Securly uploading videos in PHP [migrated]

This question is about letting a potentially malicious user upload videos to your site – specifically, handling the file itself.

With images, one one simple thing you do (after every other thing is validated) is

    if( $  uploaded_type == 'image/jpeg' ) {         $  img = imagecreatefromjpeg( $  uploaded_tmp );         imagejpeg( $  img, $  temp_file, $  imageQualityPercentage);     }     elseif( $  uploaded_type == 'image/png') {         $  img = imagecreatefrompng( $  uploaded_tmp );         imagesavealpha($  img, TRUE);         imagepng( $  img, $  temp_file, 9*(1-$  imageQualityPercentage/100));     } 

Which basically re-creates the image from user input.

Is there an equivalent in PHP for videos? I’d very much like if mp4/oog/webm ones existed (and supported most codecs), but anyone knows any open source libraries that do this for at least any format/codec?

How to verify PGP signature with signing key using Enigmail in Thunderbird [migrated]

I received an email like this above:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1  Because anyone can claim to be me. There's no validation of the user name or email address when someone posts a comment. While I do try to remove imposters, some may slip through. By signing my comments using this technique, anyone can independently verify that I was the author of the message by validating the signature. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32)  iD8DBQFFxqRFCMEe9B/8oqERAqA2AJ91Tx4RziVzY4eR4Ms4MFsKAMqOoQCgg7y6 e5AJIRuLUIUikjNWQIW63QE= =aAhr -----END PGP SIGNATURE----- 

And another email with the public key. How can I verify if the signature is valid using the Enigmail in Thunderbird?

OpenVPN works on Ubuntu but not Android – Name Resolution [migrated]

Setup:
Server1 – Primary DNS/Plesk
Server2 – Secondary DNS
Server3 – OpenVPN

On by local computer running Ubuntu 20.04 I can successfully connect to the OpenVPN server and browse any website. My public IP Address shows as the SERVER3 IP Address.

On my Android, I can successfully connect to the OpenVPN server but I can only browse websites hosted on Server1. All other websites get the DNS_PROBE_FINISHED_BAD_CONFIG error message. In the OpenVPN app it shows a successful connection and the correct IP Addresses.

I am using the exact same configuration file for both devices. Note, different certificates are used for the connection.

Looking at the syslog on Server1, I see:

client @0x7f79480ea2b0 ANDROID-PUBLIC-IP-ADDRESS#50743 (www.facebook.com): query (cache) 'www.facebook.com/A/IN' denied 

I don’t get these errors when browsing on the Ubuntu box.

My ovpn file:

dev tun proto tcp remote SERVER3 IP 443 resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun remote-cert-tls server cipher AES-256-GCM auth SHA256 verb 3 key-direction 1 <certificates are here> 

My OpenVPN Config file:

management 127.0.0.1 5555 dev tun ca ca.crt cert server.crt key server.key  # This file should be kept secret dh none server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt push "dhcp-option DNS SERVER1 IP" push "dhcp-option DNS SERVER2 IP" keepalive 10 120 tls-crypt ta.key cipher AES-256-GCM auth SHA256 user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log log         /var/log/openvpn/openvpn.log log-append  /var/log/openvpn/openvpn.log verb 3 explicit-exit-notify 0 

How to use Diffie Hellman algorithm at the browser? [migrated]

I want to use nodeJS as a server side language. NodeJS have crypto module where DiffieHellman is a class. So, I can use this method to generate key and compute key.

But, client also need to create another instance of diffiehellman class. But how to do that? Can I use crypto module on client side? If yes then how, any solution? Here are my client side code…

const crypto = require('crypto'); const express = require('express'); const app = express();  // Generate server's keys... const server = crypto.createDiffieHellman(139); const serverKey = server.generateKeys(); //send p=prime and g=generator to the client 

ModSecurity won’t apply rules – no error log entries [migrated]

I have a fresh installation of CentOS 8. I installed Apache 2.4.37 from the repo. Then installed the latest ModSecurity:

dnf install mod_security -y 

Checked the installation

dnf info mod_security 

Result:

Name         : mod_security Version      : 2.9.2 

The required Apache modules are available / loaded:

apachectl -M | grep security -> security2_module (shared) apachectl -M | grep unique -> unique_id_module (shared) 

Installed the core rule set from the repo:

dnf install mod_security_crs 

which automatically links the rules into the apache folder

/etc/httpd/modsecurity.d/activated_rules 

Rules have been checked / are at place.

The main config file

/etc/httpd/conf.d/mod_security.conf 

includes necessary further config files, including the rules conf files themselves:

IncludeOptional /etc/httpd/modsecurity.d/crs-setup.conf IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf IncludeOptional /etc/httpd/modsecurity.d/local_rules/*.conf 

(paths have been double-checked) and activates the rules engine:

SecRuleEngine On 

The rules config file modsecurity.d/crs-setup.conf (which is included in mod_security.conf, see above) provides

SecDefaultAction "phase:1,log,auditlog,deny,status:403" SecDefaultAction "phase:2,log,auditlog,deny,status:403" 

Apache httpd.conf calls ModSecurity:

SecStatusEngine On 

A restart (apachectl restart) shows that ModSecurity was loaded successfully:

ModSecurity: StatusEngine call successfully sent. <-- including LUA etc. 

Tests with manipulated URLs like a script insert:

/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%27 

show no reaction whatsoever on ModSecurity’s side. No entries at all in ModSecuritie’s audit and debug log files (debug level was set to 3), no errors in Apache’s log files.

Safety of encryption when knowing part of the content [migrated]

I want to encrypt a JSON file while exposing its interface (the name of the object fields) in clear text.

Since this exposes part of the content of the file, my guess is that an attacker could use this to hack the encryption key.

Are there encryption methods that can circumvent, or at least be safer for cases like this?

I am mostly convinced that knowing part of the content of an encrypted file can make attacks easier, but I do not know if there is a technical term for such conditions or how to evaluate if some algorithms are safer or not. So far I am specially interested if using aes-192-cbc or gpg would be OK.