Re: •Re: anti leech CGI

While true that reinventing the wheel is a bad idea, wouldn't this work ok if it were just IP based?:

my $remote = $ENV{REMOTE_ADDR};
return(0) unless grep /$remote/, @$hosts;
[download]

BTW, wouldn't taint have caught this? He's trusting user supplied data (DNS name) in an unsafe way.

Update: See merlyn's reply on how to do this right.

Comment on Re: •Re: anti leech CGI Download Code

Replies are listed 'Best First'.
•Re: Re: •Re: anti leech CGI by merlyn (Sage) on Oct 30, 2002 at 15:41 UTC
`my $remote = $ENV{REMOTE_ADDR}; return(0) unless grep /$remote/, @$hosts;` [download] No, because the point is that you're using a regex where you want an exact match, and it's not anchored either! This is better: `my $remote = $ENV{REMOTE_ADDR}; return 0 unless grep $remote eq $_, @$hosts;` [download] wouldn't taint have caught this? He's trusting user supplied data (DNS name) in an unsafe way. No, because simply doing a regex match isn't considered "external" enough for tainted data to abort it. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply] [d/l] [select]

Replies are listed 'Best First'.

•Re: Re: •Re: anti leech CGI
by merlyn (Sage) on Oct 30, 2002 at 15:41 UTC

my $remote = $ENV{REMOTE_ADDR};
return(0) unless grep /$remote/, @$hosts;
[download]

This is better:

my $remote = $ENV{REMOTE_ADDR};
return 0 unless grep $remote eq $_, @$hosts;
[download]

wouldn't taint have caught this? He's trusting user supplied data (DNS name) in an unsafe way.