pizzahut 04-09-2018 21:00

Player avatars broken again?
 
Not running hlstatsx myself, but from what I've seen, Steam is now using https for the xml profile data. The function "fetchpage" in file "playerinfo_general.php" needs to be changed accordingly to retrieve the Steam avatar URL and online status.

Original "playerinfo_general.php":
https://bitbucket.org/Maverick_of_UC...e-view-default

Using curl:
https://stackoverflow.com/questions/...-https-content

Using fsockopen and fgets:
http://php.net/manual/function.fsockopen.php#34887
http://php.net/manual/openssl.installation.php

Phorce_Phed 04-19-2018 11:46

Re: Player avatars broken again?
 
Does anyone have a drop-in fix for this?

pizzahut 04-21-2018 14:22

Re: Player avatars broken again?
 
Quote:

Originally Posted by Phorce_Phed (Post 2588486)
Does anyone have a drop-in fix for this?

This quick fix by Master works, though I later found out that https is possible using fsockopen as well. Also, there is no error checking done in the quick fix.

So you can use this, but it's probably better to continue using fsockopen instead, just with SSL as described in the docu linked above.

As mentioned, I'm not running hlstatsx myself atm, so can't do any testing.

You can comment out the original function using /* and */ .
PHP Code:

function fetchpage ($page)
{
    $url = "https://steamcommunity.com";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url."/".$page);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $html_content = curl_exec($ch);
    curl_close($ch);
    return $html_content;
}


Looking at the code, ."/" is probably redundant. I think $page usually starts with a slash already, though not sure if this is always the case.
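The post above notes that the quick fix does no error checking. The following is an added example, not part of the original post or of HLstatsX:CE, showing the same curl fetch with failures handled and TLS verification stated explicitly. The function name `fetchpage_checked`, the redirect limit, the timeouts and the log messages are assumptions made for illustration.

```php
<?php
// Added example (hypothetical name): the curl quick fix with error handling.
// Returns the response body as a string, or false on any failure.
function fetchpage_checked($page)
{
    // $page may or may not start with a slash; normalise to exactly one.
    $url = "https://steamcommunity.com/" . ltrim($page, "/");

    $ch = curl_init($url);
    if ($ch === false) {
        return false;
    }
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HEADER          => false,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,               // assumed limit
        // Allow HTTPS only, for the first request and for redirect targets,
        // so a redirect cannot downgrade the fetch to plain HTTP.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        // Set certificate and hostname verification explicitly rather than
        // relying on defaults that a local configuration may have changed.
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CONNECTTIMEOUT  => 2,               // assumed, in seconds
        CURLOPT_TIMEOUT         => 5,               // assumed, in seconds
    ));

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $errno !== 0) {
        // Covers DNS, connect and TLS failures, including a rejected certificate.
        error_log("fetchpage: curl error $errno: $error");
        return false;
    }
    if ($status !== 200) {
        error_log("fetchpage: unexpected HTTP status $status for $url");
        return false;
    }
    return $body;
}
```

Callers should treat a `false` return as "no profile data" and leave the avatar and online status unset instead of parsing an empty or error page.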

midnight9 04-22-2018 04:59

Re: Player avatars broken again?
 
Quote:

Originally Posted by pizzahut (Post 2588754)
This quick fix by Master works, though I later found out that https is possible using fsockopen as well. Also, there is no error checking done in the quick fix.

So you can use this, but it's probably better to continue using fsockopen instead, just with SSL as described in the docu linked above.

As mentioned, I'm not running hlstatsx myself atm, so can't do any testing.

You can comment out the original function using /* and */ .
PHP Code:

function fetchpage ($page)
{
    $url = "https://steamcommunity.com";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url."/".$page);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $html_content = curl_exec($ch);
    curl_close($ch);
    return $html_content;
}


Looking at the code, ."/" is probably redundant. I think $page usually starts with a slash already, though not sure if this is always the case.

Works for me. Thanks

Phorce_Phed 04-23-2018 10:56

Re: Player avatars broken again?
 
Simply changing this line inside the "fetchpage" function:
Code:

$fsock=fsockopen($domain, 80, $errno, $errstr,2);
To this:
Code:

$fsock=fsockopen("ssl://".$domain, 443, $errno, $errstr,2);
Seemed to work, for me.

DarkDeviL 04-23-2018 11:23

Re: Player avatars broken again?
 
Quote:

Originally Posted by pizzahut (Post 2588754)
This quick fix by Master works, though I later found out that https is possible using fsockopen as well. Also, there is no error checking done in the quick fix.

So you can use this, but it's probably better to continue using fsockopen instead, just with SSL as described in the docu linked above.

Quote:

Originally Posted by Phorce_Phed (Post 2589025)
Simply changing this line inside the "fetchpage" function:
Code:

$fsock=fsockopen($domain, 80, $errno, $errstr,2);
To this:
Code:

$fsock=fsockopen("ssl://".$domain, 443, $errno, $errstr,2);
Seemed to work, for me.

DO NOT simply do fsockopen on SSL!

CURL will verify the SSL certificate is valid and trusted, etc. fsockopen WILL NOT validate anything in relation to the certificate at all.

Using fsockopen is literally the same as blindly accepting all certificate and server configuration errors, like the one you see if you open last-time-i-checked-this-certificate-expired.darkserv.net, - without any hesitation.

Since the certificate validation is gone, someone can very easily hijack steamcommunity.com and point your network/servers towards a fake steamcommunity.com, that provides incorrect information to your HLstatsX. You'll never know if you wake up some day, and see your HLstatsX installation is presenting pictures advertising someone else's gaming community, adult material, or anything else...

Doing things the right way takes so little effort, but is often forgotten, when people have the chance to cut corners by adding/changing ~6 characters rather than adding/modifying a few lines...

alBert2000 04-23-2018 13:17

Re: Player avatars broken again?
 
I made a quick test with the page you mentioned and fsock:

Code:

php.exe ssl_test.php

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in D:\fsock_test\ssl_test.php on line 20

Warning: fsockopen(): Failed to enable crypto in D:\fsock_test\ssl_test.php on line 20

Warning: fsockopen(): unable to connect to ssl://last-time-i-checked-this-certificate-expired.darkserv.net:443 (Unknown error) in D:\fsock_test\ssl_test.php on line 20

So it seems that fsock checks the certificate too.
I'm not an expert at all.
I just was curious.
Maybe someone could explain that in more detail so that we can use the one-line fix without having to worry.

Thanks in advance.
Al

Phorce_Phed 04-23-2018 13:41

Re: Player avatars broken again?
 
From http://php.net/manual/en/function.fsockopen.php#115405:
Quote:

It appears that in PHP 5.6.0 (at least the version in Debian jessie, with openssl 1.0.1h-3), this function *is* now validating SSL certificates (in a variety of ways). First, it appears to fail for untrusted certificates (i.e. no matching CA trusted locally), and secondly, it appears to fail for mismatched hostnames in the request and certificate.
Assuming alBert2000 is testing with a 5.6+ PHP, it sounds like we might add "tests for expired certificates" to this list.

DarkDeviL 04-23-2018 13:44

Re: Player avatars broken again?
 
Quote:

Originally Posted by alBert2000 (Post 2589046)
I made a quick test with the page you mentioned and fsock:

Quote:

Originally Posted by alBert2000 (Post 2589046)
So it seems that fsock checks the certificate too.
I'm not an expert at all.
I just was curious.
Maybe someone could explain that in more detail so that we can use the one-line fix without having to worry.

Testing PHP 7.x on latest Debian 9 "Stretch":

Code:

$ php ssl-fsockopen.php
PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /home/darkdevil/ssl-fsockopen.php on line 8
PHP Warning:  fsockopen(): Failed to enable crypto in /home/darkdevil/ssl-fsockopen.php on line 8
PHP Warning:  fsockopen(): unable to connect to ssl://last-time-i-checked-this-certificate-expired.darkserv.net:443 (Unknown error) in /home/darkdevil/ssl-fsockopen.php on line 8
Error:

Testing with some very old PHP 5.3, from the stone age:

Code:

$ php ssl-fsockopen.php
HTTP/1.1 404 Not Found
Date: Mon, 23 Apr 2018 17:36:07 GMT
[...]


IF you have PHP 5.6 or higher, fsockopen will validate the certificates, and you can actually do the easy fix with no issues.

Since fsockopen didn't do it in the past (e.g. below 5.6), I wasn't using fsockopen unless really necessary, "for security reasons".

Seems like there is one good change here, that I actually missed among all the updates of PHP...
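The thread's conclusion is that `ssl://` sockets only validate certificates from PHP 5.6 onward. The following added example, which is not code from this thread or from HLstatsX:CE, opens the socket with the verification options set explicitly and refuses to connect on older PHP, so the one-line fix does not silently run unverified. The helper name `open_verified_tls` and the sample request are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper): open a TLS socket with certificate and
// hostname verification stated explicitly. Returns a stream, or false.
function open_verified_tls($domain, $timeout = 2)
{
    // The verify_peer_name option and verification by default exist only from
    // PHP 5.6 on; refuse on older versions instead of connecting unchecked.
    if (version_compare(PHP_VERSION, '5.6.0', '<')) {
        error_log("PHP " . PHP_VERSION . " is too old for verified ssl:// sockets");
        return false;
    }

    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'       => true,    // chain must lead to a trusted CA
        'verify_peer_name'  => true,    // certificate must match the host name
        'peer_name'         => $domain,
        'allow_self_signed' => false,
    )));

    // Same transport as fsockopen("ssl://".$domain, 443, ...), but this call
    // accepts the context carrying the options above.
    $fsock = stream_socket_client(
        "ssl://" . $domain . ":443",
        $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, $ctx
    );
    if ($fsock === false) {
        // An expired, untrusted or mismatched certificate ends up here.
        error_log("TLS connect to $domain failed: [$errno] $errstr");
        return false;
    }
    return $fsock;
}

// Sample use: request only the status line, then close.
$fsock = open_verified_tls("steamcommunity.com");
if ($fsock !== false) {
    fwrite($fsock, "HEAD / HTTP/1.1\r\nHost: steamcommunity.com\r\nConnection: close\r\n\r\n");
    echo fgets($fsock);
    fclose($fsock);
}
```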

mo0n_sniper 07-29-2018 13:23

Re: Player avatars broken again?
 
Thank you for the fix @pizzahut and @Phorce_Phed


All times are GMT -4.