Hi,
I'm testing each feature of the web services but there might be a huge flaw inside the get($code) of getting manialinks.
This is a way for hackers to get data from other manialinks.
A good example is the manialink of intr and oliverde8.
If I follow the link of intr it will only show me code from manialib, and the manialink from oliverde8 will show me a default XML message, but by showing the source code I can completely "copy" his/her manialink.
I think it is not right to show a manialink's url only to the respective owner.
GetManialinks
Moderator: NADEO
- w1lla
- Posts: 2287
- Joined: 15 Jun 2010, 11:09
- Manialink: maniaplanetblog
- Location: Netherlands
- Contact:
GetManialinks
TM² Info
SM Info
QM Info
OS: Windows 10 x64 Professional
MB: MSI 970A-G46
Processor: AMD FX-6300 3500 mHz
RAM Memory: 16 GB DDR3
Video: SAPPHIRE DUAL-X R9 280X 3GB GDDR5
KB: Logitech G510s
Mouse: Logitech G300s
Mode Creation
ManiaScript Docs
-
- Nadeo
- Posts: 585
- Joined: 14 Jun 2010, 16:15
- Manialink: maniahome
- Location: In front of your hood with one lap late
Re: GetManialinks
This feature is already public 
But for your manialinks a tip is better, look to the User-Agent, and display nothing if the User-Agent is not GameBox

Also known as: satanasdiabolo
Re: GetManialinks
On a side note (with what Farfa said), you can still bypass the User-Agent with the User Agent Firefox plugin. Install it, add a new agent; call it GameBox and you're good to go. And I just did this with the ManiaLib demo.
It would be nice if the URL was removed, but don't forget there are also manialinks which use absolute URLs by design.

Mania Exchange - Share your maps!
ASUS Maximus IV GENE Z / i7 2600K 3.40Ghz QC / 16GB G.Skill Ripjaws DDR3 / GTX 560 Ti
Need technical help for ManiaPlanet? Click here.

Re: GetManialinks
There's no point in removing the URL because it's already public. The user-agent stuff is more for user-friendly-ness than security, since there's no security whatsoever : just like you can get the HTML code of a webpage, you can get the XML code of a Manialink page.
Please do not PM for support. Instead, create a thread so that everyone can contribute or benefit from the answer! 

Re: GetManialinks
Fair point, alrighty then. 

Mania Exchange - Share your maps!
ASUS Maximus IV GENE Z / i7 2600K 3.40Ghz QC / 16GB G.Skill Ripjaws DDR3 / GTX 560 Ti
Need technical help for ManiaPlanet? Click here.

- w1lla
- Posts: 2287
- Joined: 15 Jun 2010, 11:09
- Manialink: maniaplanetblog
- Location: Netherlands
- Contact:
Re: GetManialinks
Well or designers make a reroute just like it's done in manialib when other people are trying to access the url.
TM² Info
SM Info
QM Info
OS: Windows 10 x64 Professional
MB: MSI 970A-G46
Processor: AMD FX-6300 3500 mHz
RAM Memory: 16 GB DDR3
Video: SAPPHIRE DUAL-X R9 280X 3GB GDDR5
KB: Logitech G510s
Mouse: Logitech G300s
Mode Creation
ManiaScript Docs
Re: GetManialinks
w1lla wrote: Well or designers make a reroute just like it's done in manialib when other people are trying to access the url.
In ManiaLib, we do a User-Agent based check to redirect the user that uses a browser:
http://code.google.com/p/manialib/sourc ... ck.php#120 (line 120).
But this was done more for user-friendliness (if you type the URL in your browser you have a page with a TMTP link instead of a weird XML page) than for security (because there's no security).
Even with that you can easily get the XML code of a page if you do a request with an overridden user-agent, with simple tools such as https://chrome.google.com/webstore/deta ... bgofnpcjmb
Please do not PM for support. Instead, create a thread so that everyone can contribute or benefit from the answer! 

- destroflyer
- Posts: 123
- Joined: 16 Jun 2010, 22:17
- Manialink: mlstudio
- Contact:
Re: GetManialinks
I've just seen this, too... Maybe you could allow only a few users access to the URLs?
Because I'm sure, this would ruin all manialinks with costs - It would be a five-minute-work to create a script that downloads all maniacode-stuff for free...
(Example: http://www.mania-community.de/showthrea ... #post18644)
I don't know, if this is a good idea - But if it's already public, there's no other way...
Re: GetManialinks
gouxim wrote:There's no point in removing the URL because it's already public. The user-agent stuff is more for user-friendly-ness than security, since there's no security whatsoever : just like you can get the HTML code of a webpage, you can get the XML code of a Manialink page.
Please do not PM for support. Instead, create a thread so that everyone can contribute or benefit from the answer! 
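
The point made in the replies above, as an added example that is not ManiaLib code and not part of any post: the User-Agent test only chooses which page to present, so anything that must stay restricted has to be decided from state the server itself holds. The session store, the token, the page name and the XML strings are hypothetical and constructed for illustration; how a token would reach the server is assumed and not shown.

```php
<?php
// Added example, not ManiaLib code. Names, XML and the session store are constructed.

const GAME_AGENT = 'GameBox';   // the string the thread says the game client sends

/** Presentation choice only: the header is set by whoever makes the request. */
function looksLikeGameClient(array $headers): bool
{
    return stripos($headers['User-Agent'] ?? '', GAME_AGENT) !== false;
}

/**
 * Hypothetical entitlement check: the decision uses state the server holds
 * (a session token it issued, mapped to what that player has paid for).
 */
function mayView(array $sessions, ?string $token, string $page): bool
{
    return $token !== null
        && isset($sessions[$token])
        && in_array($page, $sessions[$token]['paid'], true);
}

function respond(array $headers, ?string $token, string $page, array $sessions): array
{
    if (!looksLikeGameClient($headers)) {
        // Browser visitor: friendly landing page instead of raw XML.
        return [200, '<html><body>Open this manialink in the game.</body></html>'];
    }
    if (!mayView($sessions, $token, $page)) {
        return [403, '<manialink><label text="Not purchased"/></manialink>'];
    }
    return [200, '<manialink><label text="Paid content"/></manialink>'];
}

// Constructed sample data.
$sessions = ['tok-123' => ['login' => 'player1', 'paid' => ['premium']]];

$requests = [
    'browser'                 => [['User-Agent' => 'Mozilla/5.0'], null],
    'GameBox UA, no session'  => [['User-Agent' => 'GameBox'], null],
    'GameBox UA, paid player' => [['User-Agent' => 'GameBox'], 'tok-123'],
];

foreach ($requests as $label => [$headers, $token]) {
    [$status, $body] = respond($headers, $token, 'premium', $sessions);
    printf("%-24s %d %s\n", $label, $status, $body);
}
```

The second request carries the GameBox string but no server-issued session, so it gets the refusal page; the header changes what is presented, never what is released.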
