devslashneil has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

I have written a mailusers CGI script used to list and manage email addresses in the mailman databases.

It is crucial for my system that this script can only accept GET data from two IP addresses, e.g. our web server and the box that it is running on (posting to itself).
However, when a GET request is made from another IP address, no data must be displayed and no changes made.

I was wondering how I would go about getting the IP address calling the script?
Is there a library for this? Or does this need to be coded by hand, etc.?

Any help would be appreciated.

Neil Archibald - /dev/IT -

Replies are listed 'Best First'.
Re: CGI IP Based Security
by submersible_toaster (Chaplain) on Jun 24, 2003 at 02:59 UTC

    Do you have access to the webserver configuration? Like being able to tell apache via httpd.conf to ..

    Order Deny,Allow
    Deny from all
    Allow from myservername.here.com
    Allow from localhost
    Would seem to obviate the need for any IP sec logic in your code

    Update: Of course, if you MUST do it with the script, for instance to display a 'friendly' warning rather than a 500 Forbidden, using the CGI query object from CGI.pm you can...

    use CGI;
    my $q = CGI->new();
    my $remote_host = $q->remote_host();

    I can't believe it's not psellchecked
      You can also frequently do this from a .htaccess file.

      The Allow from localhost type stuff mentioned above, that is...

      I am not the admin of this box. I have root access but /etc/apache/http.conf does not exist, which leaves me stumped on web configuration.

      /etc/apache/http.conf.example exists however and apache is the running webserver.

      As a matter of interest it would be nice to know how to implement IP checks in CGI anyway.
      :) Neil Archibald - /dev/IT -
        By printing out the value of $remote_host I've realized that this method will be fine when I initially run the script GETing data from the trusted IP.
        However, when the script calls itself (e.g. a "next page" button to browse data), the $remote_host is set to the user, and the user is unable to progress.

        Is there any way for the script to detect how it has been called, e.g. if it has passed GET data to itself, or if the GET data came from somewhere else?

        Thanks submersible_toaster for all your help so far :)

        Neil Archibald - /dev/IT -
Re: CGI IP Based Security
by devslashneil (Friar) on Jun 24, 2003 at 06:30 UTC
    My fix for the problem was to use:
    my $remote_host = $q->remote_host();
    my $referer     = $q->referer();
    # Show the page if the Referer names the admin script or the client is the trusted address
    if ( ($referer =~ /admin\/mynameofreferingscript/) || ($remote_host =~ /203.x.x.x/) ) {
        display_page();
    }
    else {
        display_error();
    }
    I am aware that this could easily be beaten by working out the name of the admin page, then creating your own referer page and making a link which passes &tmp=$myscriptname to the original file, along with the desired arguments.

    But I feel this risk is worth taking. :)
    Neil Archibald - /dev/IT -
Re: CGI IP Based Security
by cfreak (Chaplain) on Jun 24, 2003 at 15:48 UTC

    While the webserver level blocks are probably best, if you don't have access/can't, I would do it like this:

    # untested!
    # a hash of IPs you want to allow
    my %allow = (
        '127.0.0.1' => 1,
        '10.1.1.1'  => 1,
        # etc ...
    );
    unless ($allow{ $ENV{REMOTE_ADDR} }) {
        die "Permission denied for $ENV{REMOTE_ADDR}\n";
    }

    Hope that helps

    Lobster Aliens Are attacking the world!
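
An added example, not code from any poster in this thread: an exact-match REMOTE_ADDR allowlist beside a check modelled on the Referer test posted above, run over constructed request environments to show that the Referer branch lets through any client that sends the expected header. The addresses, the example.com URL and the sub names are assumptions.

```perl
use strict;
use warnings;

# Constructed allowlist: the local box plus a documentation-range "web server" IP.
my %ALLOW = map { $_ => 1 } qw(127.0.0.1 192.0.2.10);

# Address-only check: exact match on the TCP peer address reported by the web
# server. HTTP_REFERER is not consulted; it is a header chosen by the client.
sub allowed_by_addr {
    my ($env) = @_;
    my $addr = $env->{REMOTE_ADDR};
    return defined $addr && exists $ALLOW{$addr} ? 1 : 0;
}

# Check modelled on the thread's fix: Referer pattern OR trusted address.
sub allowed_by_referer_or_addr {
    my ($env) = @_;
    my $referer = $env->{HTTP_REFERER} // '';
    my $addr    = $env->{REMOTE_ADDR}  // '';
    my $ok = $referer =~ m{admin/mynameofreferingscript} || exists $ALLOW{$addr};
    return $ok ? 1 : 0;
}

if ($ENV{GATEWAY_INTERFACE}) {
    # Running under a web server: enforce the address-only check on %ENV.
    unless (allowed_by_addr(\%ENV)) {
        print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
        print "This page is only available from the administration hosts.\n";
        exit 0;
    }
    print "Content-Type: text/plain\r\n\r\nallowed\n";
}
else {
    # Run from a shell: compare both checks on constructed request environments.
    my $ref = 'http://www.example.com/admin/mynameofreferingscript';
    my @requests = (
        [ 'allowlisted web server'   => { REMOTE_ADDR => '192.0.2.10' } ],
        [ 'other host, no Referer'   => { REMOTE_ADDR => '198.51.100.7' } ],
        [ 'other host, Referer sent' => { REMOTE_ADDR => '198.51.100.7', HTTP_REFERER => $ref } ],
    );
    for my $r (@requests) {
        my ($label, $env) = @$r;
        printf "%-26s addr-only=%-5s referer-or-addr=%s\n", $label,
            (allowed_by_addr($env)            ? 'allow' : 'deny'),
            (allowed_by_referer_or_addr($env) ? 'allow' : 'deny');
    }
}
```

A browser following a "next page" link connects from the user's own address, so the address-only check denies it; paging for end users needs the trusted host to proxy the request or a separate authentication step.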