Kurt Edmiston wrote:
> 
> Hi, I want to limit access to one of my scripts.  I have a list of web
> pages that are authorized to call my script, and I want to disable the
> script if another unauthorized page calls it.  My code to do this looks
> like the following:
> 
>       my $referer  = $ENV{HTTP_REFERER} || '';   # header may be absent; avoid an undef compare
>       my $legal_referer;
>       my(@legal_referers) = ("http://www.some-url.com/page1.html");   # list of authorized pages
>       my $clear = 0;
> 
>       foreach $legal_referer (@legal_referers)
>       {
>          if ($legal_referer eq $referer)
>          {  $clear = 1;  }
>       }
> 
>       if (!$clear)
>       {  exit;  }   # kill the script
>       ...
> 
> I want to know if this is a good (safe) way to do this.  I'm open to any
> suggestions.  Thanks in advance.

Hi,
        A problem is that the client can present any referer it wishes (or
none), so a cracker could, if learning valid referers by trial/error or
whatever, simply use one of those referers when making the query.  Very
easy to do in LWP, particularly to work around content shields.

        I actually do this, protecting my form CGIs from casual harassment, but
a determined malfeasant could simply read my form source, generate false
forms with a forged referer, and DoS me.  But this is only for my toy
personal site :)

        One solution would be to combine a cookie with dynamic link generation,
that would force a browser to cache a cookie, then generate links that
required that cookie plus a separate string in the query to access the
page.  Cumbersome, yes, but without an even more cumbersome
certificate-based AAA solution it is probably the most solid bet.

        Any solution that relies exclusively on a client being honest can be
cracked trivially. :|

Good luck!
- MAtt
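The "cookie plus per-link token" scheme sketched in the reply above, written out as an added example (this is not code from either poster). The script hands a first-time visitor a random session cookie, builds links whose query string carries an expiry and an HMAC bound to that cookie and page, and on entry accepts the request only if cookie, page, expiry and token all agree. The Referer header plays no part, so forging it gains nothing. `$SECRET` is a placeholder for a long random value kept outside the document root; `/cgi-bin/script.cgi` and `page1.html` are assumed names, and the requests at the bottom are constructed to exercise each check.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.  Pairs a session
# cookie with an HMAC-signed link token so that a request is authorized
# by something the client cannot forge, instead of by the Referer header.
# Assumptions: $SECRET is a placeholder (replace with a long random value
# stored outside the docroot); /dev/urandom is available; the demo at the
# bottom simulates requests rather than running under a web server.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'PLACEHOLDER-long-random-secret-stored-outside-docroot';
my $TTL    = 600;   # a generated link stays valid for 10 minutes

# Fresh session id for a first-time visitor, drawn from the kernel RNG.
# The caller sends this back as a Set-Cookie header.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $raw, 16;
    close $fh;
    return unpack 'H*', $raw;
}

# Token = HMAC-SHA256 over (session id, page, expiry).  Binding all three
# means a token cannot be replayed with another cookie, page or lifetime.
sub make_token {
    my ($sid, $page, $expires) = @_;
    return hmac_sha256_hex(join("\0", $sid, $page, $expires), $SECRET);
}

# URL that the protected page embeds for this particular visitor.
sub make_link {
    my ($sid, $page) = @_;
    my $expires = time() + $TTL;
    my $tok     = make_token($sid, $page, $expires);
    return "/cgi-bin/script.cgi?page=$page&exp=$expires&tok=$tok";
}

# Constant-time comparison so the check does not leak the token byte by byte.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Entry check for the script: 1 to proceed, 0 to refuse.
# $cookie_sid comes from the request's Cookie header; the rest from the query.
sub authorize_request {
    my ($cookie_sid, $page, $expires, $tok) = @_;
    return 0 unless defined $cookie_sid && defined $page
                 && defined $expires   && defined $tok;
    return 0 unless $expires =~ /^\d+$/ && $expires >= time();   # link expired?
    return const_eq(make_token($cookie_sid, $page, $expires), $tok);
}

# --- demo with constructed requests (no web server involved) ---
my $sid  = new_session_id();                 # value the visitor got as a cookie
my $link = make_link($sid, 'page1.html');
my ($page, $exp, $tok) = $link =~ /page=([^&]+)&exp=(\d+)&tok=([0-9a-f]+)/;

my %tries = (
    'genuine cookie, page, expiry and token' => [ $sid,              $page, $exp,             $tok     ],
    'right page but bogus token (referer is irrelevant)' => [ $sid,   $page, $exp,             'x' x 64 ],
    'valid token presented with a different cookie' => [ new_session_id(), $page, $exp,       $tok     ],
    'expired link'                           => [ $sid,              $page, $exp - $TTL - 1, $tok     ],
);
for my $label (sort keys %tries) {
    printf "%-52s %s\n", $label . ':', authorize_request(@{ $tries{$label} }) ? 'allowed' : 'refused';
}
```

Only the first constructed request is allowed; the other three are refused regardless of what Referer a client might send. The expiry keeps a leaked link from being useful indefinitely, and the cookie binding is what stops a token copied from one browser from working in another.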
