FastDL Script
So this is a script I came up with to avoid messing with fastdl content. Though I wonder if it's safe enough to use, and if there are any possible improvements that could be made to it. [url]https://github.com/edgarasf123/php-fastdl[/url]
Do not do it this way - and this is why: Source Engine has been trying to make a whitelist system that couldn't be bypassed, it took 9+ years until it got to where it is today in gmod (which still might have exploits to bypass it). Unless you are ready for you to lose all of your system files or even lua files I would suggest you do the standard method of fastdl.
[QUOTE=edgarasf123;50638754]So this is a script I came up with to avoid messing with fastdl content. Though I wonder if it's safe enough to use, and if there are any possible improvements that could be made to it. [url]https://github.com/edgarasf123/php-fastdl[/url][/QUOTE] I would use [URL="http://php.net/manual/en/function.http-response-code.php"]http_response_code[/URL] as well as modifying the header
[QUOTE=MeepDarknessM;50638862]Do not do it this way - and this is why: Source Engine has been trying to make a whitelist system that couldn't be bypassed, it took 9+ years until it got to where it is today in gmod (which still might have exploits to bypass it). Unless you are ready for you to lose all of your system files or even lua files I would suggest you do the standard method of fastdl.[/QUOTE] I don't think they've been "trying", I think they just ignored it. Otherwise they'd have implemented a faster protocol, without requiring an http server. For games like CSS, it's not custom content heavy so it wasn't on their priority list. Regardless, I've been trying to make this as safe as I can. I use realpath() to check if files exist and where they exist, and I doubt it should be possible to get any files outside content directories.
giving a website read access to your server is a terrible idea. an exploit in your site can now become an exploit in your server.
this script makes no sense, just use normal web-dl it works fine for me if you can drag and drop your addons into a folder and use sv_downloadurl lmao
[QUOTE=Lunaversity;50641659]this script makes no sense, just use normal web-dl it works fine for me if you can drag and drop your addons into a folder and use sv_downloadurl lmao[/QUOTE] You also have to bzip if you want players to download stuff faster, which is a hassle when you have tons of files.
[QUOTE=edgarasf123;50641725]You also have to bzip if you want players to download stuff faster, which is a hassle when you have tons of files.[/QUOTE] define faster, cause I've never seen a darkrp server download any faster than my internet can go
[QUOTE=Lunaversity;50641739]define faster, cause I've never seen a darkrp server download any faster than my internet can go[/QUOTE] [IMG]http://i.imgur.com/ZGie1sg.png[/IMG] ~1 second to download gm_flatgrass.bsp.bz2 with 10MB/s download speed. ~4 seconds to download gm_flatgrass.bsp with 10MB/s download speed. Plus it gives less strain on my server.
[QUOTE=Lunaversity;50641739]define faster, cause I've never seen a darkrp server download any faster than my internet can go[/QUOTE] Server owners need to assume all of their players are on DSL connections with 200KB/sec download [i]max[/i]. Far more people have slow internet connections vs. 1Gbit fiber. [editline]3rd July 2016[/editline] There literally is no reason not to bzip stuff
[IMG]http://i.imgur.com/J9FnP9S.png[/IMG] downloads fine for me
[QUOTE=edgarasf123;50641774][IMG]http://i.imgur.com/ZGie1sg.png[/IMG] ~1 second to download gm_flatgrass.bsp.bz2 with 10MB/s download speed. ~4 seconds to download gm_flatgrass.bsp with 10MB/s download speed. Plus it gives less strain on my server.[/QUOTE] Why would you put a map on your FastDL that comes with Gmod natively?
[QUOTE=The Commander;50642256]Why would you put a map on your FastDL that comes with Gmod natively?[/QUOTE] Because I used it as an example.
[QUOTE=edgarasf123;50641523]I don't think they've been "trying", I think they just ignored it. [/QUOTE] You are acting like Valve and Facepunch don't care if there are exploits in their games that could potentially lead to backdooring an os install. It doesn't matter if you think it cannot be bypassed, because it will be if it is. It's not about if, it's about when. Just use the normal method of bzipping files manually. It's not that bad and it certainly will not be as easy to hack into your server as it is bypassing your php script.
It really isn't hard, there's plenty of scripts out there that'll recursively bzip directories (plus delete the non-bzip version). I used to have a temp folder on my computer where I'd drop all of my custom content, run the script, and upload it all. Maybe five minutes of my time depending on which server it was and how many maps.
[QUOTE=MeepDarknessM;50643672]You are acting like Valve and Facepunch don't care if there are exploits in their games that could potentially lead to backdooring an os install. It doesn't matter if you think it cannot be bypassed, because it will be if it is. It's not about if, it's about when. Just use the normal method of bzipping files manually. It's not that bad and it certainly will not be as easy to hack into your server as it is bypassing your php script.[/QUOTE] I do think they care about backdoors (though it took them several years to patch the file upload exploit), but what I meant is that they haven't updated the upload script since CS 1.6, which downloads stuff at 20KB/s through the game server. Because none of their games requires users to download massive amounts of files as gmod does, they didn't have a need to upgrade their script. As for possible backdoors, any addon [B]could[/B] contain a backdoor (especially from SF). So by your logic you shouldn't install any addons to a server. [QUOTE=Banana Lord.;50644332]It really isn't hard, there's plenty of scripts out there that'll recursively bzip directories (plus delete the non-bzip version). I used to have a temp folder on my computer where I'd drop all of my custom content, run the script, and upload it all. Maybe five minutes of my time depending on which server it was and how many maps.[/QUOTE] Which is fine, but it is still an extra task which can be fully automated.
[QUOTE=edgarasf123;50644522]Which is fine, but it is still an extra task which can be fully automated.[/QUOTE] It sure can, but letting the client request files via GET parameters is a terrible way to go about it. No one is arguing that you have a good idea here, the problem is your execution violates like the biggest rule in programming, never trust the user. You're opening up another point of attack for people.
[QUOTE=Banana Lord.;50645065]It sure can, but letting the client request files via GET parameters is a terrible way to go about it. No one is arguing that you have a good idea here, the problem is your execution violates like the biggest rule in programming, never trust the user. You're opening up another point of attack for people.[/QUOTE] I'm not trusting the user input though, I do check if requested files are located in specific directories (materials, sounds, models, etc.), so even using stuff like /../ (traversal attack) it wouldn't be possible to get files outside those directories. It's a somewhat similar issue to using user input with sql queries: if you escape the input, it's not an issue.
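The containment check argued over in the posts above (realpath() plus a directory allowlist), as an added example that is not part of the thread and is not the php-fastdl code. The function name, the directory and extension allowlists, and the sample file names are assumptions made for the illustration; it shows the two places such a check usually goes wrong: a bare prefix comparison, and a path that stays inside the root but lands in a directory that was never meant to be served.

```php
<?php
// Added illustration, not code from php-fastdl. Both allowlists are assumptions.
const ALLOWED_DIRS = ['maps', 'materials', 'models', 'sound'];
const ALLOWED_EXT  = ['bsp', 'vmt', 'vtf', 'mdl', 'wav', 'mp3'];
// Returns the canonical path if $request may be served from $root, else null.
function resolve_content(string $root, string $request): ?string
{
    $root = realpath($root);
    if ($root === false || strpos($request, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; false means no such file.
    $real = realpath($root . DIRECTORY_SEPARATOR . $request);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the root plus a trailing separator: a bare prefix test
    // on ".../content" would also accept ".../content_private/secret.bsp".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // The first component below the root must be an allowlisted directory.
    $parts = explode(DIRECTORY_SEPARATOR, substr($real, strlen($prefix)));
    if (count($parts) < 2 || !in_array($parts[0], ALLOWED_DIRS, true)) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $real : null;
}

// Constructed sample tree in a temp directory so the checks run offline.
$base = sys_get_temp_dir() . '/fastdl_demo_' . bin2hex(random_bytes(4));
mkdir("$base/content/maps", 0700, true);
mkdir("$base/content/lua", 0700, true);
mkdir("$base/content_private", 0700, true);
file_put_contents("$base/content/maps/gm_example.bsp", 'x');
file_put_contents("$base/content/lua/init.lua", 'x');
file_put_contents("$base/content_private/secret.bsp", 'x');
$cases = [
    'maps/gm_example.bsp'                   => true,  // allowed directory and type
    'maps/../../content_private/secret.bsp' => false, // resolves outside the root
    'maps/../lua/init.lua'                  => false, // inside root, not allowlisted
    'maps/missing.bsp'                      => false, // realpath() returns false
];
foreach ($cases as $req => $expected) {
    $ok = resolve_content("$base/content", $req) !== null;
    printf("%-40s %s\n", $req, $ok === $expected ? 'as expected' : 'UNEXPECTED');
}
```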