly in that the video tag is hidden and it only allows the poster to enter a Youtube ID, which I haven't checked, but seems to match [a-zA-Z0-9_-] with a typical length of 10 characters (would be reasonable to assume 6-16 characters). Anything else wouldn't be a Youtube ID. However they have several different URL syntaxes for the same ID. A script could be friendly to allow URL syntaxes, but only if they explicitly follow those syntaxes. As you may remember My Opera only allows one (the old v=...), and not the one that Google promotes for sharing.

So I would either recommend using an existing script that is regularly checked for exploits by competent people, or using one which allows as little as possible (and only safe strings).



Re: Questions to the Administrator

Reply #154
......It supports these two styles of links....


Very good. I'm glad you made accommodation for both styles.
It's easier for me because I make some of my own videos on youtube, & that will cut out initial url conversion.

[VIDEO]http://www.youtube.com/watch?v=dpWEv9Q0XQ4 [/VIDEO]




Re: Questions to the Administrator

Reply #155
[video]https://youtu.be/Q8y8Yab9vlQ[/video]
[video]http://blackhat.com/tag/you/are/it[/video]
[video]http://youtu.be/">[/video]

Seems fine (though you also support the https scheme).

Re: Questions to the Administrator

Reply #156
The actual range of URLs from which a YouTube ID will be successfully extracted is a bit larger and more forgiving. For instance, it'll also work without any protocol or without www, but let's call that undocumented functionality. ;)

Re: Questions to the Administrator

Reply #157
Better than My Opera (which breaks on https:). Relative/absolute URLs are no security issue (assuming your expectation of what a relative URL will resolve to isn't completely out of kilter), everything is based on resolved absolute URLs anyway.

As long as no untoward code can be injected in the published code, it's OK.

Re: Questions to the Administrator

Reply #158
Since characters &, ", and > are explicitly excluded, the worst that should be able to happen is that someone posts a video that doesn't actually work. Like you said the alternative is to explicitly include certain characters only, along the lines of [a-zA-Z0-9_-]{6,16}, but I figure that's less future-proof.

Some other potentially useful options:

  • HTML5: URL ends in .webm; perhaps instead or in addition something like [video=html5]http://url[/video]. Is this problematic on account of hotlinking? There's also the obvious [audio] counterpart.
  • Vimeo: Seems to have decent videos.
  • Metacafe: I'm not sure.


My Opera supports several others I've never heard of.

Re: Questions to the Administrator

Reply #159
I think it is always a healthier approach to whitelist (list what you allow) rather than blacklist (list what you don't allow). Future-proof in my book is to proof against future exploits, not to proof against future syntax changes. Both will come, but the former is more devastating. (OTOH the latter could be more work intensive if there are a lot of syntax changes.) As long as the next script in the chain knows what it can get from the previous and behaves appropriately, it should work out, but if what it can expect is anything, there could be a lot of things to consider.

E.g. the null byte \0 terminates strings, is a syntax error in XML, and in HTML as well. There is a class of exploits appending \0 where you don't expect it, e.g. inside a URL. With a little luck it could interrupt the script parsing the URL and dump the rest of the string after \0 unchanged. This is probably OK, but what about the next exploit we haven't thought of?

Re: Questions to the Administrator

Reply #160
As an aside, \w is the same as a-zA-Z0-9_. So if your description of YouTube IDs is correct, it'd suffice (although be potentially less clear) to write [\w-]{6,16}.

Anyway, the Simple Machines people seem to consider the automatic encoding and such sufficiently secure. That is, there seems little point in having the video code more secure than the image code, although I do like the suggested change to the regex.


Re: Questions to the Administrator

Reply #162
Video in itself should be safe, at least on the weekdays Adobe Flash doesn't have an exploit. The 'video' tag should thus be safer than 'iframe' which should be safer than 'object' (which is usually implemented as iframe++). (In principle 'video' shouldn't be worse than 'img'.) All these tags are safe in themselves (unless you mind that they are enabling a GET request outside your domain, but then again, so does [img]), but the scope for trouble if something goes wrong is greater.

Re: Questions to the Administrator

Reply #163
Just to be clear, the iframe is constructed as
Code:
<iframe src="//www.youtube.com/embed/>>>extracted YouTube ID goes here<<<">

The img is constructed as
Code:
<img src="basically anything that starts with http(s)://">


In both cases something like urlencode is used to further secure the entered data.

Anyway, what I mean is that unless I'm mistaken, either YouTube will 404 or you'll have "><script>evilFunction();</script> regardless of whether someone tried to use IMG or VIDEO. That being said, I'll exchange the relevant part of the regex with [\w-]{6,16} just in case.

Any opinions on Vimeo or other sites?
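As an added example (not code from this forum or from the SMF software it runs on), here is how the [video] and [img] handling discussed in the last few replies could be written in Python: the YouTube ID is extracted from the two supported link styles (watch?v= and youtu.be/), checked against the proposed allowlist [\w-]{6,16}, and only then placed in the iframe; the [img] path accepts any http(s) URL and relies on attribute escaping. A blocklist check (reject only &, " and >) sits beside the allowlist check so the difference on a null byte, an over-long or non-ASCII string can be seen directly. The host names, the function names, the use of html.escape in place of the forum's "something like urlencode", and the constructed test inputs are all assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist proposed in the thread: [\w-]{6,16}. re.ASCII keeps \w at [a-zA-Z0-9_].
YOUTUBE_ID_RE = re.compile(r"[\w-]{6,16}", re.ASCII)

# Hosts for the two accepted link styles (assumed from the thread's examples).
WATCH_HOSTS = {"youtube.com", "www.youtube.com"}
SHORT_HOSTS = {"youtu.be"}

# The thread's original rule: only these three characters are rejected.
BLOCKLIST_CHARS = set('&">')


def passes_blocklist(video_id):
    """Blocklist check: anything not containing &, " or > is accepted."""
    return not (BLOCKLIST_CHARS & set(video_id))


def passes_allowlist(video_id):
    """Allowlist check: the whole string must match [\\w-]{6,16}."""
    return YOUTUBE_ID_RE.fullmatch(video_id) is not None


def extract_youtube_id(url):
    """Return the video ID from a watch?v= or youtu.be/ URL, or None.

    Scheme and "www." are optional (the 'undocumented' leniency mentioned in
    the thread), but the host must still be a known YouTube host and the ID
    must pass the allowlist; a stray '">' or a null byte therefore fails.
    """
    candidate = url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname or ""  # urlsplit lower-cases the host
    video_id = None
    if host in WATCH_HOSTS and parts.path == "/watch":
        video_id = parse_qs(parts.query).get("v", [None])[0]
    elif host in SHORT_HOSTS:
        video_id = parts.path.lstrip("/")
    if video_id is None or not passes_allowlist(video_id):
        return None
    return video_id


def render_video(url):
    """Build the iframe from the thread; returns None when no valid ID was found."""
    video_id = extract_youtube_id(url)
    if video_id is None:
        return None
    # The ID already matched the allowlist, so escaping here is belt and braces.
    return '<iframe src="//www.youtube.com/embed/%s"></iframe>' % html.escape(video_id, quote=True)


def render_img(url):
    """The [img] case: any http(s) URL is accepted, so attribute escaping is
    what stops a '">' inside the URL from closing the src attribute."""
    candidate = url.strip()
    if not re.match(r"https?://", candidate, re.IGNORECASE):
        return None
    return '<img src="%s">' % html.escape(candidate, quote=True)


if __name__ == "__main__":
    # Constructed inputs, taken from the test links posted in the thread plus
    # a null byte and a non-ASCII string to show where the two checks differ.
    for link in ("http://www.youtube.com/watch?v=dpWEv9Q0XQ4 ",
                 "https://youtu.be/Q8y8Yab9vlQ",
                 "youtu.be/Q8y8Yab9vlQ",
                 "http://blackhat.com/tag/you/are/it",
                 'http://youtu.be/">'):
        print("%-45r -> %r" % (link, render_video(link)))
    for candidate in ("dpWEv9Q0XQ4", "Q8y8Yab9vlQ\x00", "abc", "ünicode", '">'):
        print("%-20r blocklist=%-5s allowlist=%s" % (
            candidate, passes_blocklist(candidate), passes_allowlist(candidate)))
    print(render_img('http://example.invalid/a.png">'))
```

The point of the side-by-side checks is the one made in Reply #159: the blocklist accepts the null-byte string, the three-character string and the non-ASCII string because none of them contain &, " or >, while the allowlist rejects all three and only ever lets through what the downstream iframe is known to cope with.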

Re: Questions to the Administrator

Reply #164
I'm sorry for so many questions, even if far fewer than Josh's posts, what is the My Bookmarks thing for?
Does anyone want to bookmark something at DnD?? my posts? rjhowie's? what?

KISS. :)
A matter of attitude.

Re: Questions to the Administrator

Reply #165
Bookmarks = Greatest thing since sliced bread for keeping an eye on threads you take part in, similar to 'Subscriptions' in MyOpera.

Bookmarks is my base 'Homepage' in DnD.

If there was any recent activity on any of my bookmarked threads, I can click on the 'New' icon, & I'm teleported to that 'newest' thread post just like the 'Envelope' icon did in the 'Subscriptions' page in MyOpera.

Re: Questions to the Administrator

Reply #166
Bookmarks = Greatest thing since sliced bread for keeping an eye on threads you take part in, similar to 'Subscriptions' in MyOpera.

Well... I like to see threads I take part in and threads I haven't posted in but I'm curious about.
Sometimes I even prefer the threads I never posted in...

Thanks anyway, I'll use it for a couple threads I have in mind.
A matter of attitude.

Re: Questions to the Administrator

Reply #167
I like to see threads I take part in and threads I haven't posted in but I'm curious about.
Sometimes I even prefer the threads I never posted in...


Ditto ....... I do exactly the same, but for those I search the forums manually, & if one of those excites me, I bookmark it.

If in time the interest wanes, I'll just remove it from my bookmark page .... it's so simple & easy .... & if during a future manual search I again want to follow its activity, I can just re-instate it on my bookmarks page at my pleasure.


Re: Re: 21st century architecture

Reply #169
I regularly receive links to fairly interesting Vimeo videos, albeit the performance impact seems worse than YouTube.

Re: Questions to the Administrator

Reply #170

I regularly receive links to fairly interesting Vimeo videos, albeit the performance impact seems worse than YouTube.


@Frenzie

Just for our (my) information, what is the actual impact/breakdown on the system for say a {video}{/video} tagged 3mb youtube video in one of our posts?

Does the system get bagged for the 3mb video, just the size of the visible image, or both?

Also, what is the forum performance impact, if any?

Naturally the tagging uses different brackets, but as you know the actual tag can't be displayed outside of a CODE tag.

Thanks



Re: Questions to the Administrator

Reply #173
Just for our (my) information, what is the actual impact/breakdown on the system for say a {video}{/video} tagged 3mb youtube video in one of our posts?

Does the system get bagged for the 3mb video, just the size of the visible image, or both?

In both cases there's a bunch of JS, a Flash player, and a screenshot. So at least the first time it should use something like three to five times as much bandwidth as a simple screenshot, but I imagine every part of that except the differing screenshot will be cached.

I was just talking about playing the video. :) Vimeo uses more CPU for me.

Also, what is the forum performance impact, if any?

Probably negligible.

Re: Questions to the Administrator

Reply #174

In both cases there's a bunch of JS, a Flash player, and a screenshot. So at least the first time it should use something like three to five times as much bandwidth as a simple screenshot, but I imagine every part of that except the differing screenshot will be cached.


Thanks for the info