
RE: [PBML] Script security.

  • Franki
    Message 1 of 13 , Apr 2, 2001
      yeah, I thought about that too,

      but basically, it's to stop an upload script from being accessed from anyone
      not doing so through the other perl script, because the other perl script
      has password and .htaccess protection and I thought it would be cool if the
      script could itself determine from where it was accessed and if it wasn't
      the other script it shouldn't work.

      I suppose it's not hugely important that it do that, because that script is
      also protected by htaccess. but I am of the opinion that if I am paranoid
      all the time, sooner or later it will be justified at least once.

      I considered having the parent script set a cookie after login, and have the
      second script detect that cookie and if it's not present, to exit... but
      again, that's not much better than the JS version. and has no functionality
      if the user has cookies disabled.

      so the last answer I came up with, is for the parent script to write the
      user's IP address to a file, and then when the child script is run, it tries
      to match the IP address with the user trying to access the child script..

      That is the best answer I could come up with failing a solution to the http
      referer method.

      Frank Hauptle
      ----/ / _
      ---/ / (_)__ __ ____ __
      --/ /__/ / _ \/ // /\ \/ /
      -/____/_/_//_/\_,_/ /_/\_\
      Gshop & Network Payment Solutions.

      -----Original Message-----
      From: Damien Carbery [mailto:daymobrew@...]
      Sent: Tuesday, 3 April 2001 2:20 AM
      To: perl-beginner@yahoogroups.com
      Subject: Re: [PBML] Script security.


      How about some Javascript... something like the following in the code
      for the pop(ed) up window:

      if ( document.referrer != "http://www...." )
          self.close(); // Close oneself.

      I don't remember the exact commands, and you may want to do different
      document.referrer checks e.g. only search for a document name or a
      portion of the domain name.

      --- In perl-beginner@y..., "Franki" <frankieh@v...> wrote:
      > yeah, I tried that, but because the script is printing a form with a
      > onClick="window.open('ect ect')
      > that opens the second script in the popup window, the referer doesn't output
      > any results.
      >
      > can I change the above so that it will work? (I'd like to keep the button,
      > instead of a html link if possible.)
      >
      > regards
      >
      > Frank Hauptle
      > ----/ / _
      > ---/ / (_)__ __ ____ __
      > --/ /__/ / _ \/ // /\ \/ /
      > -/____/_/_//_/\_,_/ /_/\_\
      > Gshop & Network Payment Solutions.
      >
      > -----Original Message-----
      > From: Doug Wells [mailto:dougawells@y...]
      > Sent: Tuesday, 3 April 2001 2:02 AM
      > To: perl-beginner@y...
      > Subject: Re: [PBML] Script security.
      >
      >
      > You should be able to access the environmental
      > variable HTTP_REFERER in the ENV hash.
      >
      > $ENV{'HTTP_REFERER'}
      >
      > Good luck
      >
      > Doug
      >
      > --- Franki <frankieh@v...> wrote:
      > > Hi all,
      > >
      > > I have a question that is a lot more relevant than
      > > most of mine :-)
      > >
      > > I have two scripts, one generates lots of html
      > > forms.. (called man.cgi)
      > > in one of those forms, is a mini form that opens a
      > > popup window via JS and
      > > calls the second script in it.
      > >
      > > what I want to do, is have it so that the second
      > > script cannot be called on
      > > its own, it has to be called by man.cgi in the
      > > method above...
      > >
      > > I got no idea how to get it to do that.
      > >
      > > I thought maybe some way of checking referrer?
      > >
      > >
      > > can anyone make any suggestions?
      > >
      > >
      > > kindest regards
      > >
      > >
      > >
      > > Frank Hauptle
      > > ----/ / _
      > > ---/ / (_)__ __ ____ __
      > > --/ /__/ / _ \/ // /\ \/ /
      > > -/____/_/_//_/\_,_/ /_/\_\
      > > Gshop & Network Payment Solutions.
      > >
      > >
      Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
    • Mike Payne
      Message 2 of 13 , Apr 2, 2001
        If someone really wanted to bypass it, they could just turn javascript off,
        especially considering the fact that unless the window was opened by a
        javascript command (which it wouldn't be if they cut/pasted the url), it asks
        for a confirmation to close the window, which you can just deny and then the
        code is useless.

        -Mike


        -----Original Message-----
        From: Damien Carbery [mailto:daymobrew@...]
        Sent: Monday, April 02, 2001 2:20 PM
        To: perl-beginner@yahoogroups.com
        Subject: Re: [PBML] Script security.


        How about some Javascript... something like the following in the code
        for the pop(ed) up window:

        if ( document.referrer != "http://www...." )
            self.close(); // Close oneself.

        I don't remember the exact commands, and you may want to do different
        document.referrer checks e.g. only search for a document name or a
        portion of the domain name.

      • Franki
        Message 3 of 13 , Apr 2, 2001
          yup, that's exactly why I canned that idea.

          I want it so that if the user tries to log directly into the child script,
          it checks to see where the user came from, and if not the parent script, it
          exits. the two methods I know would work, would be the http referer, or
          having the parent script write the user's IP to file, and then require that
          file in the child script and attempt to match IPs, if no match, then it
          exits...



          Frank Hauptle
          ----/ / _
          ---/ / (_)__ __ ____ __
          --/ /__/ / _ \/ // /\ \/ /
          -/____/_/_//_/\_,_/ /_/\_\
          Gshop & Network Payment Solutions.

          -----Original Message-----
          From: Mike Payne [mailto:theseus@...]
          Sent: Tuesday, 3 April 2001 2:24 AM
          To: perl-beginner@yahoogroups.com
          Subject: RE: [PBML] Script security.


          If someone really wanted to bypass it, they could just turn javascript off,
          especially considering the fact that unless the window was opened by a
          javascript command (which it wouldn't be if they cut/pasted the url), it asks
          for a confirmation to close the window, which you can just deny and then the
          code is useless.

          -Mike


          Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
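Added example, not part of the original thread: the Referer header, the JavaScript check and a cookie are all supplied by the browser, so the child script cannot rely on them. One server-side alternative is for man.cgi to put a short-lived HMAC-signed token in the popup URL, bound to the logged-in user and IP address, which the child script recomputes. The secret, the `t` parameter, the name `upload.cgi` and the sample values are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: both scripts load the same secret from a file outside the web root.
my $SECRET  = 'constructed-demo-secret';   # placeholder value for this example
my $MAX_AGE = 300;                          # seconds a token stays valid

# Parent side (man.cgi, after its own login check): returns "issued.mac".
sub issue_token {
    my ($user, $ip, $now) = @_;
    my $mac = hmac_sha256_hex(join("\0", $user, $ip, $now), $SECRET);
    return "$now.$mac";
}

# Child side: recompute the MAC from values the server itself sees and compare.
sub token_ok {
    my ($token, $user, $ip, $now) = @_;
    return 0 unless defined $token && $token =~ /\A(\d{1,12})\.([0-9a-f]{64})\z/;
    my ($issued, $mac) = ($1, $2);
    return 0 if $issued > $now || $now - $issued > $MAX_AGE;   # future-dated or expired
    my $expect = hmac_sha256_hex(join("\0", $user, $ip, $issued), $SECRET);
    # Compare every character so timing does not reveal where the strings differ.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

# Constructed demo values. In CGI these come from $ENV{REMOTE_USER},
# $ENV{REMOTE_ADDR} and the hypothetical "t" query parameter.
my $now    = time();
my $token  = issue_token('frank', '192.0.2.10', $now);
my $forged = "$now." . ('0' x 64);          # well-formed token with a made-up MAC

print "popup URL: upload.cgi?t=$token\n";
printf "same user, same IP: %d\n", token_ok($token,  'frank', '192.0.2.10',   $now + 30);
printf "different IP:       %d\n", token_ok($token,  'frank', '198.51.100.7', $now + 30);
printf "after expiry:       %d\n", token_ok($token,  'frank', '192.0.2.10',   $now + 301);
printf "made-up MAC:        %d\n", token_ok($forged, 'frank', '192.0.2.10',   $now + 30);
printf "no token (direct):  %d\n", token_ok(undef,   'frank', '192.0.2.10',   $now);
```

Binding the token to REMOTE_ADDR mirrors the IP-matching idea in the thread, but it rejects a user whose address changes between the two requests (for example behind some proxies); leave that field out of the MAC if that matters more than the extra binding.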
        • Chanda Adams
          Message 4 of 13 , Apr 2, 2001
            is there a command that will simply add the date to a cgi script that will
            be emailed? I know it's on the email, but in the form would be handy.

            Thanks!
            Chanda

            --
            Chanda Adams
            adams@...
          • Damien Carbery
            Message 5 of 13 , Apr 2, 2001
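              #!/usr/local/bin/perl -w

              use strict;

              # localtime() in list context: $mon is 0-11 and $year counts from 1900.
              my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday ) =
                  localtime();

              # Build "HH:MM:SS DD-MM-YYYY"; add 1 to $mon for the calendar month.
              my $stamp = sprintf( "%02d:%02d:%02d %02d-%02d-%4d", $hour, $min,
                  $sec, $mday, $mon + 1, $year + 1900 );
              print $stamp;

              __END__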
              I know the call to localtime() could be simplified.
              I used sprintf() because I read it is more efficient than printf but,
              of course, I can't find where I read this.

              Now you have the info, you can print it with your CGI/HTML output as
              normal.

              --- In perl-beginner@y..., Chanda Adams <adams@g...> wrote:
              >
              > is there a command that will simply add the date to a cgi script that will
              > be emailed? I know it's on the email, but in the form would be handy.
              >
              > Thanks!
              > Chanda
              >
              > --
              > Chanda Adams
              > adams@g...