I'm sure it would be better if I paid MaxMind money, but that'd go a bit far for a stupid meme picture that I'll probably take down in less than a week.

If you live in a dictatorship and this thing can get your location right, you should probably be using some kind of VPN. Wouldn't want you to run into trouble with the regime!

I'm curious about your choice not to VPN but I also really don't want to pressure you into saying anything you shouldn't.

Are you sure you are where you think you are? When's the last time you looked outside?

That's a good thing to be honest, but feel free to send in corrections to the data source if you want internet companies to stalk you.

The image is generated on demand by a PHP script. It's not a static image file. Every time the web browser sends a GET /poc.png, a new image is generated based on the information your browser or app sends the server.

It's actually how a lot of tracking code works. The image data returned may be the same, but the data collection through cookies and maybe even some passive fingerprinting all happen every time you send a request.

It's not the image, it's a normal image. The server does the hard work when you make the request, and then it just builds the image accordingly.

Probably has bugs. Probably no security bugs. Feedback is welcome (but I don't care enough about this to try my hardest).

require_once('/var/www/html/geoip2.phar');
use GeoIp2\Database\Reader;

$ip = $_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'];

$cityReader = new Reader('/var/local/php/GeoLite2-City.mmdb');
$record = $cityReader->city($ip);

header('Content-Type: image/png');

$image = @imagecreatefrompng('lemmybase.png');

$black = imagecolorallocate($image, 0, 0, 0);

// "Some City, SS, Country Name"
$text = $record->city->name . ', ' . $record->mostSpecificSubdivision->isoCode . ', ' . $record->country->name;

/* $font_path = '/tmp/ComicSand.ttf'; */
$font_path = '/usr/share/fonts/ubuntu/Ubuntu-M.ttf';

// Render text
imagettftext($image, 30, 0, 28, 224, $black, $font_path, chunk_split($text, 22));

// Dump image to web server
imagepng($image);

// Free resources
imagedestroy($image);

Edit: damn, Lemmy really hates < ? php. Just imagine that's the first line in the file.

Haha it's just an IP lookup in a free database I've downloaded, I did 0% of the hard work. Thanks for the reply anyway!

It's should only be cached in your browser. Try opening the image in a new tab and hitting Ctrl+Shift+R. Opening it in a porn tab or clearing your browser cache should also work.

I originally planned to do something based on the Referer header, but the browser doesn't send those for linked images.

In theory you can do a lot with this. Detect VPNs based on MTU, for example, or if you're malicious, turn it into a tracker.