jcpunk has asked for the wisdom of the Perl Monks concerning the following question:

I am currently working on a way to 'make sure' that data is being sent to a webform from a list of valid HTTP referers. The problem is that it doesn't work exactly as expected. My initial coding had a logic error in it; however, when I attempt to fix my error the script no longer runs... well, it no longer runs via a web interface; the command line is fine, as it doesn't do HTTP referer checks. Can I get some assistance on this, as the cornerstone of my error is that when I remove an else all things fall apart.
my @referers = ('$ips');
...
if ($#ARGV < 0) {
    $ENV{'REQUEST_METHOD'} =~ tr/[a-z]/[A-Z]/;
    if ($ENV{'REQUEST_METHOD'} eq 'POST') {
        if (&check_url) {
            #get data from the web via Cgi.pm
        }
    } else {
        #if it didnt come with data then it needs a form to get it
        &form;
    }
}
....
sub check_url {
    if ($ENV{'HTTP_REFERER'}) {
        my $referer;
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                return 0;
            } else {            #the else spoken of above
                return 1;       #consists of these 4 lines
            }
        }
    }
    html_start("ERROR!");                         #the two lines i want to run
    report_error("ERROR","Source check failed");  #if invalid referer
}
While I realize that this sort of check is more formality than effective (as even wget can spoof around this these days), it is a mandate for the project... so any assistance would be helpful in this. The basic goal is to make as few changes to the existing code as possible while making it actually check the referring URLs. My logic error consisted of the fact that if the 1st thing in the list did not succeed then the whole function failed, which is not the goal. That isn't what I want to happen, just failure if none of the possibles are matched.

jcpunk

by the way thanks for all the help that was, is, and will be

Re: http referers, if, else and failures
by grep (Monsignor) on Jun 24, 2003 at 21:23 UTC
    You have another problem besides returning on the first try. In your code, if https://securesite.com is a good referer then http://securesite.com is also good. Unless that is what you wanted, but you didn't state that.

    Try using grep and lc and test for equality:

    #!/usr/local/bin/perl -w
    use strict;

    my @referers = qw| https://www.imdb.com http://www.yoda-speak.org |;

    $ENV{HTTP_REFERER} = 'http://www.yoda-speak.org';
    print check_url($ENV{HTTP_REFERER}, @referers), "\n";

    $ENV{HTTP_REFERER} = 'https://www.imdb.com';
    print check_url($ENV{HTTP_REFERER}, @referers), "\n";

    $ENV{HTTP_REFERER} = 'http://badsite.net';
    print check_url($ENV{HTTP_REFERER}, @referers), "\n";

    sub check_url {
        my $http_referer = shift;
        my @referers     = @_;
        return scalar( grep( lc($http_referer) eq lc($_), @referers ) );
    }


    grep
    Mynd you, mønk bites Kan be pretti nasti...
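As an added example (it is neither grep's nor jcpunk's code), here is a check_url that compares only the scheme and host of the referer against the list, so a referer carrying a path still matches, and that reports failure only after every entry has been tried, which is the loop fix the question asks for. The .example hostnames are constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list of referring origins (scheme + host). Constructed sample values.
my @referers = qw( https://securesite.example http://www.yoda-speak.example );

# Returns 1 if the referer's origin is in the allow-list, 0 otherwise.
# Only scheme and host are compared, so "https://securesite.example/form.html"
# still matches; failure is reported only after the whole list has been tried.
sub check_url {
    my ($http_referer, @allowed) = @_;
    return 0 unless defined $http_referer;

    # Pull scheme and host out of the referer; anything unparsable is rejected.
    my ($scheme, $host) = $http_referer =~ m{^(https?)://([^/:?#]+)}i
        or return 0;
    my $origin = lc("$scheme://$host");

    foreach my $ok (@allowed) {
        return 1 if $origin eq lc $ok;    # match found: accept
    }
    return 0;                             # nothing matched: reject
}

# Constructed checks; nothing here is live input.
my %cases = (
    'https://securesite.example/contact.html'  => 1,  # path is fine
    'http://securesite.example/contact.html'   => 0,  # scheme differs
    'https://securesite.example.evil.example/' => 0,  # whole host must match
    'http://www.yoda-speak.example'            => 1,
    ''                                         => 0,  # no referer sent
);
for my $ref (sort keys %cases) {
    my $got = check_url($ref, @referers);
    printf "%-44s %s\n", $ref || '(none)',
        $got == $cases{$ref} ? "ok ($got)" : "MISMATCH ($got)";
}
```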
Re: http referers, if, else and failures
by waswas-fng (Curate) on Jun 24, 2003 at 21:53 UTC
    HTTP_REFERER is not trustworthy in at least two ways. First, it can be forged. Secondly, you can't rely on it being set. View it as a piece of information that, while it may be interesting, is not very useful.

    -Waswas
      How can HTTP_REFERER be forged? And if it is not trustworthy what is the best way to learn from where the visitor comes to my website? Is this possible? I'll be glad if you can enlighten me.
        I am not going into forging HTTP_REFERER; if interested, search Google for "forge HTTP REFERER" and see that it is a client-sent HTTP header. As for verifying the location that linked to your site, you can perform many variations of this, including the page that refers to you calling an SSI script that talks to your host and generates a session URL to show as the link. Really, there are tons of ways this can be done securely -- lol, look at how porn sites do it.

        -Waswas
Re: http referers, if, else and failures
by Tomte (Priest) on Jun 24, 2003 at 21:10 UTC

    First observation: my @referers = ('$ips'); $ips doesn't get interpolated, as it stands in single-quotes. I wonder if you meant

    my @referers = @$ips;
    or something like that.

    regards,
    tomte


    Hlade's Law:

    If you have a difficult task, give it to a lazy person --
    they will find an easier way to do it.