Gossamer Forum

how to prevent outside use

We got this part of code, which is supposed to stop the script from working when it is invoked from outside our own domain:

Code:
# Valid page

$DN = $ENV{'HTTP_REFERER'};
if ($DN eq "") {
    print "Sorry You can't run this script from this page\n";
    exit;
}

$DN =~ tr/A-Z/a-z/;

if ($DN =~ /nonsong.org/i) {
    $stayin = 1;
}
else {
    print "Sorry You can't run this script from this page\n";
    exit;
}

However, another person can simply load a page named nonsong.org.html
and is then able to use our script.

Please let us know if you have a fix for this.

Thank you for your time.
Re: how to prevent outside use
Have you tried $ENV{'SERVER_NAME'} instead of $ENV{'HTTP_REFERER'}? Example:

Code:
$DN = $ENV{SERVER_NAME};
if ($DN eq 'www.nonsong.org') {
    $stayin = 1;
}
else {
    print "Sorry You can't run this script from this page\n";
    exit;
}

Hope this helps,
Chris



------------------
webmaster@racedaze.com

Re: how to prevent outside use
Thanks a lot Chris!
Re: how to prevent outside use
Problem: $ENV{SERVER_NAME} returns the name of the host server the script is running on, not the name of the server the user is on. Therefore, it will always return true and will not prevent access as desired.

Quote:
However, another person can simply load a page with name : nonsong.org.html and is able to use our script.

Try changing the line:

Quote:
if ($DN =~ /nonsong.org/i) {

to read:

Quote:
if (($DN =~ "http://nonsong.org") or ($DN =~ "http://www.nonsong.org")) {

I hope this helps.
Re: how to prevent outside use
Funny thing, according to Bobsie, the code Chris gave should work no matter where my script is called from.

However, when I tried Chris's version it made the script completely unusable, EVEN when I was calling the script from my own server.

I tried Bobsie's code and it works fine.

Now I am interested in knowing why Chris's code totally prevents the script from being called?

[This message has been edited by Hieu (edited May 25, 1999).]
Re: how to prevent outside use
The SERVER_NAME environment variable gets exactly that, the server name, but it's the server that the script is on. That's why you have to check HTTP_REFERER, which will be the page the user comes from.

Here's some sample code to check from an array of allowed referers. Your array should contain both "yourdomain.com" and "www.yourdomain.com", and any other domains that are allowed to use this script, like this:

@referers = ("www.yourdomain.com", "yourdomain.com", "another.domain.com");

And here's the code:

Code:
sub check_referer {
    # Flag that records whether the referer is acceptable.
    my $check_referer = 0;
    # If a referring URL was sent, compare it against each allowed
    # referer in @referers; one match is enough.
    if ($ENV{'HTTP_REFERER'}) {
        foreach my $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        # No Referer header was sent at all: accepted, as written.
        $check_referer = 1;
    }
    # If the HTTP_REFERER was invalid, send back an error and stop.
    if ($check_referer != 1) {
        print "Content-type: text/html\n\n";
        print "ERROR: Your domain is not authorized to use this script.";
        exit;
    }
}

You can lose the array altogether, using a regex to strip the "www.", and remove the foreach loop, but it's just as handy to leave it in, in case you want to add other allowed referers later.

One point about using HTTP_REFERER in this capacity: users won't be able to bookmark your script. If they do, they won't have a valid referer, so they'll get the error message.

Cheers,
adam

[This message has been edited by dahamsta (edited May 25, 1999).]
Re: how to prevent outside use
Another point about HTTP_REFERER: it only prevents casual browsing. Since the referer is provided by the browser, you can't trust it to be accurate. It's very easy to forge a referer header and get access.

If you want to block, I would recommend using Apache and blocking by IP address or IP range.

Cheers,

Alex
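As an added example (not code from any of the posts above), here is a Perl check that extracts the host from the Referer URL and compares it exactly against an allow-list of hosts, which is what closes the nonsong.org.html substring match from the first post while keeping adam's idea of listing both the bare and www forms; the host names and sample Referer values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowed referring hosts (constructed for this example), matched exactly.
my %allowed = map { $_ => 1 } qw(nonsong.org www.nonsong.org);

# Pull the host out of a Referer URL and look it up in the allow-list,
# instead of searching for the domain anywhere in the string.
sub referer_allowed {
    my ($referer) = @_;
    # No referer at all (bookmark or typed URL): reject, as in the first post.
    return 0 unless defined $referer && length $referer;
    # The host is what follows the scheme, up to the first '/', ':', '?' or '#'.
    my ($host) = $referer =~ m{^https?://([^/:?#]+)}i or return 0;
    return $allowed{ lc($host) } ? 1 : 0;
}

# Constructed sample Referer values with the expected verdict.
my @cases = (
    [ 'http://www.nonsong.org/index.html',     1 ],
    [ 'HTTP://NonSong.org/',                   1 ],
    [ 'http://other.example/nonsong.org.html', 0 ],  # substring bug from the thread
    [ '',                                      0 ],
);
for my $case (@cases) {
    my ($url, $want) = @$case;
    my $got = referer_allowed($url);
    printf "%-42s %s\n", "'$url'", $got == $want ? 'ok' : 'MISMATCH';
}
```

As Alex notes, the header is supplied by the browser, so even an exact host match is only a filter against casual use, not access control; the check belongs alongside a server-side restriction such as the Apache IP allow rules he mentions.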