Images from FTP sites

Started by mrapples, March 21, 2006, 02:29:58 AM

mrapples

Is there a reason why ftp is omitted as an accepted protocol for the img tag?

I have a user who wanted to post images from his ftp, and I don't see any security risk there.

thanks

Dannii

I don't think you can actually link to FTP images directly.. I've never seen it done.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

H

Quote from: eldacar on March 21, 2006, 03:09:37 AM
I don't think you can actually link to FTP images directly.. I've never seen it done.

Indeed. http / ftp protocols really don't mix mainly because of the FTP authentication ;)

If you own the server you could set up a low memory webserver such as lighttpd just to serve images from the ftp server
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)

mrapples

Well, it's not an issue of it working or not; you can directly link to images using the protocol, and I have it working. I just wanted to know if there was a security reason or something similar that caused it to be left out.

kegobeer

I've never seen the FTP protocol used for serving images.  Can you post a link using the FTP protocol?
"The truth of the matter is that you always know the right thing to do. The hard part is doing it." - Norman Schwarzkopf
Posting and you (Click "WATCH THIS MOVIE")

mrapples

Certainly.

hxxp:www.whatsinyourbox.org/index.php/topic,2017.0.html [nonactive]

H

Wow. I thought all ftp links had to include the username and password (even for the anonymous user!)

Looks like I am wrong ;)
-H

mrapples

I believe in the server configuration you can specify if anonymous read transactions require a username and password, and I think write transactions always require authentication.

kegobeer

Most people do not allow completely anonymous FTP access to a site, especially without any type of username/password.  This is the first time I've ever seen someone serving images using a file transfer protocol instead of a hypertext transfer protocol.  I would suggest that the developers never thought anyone would actually use said protocol to serve files, images, etc, so it was omitted from the bbcode function.

I would strongly advise against using FTP to serve images.  I was able to explore all of the files and directories hosted on the FTP account.  It's usually not a good idea to let total strangers have complete read access to all of your directories.  With HTTP, you have to guess at file names, and you can stop people from browsing the directory by uploading a blank index.html file.
"The truth of the matter is that you always know the right thing to do. The hard part is doing it." - Norman Schwarzkopf
Posting and you (Click "WATCH THIS MOVIE")
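
The protocol allowlist this thread is about, sketched as an added example (not SMF's code and not from any poster here): an `[img]` URL is accepted only if its scheme is on the list, it names a host, and it carries no embedded username or password. The function names, the allowlist contents and the example.org hosts are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Assumption: schemes a forum accepts inside [img]; ftp is deliberately absent.
ALLOWED_SCHEMES = frozenset({"http", "https"})
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def check_img_url(url, allowed=ALLOWED_SCHEMES):
    """Return (ok, reason) for the URL found inside one [img]...[/img] pair."""
    url = url.strip()
    if not url or re.search(r'[\x00-\x20\x7f"<>]', url):
        return False, "empty or contains whitespace/control/markup characters"
    try:
        parts = urlsplit(url)
        parts.port  # property access raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in allowed:  # urlsplit lowercases the scheme
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "embedded credentials"
    return True, "ok"


def render_img_tags(post, allowed=ALLOWED_SCHEMES):
    """Emit <img> for accepted URLs; rejected tags stay as inert escaped text."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(post):
        out.append(html.escape(post[pos:m.start()]))
        url = m.group(1).strip()
        if check_img_url(url, allowed)[0]:
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        else:
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(post[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample post; example.org hosts are placeholders.
    sample = ("ok: [img]https://example.org/a.png[/img] "
              "ftp: [img]ftp://ftp.example.org/pub/b.png[/img]")
    print(render_img_tags(sample))
```

Passing a wider `allowed` set is the equivalent of the local modification discussed in this thread; the credential and host checks still apply to whatever schemes are added.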

mrapples

I am aware of this, and I believe the user is as well.

kegobeer

You hacked the code to allow it, but I don't think it's something the developers will change in future releases.
