
Player avatars broken again?


pizzahut
Senior Member
Join Date: Oct 2004
Old 04-09-2018 , 21:00   Player avatars broken again?
Reply With Quote #1

Not running hlstatsx myself, but from what I've seen, Steam is now using https for the xml profile data. The function "fetchpage" in file "playerinfo_general.php" needs to be changed accordingly to retrieve the Steam avatar URL and online status.

Original "playerinfo_general.php":
https://bitbucket.org/Maverick_of_UC...e-view-default

Using curl:
https://stackoverflow.com/questions/...-https-content

Using fsockopen and fgets:
http://php.net/manual/function.fsockopen.php#34887
http://php.net/manual/openssl.installation.php

Last edited by pizzahut; 04-21-2018 at 14:40.
pizzahut is offline
Phorce_Phed
Member
Join Date: Jun 2006
Old 04-19-2018 , 11:46   Re: Player avatars broken again?
Reply With Quote #2

Does anyone have a drop-in fix for this?
Phorce_Phed is offline
pizzahut
Senior Member
Join Date: Oct 2004
Old 04-21-2018 , 14:22   Re: Player avatars broken again?
Reply With Quote #3

Quote:
Originally Posted by Phorce_Phed View Post
Does anyone have a drop-in fix for this?
This quick fix by Master works, though I later found out that https is possible using fsockopen as well. Also, there is no error checking done in the quick fix.

So you can use this, but it's probably better to continue using fsockopen instead, just with SSL as described in the docu linked above.

As mentioned, I'm not running hlstatsx myself atm, so can't do any testing.

You can comment out the original function using /* and */ .
PHP Code:
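function fetchpage ($page)
{
    $url = "https://steamcommunity.com";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url."/".$page);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);   // follow redirects
    curl_setopt($ch, CURLOPT_HEADER, 0);           // leave response headers out of the result
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the page as a string
    $html_content = curl_exec($ch);                // false on failure (not checked here)
    curl_close($ch);
    return $html_content;
}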

Looking at the code, ."/" is probably redundant. I think $page usually starts with a slash already, though not sure if this is always the case.

Last edited by pizzahut; 04-21-2018 at 14:50.
pizzahut is offline
midnight9
Senior Member
Join Date: Nov 2012
Old 04-22-2018 , 04:59   Re: Player avatars broken again?
Reply With Quote #4

Quote:
Originally Posted by pizzahut View Post
This quick fix by Master works, though I later found out that https is possible using fsockopen as well. Also, there is no error checking done in the quick fix.

So you can use this, but it's probably better to continue using fsockopen instead, just with SSL as described in the docu linked above.

As mentioned, I'm not running hlstatsx myself atm, so can't do any testing.

You can comment out the original function using /* and */ .
PHP Code:
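function fetchpage ($page)
{
    $url = "https://steamcommunity.com";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url."/".$page);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);   // follow redirects
    curl_setopt($ch, CURLOPT_HEADER, 0);           // leave response headers out of the result
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the page as a string
    $html_content = curl_exec($ch);                // false on failure (not checked here)
    curl_close($ch);
    return $html_content;
}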

Looking at the code, ."/" is probably redundant. I think $page usually starts with a slash already, though not sure if this is always the case.
Works for me. Thanks
midnight9 is offline
Phorce_Phed
Member
Join Date: Jun 2006
Old 04-23-2018 , 10:56   Re: Player avatars broken again?
Reply With Quote #5

Simply changing this line inside the "fetchpage" function:
Code:
$fsock=fsockopen($domain, 80, $errno, $errstr,2);
To this:
Code:
$fsock=fsockopen("ssl://".$domain, 443, $errno, $errstr,2);
Seemed to work, for me.
Phorce_Phed is offline
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
Old 04-23-2018 , 11:23   Re: Player avatars broken again?
Reply With Quote #6

Quote:
Originally Posted by pizzahut View Post
This quick fix by Master works, though I later found out that https is possible using fsockopen as well. Also, there is no error checking done in the quick fix.

So you can use this, but it's probably better to continue using fsockopen instead, just with SSL as described in the docu linked above.
Quote:
Originally Posted by Phorce_Phed View Post
Simply changing this line inside the "fetchpage" function:
Code:
$fsock=fsockopen($domain, 80, $errno, $errstr,2);
To this:
Code:
$fsock=fsockopen("ssl://".$domain, 443, $errno, $errstr,2);
Seemed to work, for me.
DO NOT simply do fsockopen on SSL!

CURL will verify the SSL certificate is valid and trusted, etc. fsockopen WILL NOT validate anything in relation to the certificate at all.

Using fsockopen is literally the same as blindly accepting all certificate and server configuration errors, like the one you see if you open last-time-i-checked-this-certificate-expired.darkserv.net, without any hesitation.

Since the certificate validation is gone, someone can very easily hijack steamcommunity.com and point your network/servers towards a fake steamcommunity.com, that provides incorrect information to your HLstatsX. You'll never know if you wake up some day, and see your HLstatsX installation is presenting pictures advertising someone else's gaming community, adult material, or anything else...

Doing things the right way takes so little effort, but is often forgotten, when people have the chance to cut corners by adding/changing ~6 characters rather than adding/modifying a few lines...
__________________
Mostly known as "DarkDeviL".

Dropbox FastDL: Public folder will no longer work after March 15, 2017!
For more info, see the [SRCDS Thread], or the [HLDS Thread].
DarkDeviL is offline
alBert2000
Junior Member
Join Date: Feb 2013
Old 04-23-2018 , 13:17   Re: Player avatars broken again?
Reply With Quote #7

I made a quick test with the page you mentioned and fsock:

Code:
php.exe ssl_test.php

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in D:\fsock_test\ssl_test.php on line 20

Warning: fsockopen(): Failed to enable crypto in D:\fsock_test\ssl_test.php on line 20

Warning: fsockopen(): unable to connect to ssl://last-time-i-checked-this-certificate-expired.darkserv.net:443 (Unknown error) in D:\fsock_test\ssl_test.php on line 20
So it seems that fsock checks the certificate too.
I'm not an expert at all.
I just was curious.
Maybe someone could explain that in more detail so that we can use the one-line fix without having to worry.

Thanks in advance.
Al
__________________
alBert2000 is offline
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
Old 04-23-2018 , 13:44   Re: Player avatars broken again?
Reply With Quote #8

Quote:
Originally Posted by alBert2000 View Post
I made a quick test with the page you mentioned and fsock:
Quote:
Originally Posted by alBert2000 View Post
So it seems that fsock checks the certificate too.
I'm not an expert at all.
I just was curious.
Maybe someone could explain that in more detail so that we can use the one-line fix without having to worry.
Testing PHP 7.x on latest Debian 9 "Stretch":

Code:
$ php ssl-fsockopen.php
PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /home/darkdevil/ssl-fsockopen.php on line 8
PHP Warning:  fsockopen(): Failed to enable crypto in /home/darkdevil/ssl-fsockopen.php on line 8
PHP Warning:  fsockopen(): unable to connect to ssl://last-time-i-checked-this-certificate-expired.darkserv.net:443 (Unknown error) in /home/darkdevil/ssl-fsockopen.php on line 8
Error:
Testing with some very old PHP 5.3, from the stone age:

Code:
$ php ssl-fsockopen.php
HTTP/1.1 404 Not Found
Date: Mon, 23 Apr 2018 17:36:07 GMT
[...]

IF you have PHP 5.6 or higher, fsockopen will validate the certificates, and you can actually do the easy fix with no issues.

Since fsockopen didn't do it in the past (e.g. below 5.6), I wasn't using fsockopen unless really necessary, "for security reasons".

Seems like there is one good change here, that I actually missed among all the updates of PHP...
__________________
Mostly known as "DarkDeviL".

Dropbox FastDL: Public folder will no longer work after March 15, 2017!
For more info, see the [SRCDS Thread], or the [HLDS Thread].
DarkDeviL is offline
mo0n_sniper
Junior Member
Join Date: Apr 2014
Old 07-29-2018 , 13:23   Re: Player avatars broken again?
Reply With Quote #9

Thank you for the fix @pizzahut and @Phorce_Phed

Last edited by mo0n_sniper; 07-29-2018 at 13:24.
mo0n_sniper is offline
Phorce_Phed
Member
Join Date: Jun 2006
Old 04-23-2018 , 13:41   Re: Player avatars broken again?
Reply With Quote #10

From http://php.net/manual/en/function.fsockopen.php#115405:
Quote:
It appears that in PHP 5.6.0 (at least the version in Debian jessie, with openssl 1.0.1h-3), this function *is* now validating SSL certificates (in a variety of ways). First, it appears to fail for untrusted certificates (i.e. no matching CA trusted locally), and secondly, it appears to fail for mismatched hostnames in the request and certificate.
Assuming alBert2000 is testing with a 5.6+ PHP, it sounds like we might add "tests for expired certificates" to this list.
Phorce_Phed is offline
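
One way to make the `ssl://` fetch independent of PHP's version defaults, which the posts above show changed in 5.6. This is an added example, not part of the thread or of HLstatsX; the function name `fetchpage_tls` and its parameters are assumptions.

```php
<?php
// Added example, not HLstatsX code. fetchpage_tls() is a hypothetical name;
// "ssl://", port 443 and the 2-second timeout are taken from the thread.
function fetchpage_tls($domain, $page, $timeout = 2)
{
    // Below PHP 5.6 the ssl:// transport does not verify peers by default
    // and has no verify_peer_name option, so refuse to run there.
    if (PHP_VERSION_ID < 50600) {
        trigger_error('fetchpage_tls needs PHP 5.6+ for certificate checks', E_USER_WARNING);
        return false;
    }

    // Spell the checks out rather than relying on version defaults.
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,     // chain must end at a trusted CA
            'verify_peer_name'  => true,     // certificate must be issued for $domain
            'peer_name'         => $domain,
            'allow_self_signed' => false,
            'SNI_enabled'       => true,
        ),
    ));

    // On a failed handshake PHP emits the OpenSSL warning seen in the thread
    // and the call returns false.
    $fsock = stream_socket_client('ssl://' . $domain . ':443', $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($fsock === false) {
        return false;
    }

    stream_set_timeout($fsock, $timeout);
    $path = '/' . ltrim($page, '/');         // $page may or may not start with "/"
    fwrite($fsock, "GET $path HTTP/1.0\r\nHost: $domain\r\nConnection: close\r\n\r\n");
    $response = stream_get_contents($fsock);
    $meta = stream_get_meta_data($fsock);
    fclose($fsock);
    if ($response === false || $meta['timed_out']) {
        return false;
    }

    // Hand back the body only for a plain 200; redirects are not followed.
    $parts = explode("\r\n\r\n", $response, 2);
    if (count($parts) < 2 || !preg_match('#^HTTP/1\.[01] 200\b#', $parts[0])) {
        return false;
    }
    return $parts[1];
}
```

Callers have to treat a `false` return as "no avatar data" rather than parsing it, since a failed certificate check and a network error look the same at this level.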