in reply to HTTP::Daemon Security Question

I don't think it's secure in the way you think. Just because you use localhost as the server address, doesn't mean it won't accept connections from the internet.

You can add some more safety though. I haven't tested this, but the perldoc says that "The "HTTP::Daemon::ClientConn" is a "IO::Socket::INET" subclass.". So you should be able to use IO::Socket::INET's peeraddr to get the address of the client

my $peeraddress = $c->peeraddr(); # check if they are in an allowed list

I'm not really a human, but I play one on earth Remember How Lucky You Are

Re^2: HTTP::Daemon Security Question
by Crackers2 (Parson) on Jan 06, 2009 at 18:12 UTC
    Just because you use localhost as the server address, doesn't mean it won't accept connections from the internet.
    I think you're wrong about that. I just did a quick check and when using localhost as server address, netstat shows
    [user@rack tmp]$ sudo netstat -tnlp | grep :80
    tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 6634/perl
    which means it will only accept connections coming in on the localhost IP. Packets going to port 80 from the external IP won't reach this server.
      which means it will only accept connections coming in on the localhost IP. Packets going to port 80 from the external IP won't reach this server.

      That's true as far as it goes, but it would still be a good idea to check the remote address.

      It's possible, depending on your system config, to get a packet coming from the outside aimed at 127.0.0.1. And of course there's no guarantee that the system you're running on hasn't been misconfigured so that 'localhost' ends up giving you an accessible IP.

        Good point on the localhost configuration. I probably should do a check that localhost is properly configured and pointing to the right place. Thank you.
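A worked version of the two suggestions in this thread (bind explicitly to the loopback address instead of trusting that "localhost" resolves correctly, and still check the peer address on every accepted connection), added here as an example; it is not code from any of the posters. The port 8080 and the one-entry allow list are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Status qw(RC_OK RC_FORBIDDEN);
use HTTP::Response;

# Assumed allow list: only loopback clients may talk to this server.
my %allowed = map { $_ => 1 } qw(127.0.0.1);

# Bind to the loopback IP itself rather than the name "localhost", so a bad
# /etc/hosts entry cannot silently put the listener on a reachable address.
# Port 8080 is an arbitrary choice for this example.
my $d = HTTP::Daemon->new(
    LocalAddr => '127.0.0.1',
    LocalPort => 8080,
    ReuseAddr => 1,
) or die "Cannot bind to 127.0.0.1:8080: $!";
print "Listening on ", $d->url, "\n";

while (my $c = $d->accept) {
    # HTTP::Daemon::ClientConn is an IO::Socket::INET subclass, so peerhost()
    # returns the client's IP as a dotted string (peeraddr() returns it packed).
    my $peer = $c->peerhost;

    if (!$allowed{$peer}) {
        # Defence in depth: even with the loopback bind, refuse and log
        # anything that does not come from an allowed address.
        warn "Rejected connection from $peer\n";
        $c->send_error(RC_FORBIDDEN);
        $c->close;
        next;
    }

    while (my $req = $c->get_request) {
        my $resp = HTTP::Response->new(RC_OK);
        $resp->header('Content-Type' => 'text/plain');
        $resp->content("Hello from the loopback-only server, $peer\n");
        $c->send_response($resp);
    }
    $c->close;
    undef $c;
}
```

After starting it, the same `netstat -tnlp` (or `ss -tnlp`) check from the thread should show the socket bound to 127.0.0.1:8080 and not 0.0.0.0.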