PerlMonks  

Referer check within domain problem

by jerrygarciuh (Curate)
on Nov 22, 2002 at 16:12 UTC [id://215142]

jerrygarciuh has asked for the wisdom of the Perl Monks concerning the following question:

Fellow Monks,
I have the following snippet in a script which is intended to make sure that only pages on our site may utilize the script. It came to my attention this morning that someone had received the Bad Referer message while (they say) they were moving from one page to another within our site. We have no 3rd level domains, and the site cannot be accessed by proxy (no www) at all, and the pages have been tested hundreds of times without this coming up. Anyone see a flaw in the code or have an idea for a scenario to cause this. I should note that I have only just altered the error message to request mail and plan to log errors but I do not have the referer infomation that triggered this problem.
TIA
jg
use strict;
use warnings;
use CGI qw(:standard);   # provides header, start_html, h2 and a()

my $q         = CGI->new;
my $good_url  = 'http://www.thesite.org/';
my $also_good = 'https://www.thesite.org';
my $referer   = $ENV{'HTTP_REFERER'} || '';   # header may be absent; avoid an undef warning

# Reject the request unless the Referer starts with one of our own URLs.
if ( $referer !~ /^$good_url/ && $referer !~ /^$also_good/ ) {
    print $q->header, start_html, h2("Bad Referer."),
          "If you receive this error please ",
          a( { -href => "mailto:bug\@nolaflash.com?Subject=New+Member+Bug!+$referer" },
             "email us" ),
          ".";
    exit;
}
_____________________________________________________
"The man who grasps principles can successfully select his own methods.
The man who tries methods, ignoring principles, is sure to have trouble.
~ Ralph Waldo Emerson

Re: Referer check within domain problem
by Abigail-II (Bishop) on Nov 22, 2002 at 16:20 UTC
    The HTTP specification doesn't mandate the usage of the Referer header. Some browsers may opt not to send the header. Proxies may strip out the header (what do you mean "the site cannot be accessed by proxy"? You can't always know whether there's a proxy involved). And in some cases, browsers should not send a Referer header, for instance when following a bookmark, or when the user types in a URL.

    See also the HTTP specification. Denying or allowing access based on a Referer header is a bad thing to do.

    Abigail

      Thank you for your response. When you have a script which should only accept input from specific pages, how do you control this? Is one good way to do this using .htaccess "allow from" where that is available?
      All advice seriously appreciated!
      jg
        When you have a script which should only accept input from specific pages how do you control this?
        I would never make such a script, because the premise is flawed. HTTP was created as a stateless protocol, and that's how it works best. Why would a resource care which resource the user consulted before? Why try to funnel the user through a virtual corridor? HTTP wasn't designed for that, and any trick you try will eventually fail. As you found out.

        Don't fight the system, work with it.

        Abigail

Re: Referer check within domain problem
by Mr. Muskrat (Canon) on Nov 22, 2002 at 16:17 UTC

    Is it possible that $ENV{'HTTP_REFERER'} contains an ip address?

    If so, add in the appropriate checks.

Re: Referer check within domain problem
by huguei (Scribe) on Nov 22, 2002 at 16:39 UTC

    Try to check case-insensitive:
    if ( $referer !~ /^$good_url/i && ...

    Some proxies convert the URLs to uppercase. Your users don't use proxies, but maybe some browsers do the uppercase transformation??

Re: Referer check within domain problem
by jerrygarciuh (Curate) on Nov 22, 2002 at 16:51 UTC
    OK, slapping myself with the trout of foolishness! No one had ever mentioned that the .com and .net addies are also owned and active.
    Humbly,
    jg
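Pulling the thread's points together (the .com/.net aliases jg found, huguei's case issue, Mr. Muskrat's IP-address case, and Abigail's warning that the header is often simply absent), here is an added example of a referer check that parses the header instead of prefix-matching a string. It is not code from the thread; the alias list and the sample referers are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed allow-list: the thread only says the .com and .net names are also
# owned and active, so the exact hostnames here are a guess for the example.
my @allowed_hosts = qw(www.thesite.org thesite.org www.thesite.com www.thesite.net);

# Returns 'ok', 'missing' or 'bad'. A missing Referer is reported on its own
# because browsers, proxies and bookmarks legitimately omit it (Abigail's
# point), so the caller can decide whether to treat that as an error.
sub check_referer {
    my ($referer, @hosts) = @_;
    return 'missing' unless defined $referer && length $referer;

    # Extract scheme and host; anything that does not parse as a URL is rejected.
    my ($scheme, $host) = $referer =~ m{^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#:]+)}
        or return 'bad';
    return 'bad' unless lc($scheme) eq 'http' || lc($scheme) eq 'https';

    # Hostnames are case-insensitive, so compare in lower case; this also
    # handles the upper-cased URLs huguei mentions. Comparing the whole host
    # (not a prefix) means an IP address or a look-alike name is not accepted.
    $host = lc $host;
    my %ok = map { lc($_) => 1 } @hosts;
    return $ok{$host} ? 'ok' : 'bad';
}

# Constructed sample inputs showing each outcome.
for my $r ( 'http://www.thesite.org/members.html',
            'HTTP://WWW.THESITE.ORG/index.html',
            'http://www.thesite.net/join.html',
            'https://www.thesite.org.example/',     # prefix match on $also_good would pass this
            'http://192.0.2.10/page.html',
            undef ) {
    printf "%-42s => %s\n", defined $r ? $r : '(no Referer header)',
           check_referer($r, @allowed_hosts);
}
```

The first three print `ok`, the next two `bad`, and the last `missing`.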
