my $remote = $ENV{REMOTE_ADDR};
return(0) unless grep /$remote/, @$hosts;
[download]

Update: See merlyn's reply on how to do this right.

-- Dan

my $remote = $ENV{REMOTE_ADDR};
return(0) unless grep /$remote/, @$hosts;
[download]

No, because the point is that you're using a regex where you want an exact match, and it's not anchored either!

This is better:

my $remote = $ENV{REMOTE_ADDR};
return 0 unless grep $remote eq $_, @$hosts;
[download]

wouldn't taint have caught this? He's trusting user supplied data (DNS name) in an unsafe way.

No, because simply doing a regex match isn't considered "external" enough for tainted data to abort it.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

Nice! I would like to see what your comments are about 90% of the other 'anti-leech' scripts out there. None of the scripts that I have seen have any taint checking nor 'use strict.'

What problem exactly were you trying to solve again?

The problem I want to solve is to stop other sites from using my bandwidth; they can link to my images, or zip files from their site, hence using my bandwidth for downloading files. This is not an 'authorization' issue. I also cannot use an Apache module since I do not have root access because my ISP is rather strict about who gets root access.

These two lines form the 'gatekeeper' aspect of the sub:

my $remote = remote_host();
return(0) unless grep /$remote/, @$hosts;
[download]

my $remote = remote_host();
# a domain or an ip can be letters or numbers seperated
# with '.' and there must be at least one char followed
# by a '.' with at least one char following
$remote =~ /([A-Za-z0-9\.]*[A-Za-z0-9]+\.[A-Za-z0-9]+)/;
return (0) unless length($remote) > 3;
return (0) unless grep /$remote/, @$hosts;
[download]

--
hiseldl
What time is it? It's Camel Time!

A few points:
• You didn't say you were in an environment where you don't really have a webservice. I'd consider any provider that doesn't let you control access lists to be a very crippled one. Find another. There are hundreds, at all price ranges.

• I haven't tested this yet, but am I on the right track?

  I've already answered a better solution for the remote match in another node in this thread. The real point is that you don't need a regex, so stop using it!

• $remote =~ /([A-Za-z0-9\.]*[A-Za-z0-9]+\.[A-Za-z0-9]+)/;
  [download]

  This is not a good regex to match a hostname. You left out the hyphens, for example. At least you didn't use \w like so many do, incorrectly adding underscore to the mix. You get points for that. {grin}
• You really don't want to send the file yourself. What you need is to just do an internal redirect to a URL that you keep secret, as in:

  my @GOODLIST = qw(10.0.1.5 10.0.2.1);
  use CGI qw(:all); use strict;
  for my $remote_addr (remote_addr()) {
    if (grep $remote_addr, @GOODLIST) {
      print redirect ("/secret/URL/here/foo.thingy");
    } else {
      print header ( status => 404 ),
        start_html( 'error' ),
        "The resource you tried to access is not found",
        end_html;
    }
  }
  [download]

  There. That's your whole program. Short and sweet.
• Of course, you can bypass all this nonsense, and simply give out the secret URL to your friends, and change it from time to time. The URL acts as a password. Be sure you don't link to it anywhere, and the directory that it's in must have indexing turned off, or an index.html to keep people from guessing. I've got a directory like that at http://www.stonehenge.com/pic/ that I use for semi-private publishing, such as when I'm publishing one of my columns for review here.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.