php curl vs browser

littlejam

Joined: 2010-06-04
Posts: 6
Posted: Wed, 2010-06-23 07:56

Hello,

when I'm trying to access a gallery file with curl I get a security violation error...
curl.php:

<?php
// URL copied straight from the browser, including the session id (GALLERYSID)
$fileurl = "http://example.com/main.php?g2_view=core.DownloadItem&g2_itemId=1234&g2_serialNumber=2&g2_GALLERYSID=12345678901234567890123456789012";
$ch = curl_init();

// set url
curl_setopt($ch, CURLOPT_URL, $fileurl);

// connect and dump result to screen
curl_exec($ch);

// close curl resource to free up system resources
curl_close($ch);
?>

Running the script results in the following error:

Type 	Gallery Error
Location 	http://example.com/main.php?g2_view=core.DownloadItem&g2_itemId=1234&g2_serialNumber=2&g2_GALLERYSID=12345678901234567890123456789012
User Id 	5
Client 	123.123.123.123
Zusammenfassung 	user id: 5 doesn't have permission: core.viewSource for item id: 1234
Referer 	null
Details 	 Error (ERROR_MISSING_OBJECT, ERROR_PERMISSION_DENIED) : user id: 5 doesn't have permission: core.viewSource for item id: 1234 in modules/core/classes/helpers/GalleryUserHelper_simple.class at line 47 (GalleryCoreApi::error) 
in modules/core/classes/GalleryCoreApi.class at line 550 (GalleryUserHelper_simple::assertHasItemPermission) 
in modules/core/DownloadItem.inc at line 222 (GalleryCoreApi::assertHasItemPermission) 
in modules/core/DownloadItem.inc at line 84 (DownloadItemView::_assertPermissions) 
in main.php at line 450 (DownloadItemView::renderImmediate) 
in main.php at line 104
in main.php at line 88

Request variables: Array
(
    [view] => core.DownloadItem
    [itemId] => 1234
    [serialNumber] => 2
    [GALLERYSID] => 12345678901234567890123456789012
)

However, the exact same URL entered in a browser window results in downloading the correct file, including the correct filename and file size.

The curl command also works with unprotected files, so this might be a security issue.
User ID 5 is the guest user; in this case it should have been the admin user.
I've already tried different approaches with setting cookies for GALLERYSID, but nothing has worked so far.

Can someone point me in the right direction?

Greets
littlejam

 
alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Wed, 2010-06-23 08:33
Quote:
Can someone point me in the right direction?

Yes.

The SID refers to a session, and is only valid temporarily, and for a given browser/IP address combo. In this case your SID isn't valid for that request. SIDs are not transferable. G2 is designed to be queried by browsers which maintain the session via the cookie (which is the normal way for the SID to be returned) and not by things like curl. You can't copy a SID from a browser URL and expect it to work anywhere else.

 
suprsidr
suprsidr's picture

Joined: 2005-04-17
Posts: 8339
Posted: Wed, 2010-06-23 11:06

You can view gallery items externally using the ImageBlock module as well as my mediaBlock.
An example of curl usage w/ mediaBlock here.

You can also embed Gallery2 into your site with my easy embed tool.

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2

 
alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Wed, 2010-06-23 11:12

@suprsidr: does ImageBlock/curl work for images that require a login/password to view? The core.DownloadView method will also work, if images are not protected.

 
littlejam

Joined: 2010-06-04
Posts: 6
Posted: Wed, 2010-06-23 11:17
alecmyers wrote:
The SID refers to a session, and is only valid temporarily, and for a given browser/IP address combo. In this case your SID isn't valid for that request. SIDs are not transferable. G2 is designed to be queried by browsers which maintain the session via the cookie (which is the normal way for the SID to be returned) and not by things like curl. You can't copy a SID from a browser URL and expect it to work anywhere else.

Thanks for the quick answer.

If I can't use the SID for my curl request, then how can I do it otherwise?

The idea is to enable progressive streaming with flash files in G2.
It already works with files that are world-accessible.
My hope is to make it work also with protected files without any hacks around the G2 security system.

Greets
littlejam

 
suprsidr
suprsidr's picture

Joined: 2005-04-17
Posts: 8339
Posted: Wed, 2010-06-23 11:21

I actually have a file that was for streaming flv based on xmoov if you are interested.

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2

 
alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Wed, 2010-06-23 11:27
Quote:
My hope is to make it work also with protected files without any hacks around the G2 security system.

If you think about it, you'll see that's going to be tricky, as a matter of definition. The G2 security system is built to prevent access to files to other than browser sessions with authenticated credentials as a user for whom permissions allow access to that file - that's what it does. How then could you have anonymous streaming of a protected file? If you could, it wouldn't be protected.

 
littlejam

Joined: 2010-06-04
Posts: 6
Posted: Wed, 2010-06-23 11:51

Thanks suprsidr, I'll have a look into it.
How do I use it?

alecmyers wrote:
If you think about it, you'll see that's going to be tricky, as a matter of definition. The G2 security system is built to prevent access to files to other than browser sessions with authenticated credentials as a user for whom permissions allow access to that file - that's what it does. How then could you have anonymous streaming of a protected file? If you could, it wouldn't be protected.

Yes you are right with that.

Maybe suprsidr's approach is the better one.
I'll try to add seeking capability.

greets
littlejam

 
suprsidr
suprsidr's picture

Joined: 2005-04-17
Posts: 8339
Posted: Wed, 2010-06-23 12:00

Place it in your gallery's root directory,
point your flash video player to yoursite.com/gallery2/mediaStreamer.php?g2_itemId=150
where 150 is the id of your flv.

at one time I had variables for pseudo streaming scrubbing/queuing but lost interest and removed them.

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2

 
littlejam

Joined: 2010-06-04
Posts: 6
Posted: Wed, 2010-06-30 12:27

Ok, seeking is now possible.
However, there is no security at this point, so there is some more coding that has to be done.
I'm crawling through the g2-api for the right calls. Hints are welcome ;-)

The script works with JWPlayer (v. 4.5).
It must be placed into the modules/flashvideo/lib directory of G2.
The flashvars should look something like this...

there would be some code inside this if the spamfilter would accept it :-(

type=http
streamer=url to mediaStreamer.php
file=g2_itemId.g2_serialNumber.g2_GALLERYSID

It is important that the file parameter consists of more than the g2_itemId (more precisely: more than only numbers), otherwise JWPlayer throws an error which can only be avoided by changing and recompiling the player itself.
I added g2_serialNumber and g2_GALLERYSID, divided by dots; at the moment these serve no other purpose than preventing JWPlayer from failing.

<?php
// +---------------------------------------------------------------------------+
// | mediaStreamer.php [v.0.1]                                                 |
// +---------------------------------------------------------------------------+
// | Copyright (C) 2009 Wayne Patterson [suprsidr@flashyourweb.com]            |
// +---------------------------------------------------------------------------+
// |                                                                           |
// | This program is free software; you can redistribute it and/or             |
// | modify it under the terms of the GNU General Public License               |
// | as published by the Free Software Foundation; either version 2            |
// | of the License, or (at your option) any later version.                    |
// |                                                                           |
// | This program is distributed in the hope that it will be useful,           |
// | but WITHOUT ANY WARRANTY; without even the implied warranty of            |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             |
// | GNU General Public License for more details.                              |
// |                                                                           |
// | You should have received a copy of the GNU General Public License         |
// | along with this program; if not, write to the Free Software Foundation,   |
// | Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.           |
// |                                                                           |
// +---------------------------------------------------------------------------+
// TODO:

    /* Connect to gallery */
    function init() {
        require_once ('../../../embed.php');
        $ret = GalleryEmbed::init();
        if ($ret) {
            print 'GalleryEmbed::init failed, here is the error message: '.$ret->getAsHtml();
            exit;
        }
        GalleryEmbed::done();
    }

    function flvStream($item) {
        global $gallery;
        list ($ret, $parent) = GalleryCoreApi::loadEntitiesById($item->parentId, 'GalleryItem');
        if ($ret) {
            print 'Error loading parent, here is the error message: '.$ret->getAsHtml();
            exit;
        }
        list ($ret, $startPath) = $parent->fetchPath();
        if ($ret) {
            print 'Error fetching startPath, here is the error message: '.$ret->getAsHtml();
            exit;
        }
        $fileName = $item->getPathComponent();
        $file = $startPath.$fileName;

        if ($item->getMimeType() != 'video/x-flv') {
            print 'Wrong mimeType';
            exit;
        }

        $fh = fopen($file, 'rb') or die ('<b>ERROR:</b> could not open ('.$fileName.')');
        $fileSize = filesize($file);

        // seek offset requested by the player: must be an integer inside the file,
        // anything else falls back to the start of the clip
        $start = isset($_REQUEST['start']) ? (int) $_REQUEST['start'] : 0;
        if ($start < 0 || $start >= $fileSize) {
            $start = 0;
        }

        // when seeking, a 13-byte FLV file header is prepended to the data,
        // so Content-Length has to include it
        $headerSize = ($start != 0) ? 13 : 0;

        header("Content-Type: video/x-flv");
        header("Content-Disposition: attachment; filename=\"".$fileName."\"");
        header("Content-Length: ".($headerSize + $fileSize - $start));

        // FLV file format header
        if ($start != 0) {
            print('FLV');
            print(pack('C', 1));
            print(pack('C', 1));
            print(pack('N', 9));
            print(pack('N', 9));
        }

        // seek to requested file position and stream the rest in chunks
        fseek($fh, $start);
        while (!feof($fh)) {
            print(fread($fh, 8192));
        }
        fclose($fh);
    }

    // JWPlayer "file" flashvar: g2_itemId.g2_serialNumber.g2_GALLERYSID
    if (isset($_REQUEST['file'])) {
        list($file, $g2_serialNumber, $g2_GALLERYSID) = array_pad(explode('.', $_REQUEST['file']), 3, null);
        $_REQUEST['g2_itemId'] = $file;
    }

    init();

    if (isset($_REQUEST['g2_itemId'])) {
        list ($ret, $item) = GalleryCoreApi::loadEntitiesById((int) $_REQUEST['g2_itemId'], 'GalleryMovieItem');
        if ($ret) {
            print "Error loading initial item:".$_REQUEST['g2_itemId'].":".$ret->getAsHtml();
            exit;
        }
        flvStream($item);
    }

?>

 
suprsidr
suprsidr's picture

Joined: 2005-04-17
Posts: 8339
Posted: Wed, 2010-06-30 12:01

Yup, I originally had the seek in there, but found not one of my videos has the proper keyframes, even ones I encoded w/ Adobe's media encoder, so I lost interest.
I left out permissions for a specific app I built, but the following should work before we bother loading the item:

    init();
    if (isset($_REQUEST['g2_itemId'])) {
        /* Make sure we have permission to view this item */
        $ret = GalleryCoreApi::assertHasItemPermission($_REQUEST['g2_itemId'], 'core.viewSource');
        if ($ret) {
            print "Permissions Error for item: ".$_REQUEST['g2_itemId'].":".$ret->getAsHtml();
            exit;
        }
        list($ret, $item) = GalleryCoreApi::loadEntitiesById($_REQUEST['g2_itemId'], 'GalleryMovieItem');
        if ($ret) {
            print "Error loading initial item:".$_REQUEST['g2_itemId'].":".$ret->getAsHtml();
            exit;
        }
        flvStream($item);
    }

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2
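A hardened version of the two pieces of the streamer that matter for security, as an added example and not suprsidr's or littlejam's code: parsing the `file` flashvar, validating the seek offset with a Content-Length that counts the synthetic FLV header, and the core.viewSource gate in front of the stream. The names parseFileParam, planFlvRange and streamProtectedFlv are assumed; it targets PHP 7.1+ and writes the header values from the FLV spec (flags for audio and video, PreviousTagSize0 = 0) rather than the ones in the script above.

```php
<?php
// Added example, not the thread's script. Assumed names: parseFileParam, planFlvRange, streamProtectedFlv.

// Parse the JWPlayer "file" flashvar ("itemId.serialNumber.sid") and keep
// only the item id, which must be a positive integer.
function parseFileParam(string $fileParam): ?int {
    $id = explode('.', $fileParam, 2)[0];
    if ($id === '' || !ctype_digit($id) || $id === '0') {
        return null;                            // "", "abc", "12abc", "0" are rejected
    }
    return (int) $id;
}

// Decide what to send for a seek request: the byte offset to read from, the
// synthetic FLV header (empty when not seeking) and the exact Content-Length.
// Returns null when "start" is not an integer inside the file.
function planFlvRange(int $fileSize, $startParam): ?array {
    $startParam = (string) $startParam;
    if ($startParam === '' || !ctype_digit($startParam)) {
        return null;
    }
    $start = (int) $startParam;
    if ($start >= $fileSize) {
        return null;                            // seek past EOF: refuse instead of sending an empty body
    }
    $header = '';
    if ($start > 0) {
        // 13-byte FLV file header: "FLV", version 1, flags (bit 0 video, bit 2
        // audio), DataOffset 9, then PreviousTagSize0, which the spec fixes at 0
        $header = 'FLV' . pack('C', 1) . pack('C', 5) . pack('N', 9) . pack('N', 0);
    }
    return ['offset' => $start, 'header' => $header,
            'length' => strlen($header) + ($fileSize - $start)];
}

// Stream the item only after Gallery has confirmed core.viewSource for the
// current session (a failed check returns an error object, as in the thread).
function streamProtectedFlv(int $itemId, string $path, $startParam): void {
    $ret = GalleryCoreApi::assertHasItemPermission($itemId, 'core.viewSource');
    if ($ret) { http_response_code(403); exit; }
    $plan = planFlvRange(filesize($path), $startParam);
    if ($plan === null) { http_response_code(400); exit; }
    header('Content-Type: video/x-flv');
    header('Content-Length: ' . $plan['length']);
    $fh = fopen($path, 'rb');
    fseek($fh, $plan['offset']);
    echo $plan['header'];
    while (!feof($fh)) { echo fread($fh, 8192); }
    fclose($fh);
}
```

The permission check runs before the item is loaded or the file opened, so a guest session asking for a protected item gets a 403 and no bytes, which is the behaviour the browser-vs-curl error at the top of the thread was enforcing.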

 
littlejam

Joined: 2010-06-04
Posts: 6
Posted: Wed, 2010-06-30 12:23

Thanks a lot suprsidr.
The script works now as expected :-D

suprsidr wrote:
Yup, I originally had the seek in there, but found not one of my videos has the proper keyframes even ones I encoded w/ Adobe's media encoder - so I lost interest.

You might wish to read this...
http://www.orlandmedia.com/blog/adobe-flash/choosing-a-flash-video-format-for-pseudostreaming/

It only works well and simply with .flv files.
Even if you encode with AME you have to insert the metadata with another tool.
I used flvtool2.exe

flvtool2.exe -U C:\myclip.flv

This adds the metadata.
After that you can upload the file into g2 and seek to any point in the clip.

Greets

 
suprsidr
suprsidr's picture

Joined: 2005-04-17
Posts: 8339
Posted: Wed, 2010-06-30 12:38

I may play with this again; I had added the necessary seek functionality to my E2 player.
If you send me your working copy w/ FlashVideoRenderer.class I'll update my mediaStreamer download w/ your updates for anyone else who is interested.

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2