
RE: [PBML] Script security.

  • Franki
    Message 1 of 13, Apr 2, 2001
      yeah, I tried that, but because the script is printing a form with a
      onClick="window.open('ect ect')
      that opens the second script in the popup window, the referer doesn't output
      any results.

      can I change the above so that it will work? (I'd like to keep the button,
      instead of a html link if possible.)

      regards

      Frank Hauptle
      ----/ / _
      ---/ / (_)__ __ ____ __
      --/ /__/ / _ \/ // /\ \/ /
      -/____/_/_//_/\_,_/ /_/\_\
      Gshop & Network Payment Solutions.

      -----Original Message-----
      From: Doug Wells [mailto:dougawells@...]
      Sent: Tuesday, 3 April 2001 2:02 AM
      To: perl-beginner@yahoogroups.com
      Subject: Re: [PBML] Script security.


      You should be able to access the environmental
      variable HTTP_REFERER in the ENV hash.

      $ENV{'HTTP_REFERER'}

      Good luck

      Doug

      --- Franki <frankieh@...> wrote:
      > Hi all,
      >
      > I have a question that is a lot more relevant than
      > most of mine :-)
      >
      > I have two scripts, one generates lots of html
      > forms.. (called man.cgi)
      > in one of those forms, is a mini form that opens a
      > popup window via JS and
      > calls the second script in it.
      >
      > what I want to do, is have it so that the second
      > script cannot be called on
      > its own, it has to be called by man.cgi in the
      > method above...
      >
      > I got no idea how to get it to do that.
      >
      > I thought maybe some way of checking referrer?
      >
      >
      > can anyone make any suggestions?
      >
      >
      > kindest regards
      >
      >
      >
      > Frank Hauptle
      > ----/ / _
      > ---/ / (_)__ __ ____ __
      > --/ /__/ / _ \/ // /\ \/ /
      > -/____/_/_//_/\_,_/ /_/\_\
      > Gshop & Network Payment Solutions.
      >
      >


    • Damien Carbery
      Message 2 of 13, Apr 2, 2001
        How about some Javascript... something like the following in the code
        for the pop(ed) up window:

        if ( document.referrer != "http://www...." )
        self.close(); // Close oneself.

        I don't remember the exact commands, and you may want to do different
        document.referrer checks e.g. only search for a document name or a
        portion of the domain name.

      • Franki
        Message 3 of 13, Apr 2, 2001
          yeah, I thought about that too,

          but basically, it's to stop an upload script from being accessed from anyone
          not doing so through the other Perl script, because the other Perl script
          has password and .htaccess protection and I thought it would be cool if the
          script could itself determine from where it was accessed and if it wasn't
          the other script it shouldn't work.

          I suppose it's not hugely important that it do that, because that script is
          also protected by htaccess. but I am of the opinion that if I am paranoid
          all the time, sooner or later it will be justified at least once.

          I considered having the parent script set a cookie after login, and have the
          second script detect that cookie and if it's not present, to exit... but
          again, that's not much better than the JS version. and has no functionality
          if the user has cookies disabled.

          so the last answer I came up with, is for the parent script to write the
          user's IP address to a file, and then when the child script is run, it tries
          to match the IP address with the user trying to access the child script..

          That is the best answer I could come up with failing a solution to the http
          referer method.

          Frank Hauptle
          ----/ / _
          ---/ / (_)__ __ ____ __
          --/ /__/ / _ \/ // /\ \/ /
          -/____/_/_//_/\_,_/ /_/\_\
          Gshop & Network Payment Solutions.

        • Mike Payne
          Message 4 of 13, Apr 2, 2001
            If someone really wanted to bypass it, they could just turn javascript off,
            especially considering the fact that unless the window was opened by a
            javascript command (which it wouldn't be if they cut/pasted the url), it asks
            for a confirmation to close the window, which you can just deny and then the
            code is useless.

            -Mike


          • Franki
            Message 5 of 13, Apr 2, 2001
              yup, that's exactly why I canned that idea.

              I want it so that if the user tries to log directly into the child script,
              it checks to see where the user came from, and if not the parent script, it
              exits. the two methods I know would work, would be the http referer, or
              having the parent script write the user's IP to file, and then require that
              file in the child script and attempt to match IPs, if no match, then it
              exits...



              Frank Hauptle
              ----/ / _
              ---/ / (_)__ __ ____ __
              --/ /__/ / _ \/ // /\ \/ /
              -/____/_/_//_/\_,_/ /_/\_\
              Gshop & Network Payment Solutions.
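
Added example (not part of the original thread and not any poster's code): one way to get the effect discussed in the messages above without depending on Referer, JavaScript or cookies is for the parent script to put a signed, time-limited token in the popup URL and for the child script to verify it. This goes beyond the IP-file idea in the thread; the secret, TTL, addresses and timestamps are constructed, and the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: both scripts read the same secret from a file outside the
# web root. This value is constructed for the demo.
my $SECRET = 'constructed-demo-secret-change-me';
my $TTL    = 300;    # seconds a token stays valid (assumed policy)

# Parent side (man.cgi): call only after the login check has passed.
# The token binds the issue time and the client IP (REMOTE_ADDR in CGI).
sub issue_token {
    my ( $ip, $now ) = @_;
    return "$now-" . hmac_sha256_hex( "$now|$ip", $SECRET );
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ( $x, $y ) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i ( 0 .. length($x) - 1 ) {
        $diff |= ord( substr( $x, $i, 1 ) ) ^ ord( substr( $y, $i, 1 ) );
    }
    return $diff == 0;
}

# Child side (the upload script): refuse anything without a fresh token
# that was issued for this client. Returns a reason string.
sub verify_token {
    my ( $token, $ip, $now ) = @_;
    return 'missing-or-malformed'
        unless defined $token
        && $token =~ /\A(\d{1,12})-([0-9a-f]{64})\z/;
    my ( $issued, $mac ) = ( $1, $2 );
    return 'expired' if $now - $issued > $TTL || $issued > $now;
    return 'bad-mac'
        unless same_string( $mac, hmac_sha256_hex( "$issued|$ip", $SECRET ) );
    return 'ok';
}

# Constructed requests: [ description, token, client IP, request time ].
my $t0    = 986_200_000;                         # constructed epoch time
my $token = issue_token( '192.0.2.10', $t0 );    # goes in the window.open() URL
my @requests = (
    [ 'popup opened from man.cgi',    $token, '192.0.2.10',   $t0 + 5 ],
    [ 'URL pasted, no token',         undef,  '192.0.2.10',   $t0 + 5 ],
    [ 'token used from another IP',   $token, '198.51.100.7', $t0 + 5 ],
    [ 'token reused an hour later',   $token, '192.0.2.10',   $t0 + 3600 ],
    [ 'timestamp edited by client',
        '986203595-' . substr( $token, 10 ), '192.0.2.10', $t0 + 3600 ],
);
printf "%-30s %s\n", $_->[0], verify_token( @{$_}[ 1 .. 3 ] ) for @requests;
```

Binding to the address keeps the thread's IP idea, so clients that share a proxy address are indistinguishable; the expiry and the MAC are what stop a saved or hand-built URL from working.
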

            • Chanda Adams
              Message 6 of 13, Apr 2, 2001
                is there a command that will simply add the date to a cgi script that will
                be emailed? I know it's on the email, but in the form would be handy.

                Thanks!
                Chanda

                --
                Chanda Adams
                adams@...
              • Damien Carbery
                Message 7 of 13, Apr 2, 2001
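                  #!/usr/local/bin/perl -w

                  use strict;

                  # localtime() returns the month as 0..11 and the year as years since 1900.
                  my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday ) =
                  localtime();

                  # Format as HH:MM:SS DD-MM-YYYY; $yday is reused to hold the string.
                  $yday = sprintf( "%02d:%02d:%02d %02d-%02d-%4d", $hour, $min,
                  $sec, $mday, $mon + 1, $year + 1900 );
                  print $yday;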

                  __END__
                  I know the call to localtime() could be simplified.
                  I used sprintf() because I read it is more efficient than printf but,
                  of course, I can't find where I read this.

                  Now you have the info, you can print it with your CGI/HTML output as
                  normal.
