Re: [PBML] Script security.

  • Doug Wells
    Message 1 of 13 , Apr 2, 2001
      You should be able to access the environmental
      variable HTTP_REFERER in the ENV hash.

      $ENV{'HTTP_REFERER'}

      Good luck

      Doug

      --- Franki <frankieh@...> wrote:
      > Hi all,
      >
      > I have a question that is a lot more relevant than
      > most of mine :-)
      >
      > I have two scripts, one generates lots of html
      > forms.. (called man.cgi)
      > in one of those forms, is a mini form that opens a
      > popup window via JS and
      > calls the second script in it.
      >
      > what I want to do, is have it so that the second
      > script cannot be called on
      > its own, it has to be called by man.cgi in the
      > method above...
      >
      > I got no idea how to get it to do that.
      >
      > I thought maybe some way of checking referrer?
      >
      >
      > can anyone make any suggestions?
      >
      >
      > kindest regards
      >
      >
      >
      > Frank Hauptle
      > ----/ / _
      > ---/ / (_)__ __ ____ __
      > --/ /__/ / _ \/ // /\ \/ /
      > -/____/_/_//_/\_,_/ /_/\_\
      > Gshop & Network Payment Solutions.
      >
      >


    • Franki
      Message 2 of 13 , Apr 2, 2001
        yeah, I tried that, but because the script is printing a form with a
        onClick="window.open('ect ect')
        that opens the second script in the popup window, the referer doesn't output
        any results.

        can I change the above so that it will work? (I'd like to keep the button,
        instead of a html link if possible.)

        regards

        Frank Hauptle
        ----/ / _
        ---/ / (_)__ __ ____ __
        --/ /__/ / _ \/ // /\ \/ /
        -/____/_/_//_/\_,_/ /_/\_\
        Gshop & Network Payment Solutions.

      • Damien Carbery
        Message 3 of 13 , Apr 2, 2001
          How about some Javascript... something like the following in the code
          for the pop(ed) up window:

          if ( document.referrer != "http://www...." )
              self.close(); // Close oneself.

          I don't remember the exact commands, and you may want to do different
          document.referrer checks e.g. only search for a document name or a
          portion of the domain name.

        • Franki
          Message 4 of 13 , Apr 2, 2001
            yeah, I thought about that too,

            but basically, it's to stop an upload script from being accessed from anyone
            not doing so through the other perl script, because the other perl script
            has password and .htaccess protection and I thought it would be cool if the
            script could itself determine from where it was accessed and if it wasn't
            the other script it shouldn't work.

            I suppose it's not hugely important that it do that, because that script is
            also protected by htaccess. But I am of the opinion that if I am paranoid
            all the time, sooner or later it will be justified at least once.

            I considered having the parent script set a cookie after login, and have the
            second script detect that cookie and if it's not present, to exit... but
            again, that's not much better than the JS version, and has no functionality
            if the user has cookies disabled.

            so the last answer I came up with, is for the parent script to write the
            user's IP address to a file, and then when the child script is run, it tries
            to match the IP address with the user trying to access the child script..

            That is the best answer I could come up with failing a solution to the http
            referer method.

            Frank Hauptle
            ----/ / _
            ---/ / (_)__ __ ____ __
            --/ /__/ / _ \/ // /\ \/ /
            -/____/_/_//_/\_,_/ /_/\_\
            Gshop & Network Payment Solutions.

          • Mike Payne
            Message 5 of 13 , Apr 2, 2001
              If someone really wanted to bypass it, they could just turn javascript off,
              especially considering the fact that unless the window was opened by a
              javascript command (which it wouldn't be if they cut/pasted the url), it asks
              for a confirmation to close the window, which you can just deny and then the
              code is useless.

              -Mike


            • Franki
              Message 6 of 13 , Apr 2, 2001
                yup, that's exactly why I canned that idea.

                I want it so that if the user tries to log directly into the child script,
                it checks to see where the user came from, and if not the parent script, it
                exits. The two methods I know would work, would be the http referer, or
                having the parent script write the user's IP to file, and then require that
                file in the child script and attempt to match IPs, if no match, then it
                exits...



                Frank Hauptle
                ----/ / _
                ---/ / (_)__ __ ____ __
                --/ /__/ / _ \/ // /\ \/ /
                -/____/_/_//_/\_,_/ /_/\_\
                Gshop & Network Payment Solutions.
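
Added example, not part of the thread or any poster's code: a Perl implementation of the approach described in the message above, where the parent script writes the user's IP address to a file and the child script exits unless it finds a match. The function names `record_grant` and `has_grant`, the one-line-per-visit file layout and the 10-minute validity window are assumptions made for the illustration; the addresses and timestamp are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempfile);

# Assumed value: how long a recorded visit to the parent script stays valid.
my $GRANT_TTL = 600;    # seconds

# Parent script (man.cgi in the thread): call after the login succeeds.
sub record_grant {
    my ( $file, $ip, $now ) = @_;
    open my $fh, '>>', $file or die "cannot open $file: $!";
    flock $fh, LOCK_EX or die "cannot lock $file: $!";
    print {$fh} "$ip $now\n";
    close $fh or die "cannot close $file: $!";
    return 1;
}

# Child (upload) script: call first, and exit unless this returns true.
sub has_grant {
    my ( $file, $ip, $now ) = @_;
    return 0 unless defined $ip && length $ip;
    open my $fh, '<', $file or return 0;    # no grant file, no access
    flock $fh, LOCK_SH or return 0;
    my $ok = 0;
    while ( my $line = <$fh> ) {
        my ( $seen_ip, $stamp ) = split ' ', $line;
        next unless defined $stamp && $stamp =~ /^\d+$/;
        next unless $seen_ip eq $ip;        # exact match, no prefixes
        my $age = $now - $stamp;
        $ok = 1 if $age >= 0 && $age <= $GRANT_TTL;
    }
    close $fh;
    return $ok;
}

# Demo on constructed data (documentation-range addresses, temp file).
my ( $tmp_fh, $grant_file ) = tempfile( UNLINK => 1 );
close $tmp_fh;
my $t0 = 986_200_000;    # constructed epoch timestamp
record_grant( $grant_file, '192.0.2.10', $t0 );

my @cases = (
    [ 'came through parent',       '192.0.2.10',   $t0 + 30 ],
    [ 'direct hit, other address', '198.51.100.7', $t0 + 30 ],
    [ 'grant expired',             '192.0.2.10',   $t0 + 3600 ],
    [ 'prefix of a granted IP',    '192.0.2.1',    $t0 + 30 ],
);
for my $case (@cases) {
    my ( $label, $ip, $now ) = @$case;
    printf "%-28s %-13s %s\n", $label, $ip,
        has_grant( $grant_file, $ip, $now ) ? 'allow' : 'deny (exit)';
}
```

In the CGI scripts the address would come from `$ENV{REMOTE_ADDR}` and the time from `time`. Users behind one proxy or NAT gateway share an address, so a match only shows that someone at that address passed through the parent recently; the check sits on top of the .htaccess protection mentioned in the thread, not in place of it.
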

              • Chanda Adams
                Message 7 of 13 , Apr 2, 2001
                  is there a command that will simply add the date to a cgi script that will
                  be emailed? I know it's on the email, but in the form would be handy.

                  Thanks!
                  Chanda

                  --
                  Chanda Adams
                  adams@...
                • Damien Carbery
                  Message 8 of 13 , Apr 2, 2001
                    #!/usr/local/bin/perl -w

                    use strict;

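                    # localtime() returns the month as 0-11 and the year minus 1900,
                    # so both are adjusted before formatting.
                    my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday ) =
                    localtime();

                    $yday = sprintf( "%02d:%02d:%02d %02d-%02d-%4d", $hour, $min,
                    $sec, $mday, $mon + 1, $year + 1900 );
                    print $yday;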

                    __END__
                    I know the call to localtime() could be simplified.
                    I used sprintf() because I read it is more efficient than printf but,
                    of course, I can't find where I read this.

                    Now you have the info, you can print it with your CGI/HTML output as
                    normal.
