Gossamer Forum

Is this correct?

I was looking for a referrer checker and I found the following in Matt's FormMail script, but isn't there an error?

Code:
sub check_url {

    # Localize the check_referer flag which determines if user is valid. #
    local($check_referer) = 0;

    # If a referring URL was specified, for each valid referer, make sure #
    # that a valid referring URL was passed to FormMail.                  #

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;
    }

    # If the HTTP_REFERER was invalid, send back an error. #
    if ($check_referer != 1) { &error('bad_referer') }
}

Shouldn't the else branch be

Code:
else {
    $check_referer = 0;
}

If the referers didn't match, then 0; how can it be $check_referer = 1 in both cases?
Thanks

Last edited by: socrates: Jul 20, 2005, 6:47 PM

Re: [socrates] Is this correct?
The reason that $check_referer is set to 1 if no referer is passed is as follows. Most firewalls have the option to configure privacy to not pass the referer. The vast majority of people use firewalls, and many of those have their firewalls configured for maximum privacy. So, if you did not set $check_referer to 1 in these cases, a large number of people would be denied access. But then, that opens the script to being exploited in that it could be called from another server; for example, the referer is not passed if the form is opened in a new window. But with that said, referer testing is easily exploitable in other ways. For example, the referer can be very, very easily spoofed. I don't use referer checking. If the script is sensitive, I employ other methods like sessions and [Security Codes], where the user has to re-enter the [Security Code] before he can submit the form. Properly done, it will prevent outside access.

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln
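To make Dan's two points concrete, here is an added example (not code from this thread or from FormMail): referer_ok mirrors check_url's accept/reject decision so the no-Referer case and a spoofed Referer can be tried offline, and issue_code/submission_ok sketch the session-bound security code he describes. The host list, the %sessions store and all function names are assumptions for the demo.

```perl
use strict;
use warnings;

# Allow-list of referring hosts, standing in for FormMail's @referers (constructed).
my @referers = ('example.com');

# Same accept/reject decision as FormMail's check_url, but returned as 1/0
# instead of calling &error, so the cases can be exercised offline.
sub referer_ok {
    my ($referer) = @_;
    return 1 unless $referer;                  # no Referer header: accepted, as in FormMail
    foreach my $r (@referers) {
        return 1 if $referer =~ m|https?://([^/]*)$r|i;
    }
    return 0;
}

# The alternative Dan describes: a per-session security code issued with the
# form and required on submit. %sessions is a stand-in for a real session store.
my %sessions;

sub issue_code {
    my ($session_id) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 16;
    close $fh;
    my $code = unpack 'H*', $bytes;            # 32 hex chars from the OS random source
    $sessions{$session_id} = $code;
    return $code;
}

sub submission_ok {
    my ($session_id, $code) = @_;
    my $expected = delete $sessions{$session_id};   # one-time use: a replay is rejected
    return 0 unless defined $expected && defined $code;
    return $expected eq $code ? 1 : 0;
}

# Constructed requests: a legitimate link from our site, no Referer at all,
# and a spoofed Referer that is byte-for-byte identical to the legitimate one.
for my $ref ('https://www.example.com/contact.html', undef, 'https://www.example.com/contact.html') {
    printf "%-42s -> %s\n", (defined $ref ? $ref : '(no Referer header)'),
        (referer_ok($ref) ? 'accepted' : 'rejected');
}

# With the security code, the server can tell the same three submissions apart.
my $code = issue_code('sess-1');
printf "code returned      -> %s\n", submission_ok('sess-1', $code) ? 'accepted' : 'rejected';
printf "code missing       -> %s\n", submission_ok('sess-1', undef) ? 'accepted' : 'rejected';
```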
Re: [dan] Is this correct?
Quote:
Most firewalls have the option to configure privacy to not pass referer. The vast majority of people use firewalls, and many of those have their firewalls configured for maximum privacy.
Well, if the user is accessing the script on our site and it is supposed to be accessed only from a link on our site, the $ENV{'HTTP_REFERER'} is something passed from our server to the script. How does the firewall come into play, and what does the firewall on his end have to do with it? All the action is on our end.

Just asking. Can Dan or someone explain this further?

Thanks
Re: [socrates] Is this correct?
The $ENV{'HTTP_REFERER'} environment variable is a client-side value defined by the User Agent (e.g., browser), not by the server. The User Agent passes the Referer to the server, which then stores it as $ENV{'HTTP_REFERER'}. But if a firewall is configured not to pass the referer, $ENV{'HTTP_REFERER'} is undefined. And some client-side software can spoof the referer, and can pass whatever the user wants to pass as the referer.

User Agent passes Referer to Server
Server stores Referer as $ENV{'HTTP_REFERER'} [which can be pulled via scripts, SSI, etc.]

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln