Solved

Adding "@referers" to my script

Posted on 1997-05-28
Last Modified: 2008-03-17
I'm using the following script, that I got help creating here, that I would like to add an "@referers" statement to. I know to add the line "@referers = ('www.mydomain.com','myserver.com');". What I need to know is the script that will send a message something like "Your site does not have permission to use this script".

Below is how the script is now:

#!/usr/bin/perl

unshift(@INC, "/opt/Web/cgi-bin");
require("cgi-lib.pl");
&ReadParse(*in);

print<<_END_;
Content-type: text/html

<HTML>
<HEAD>
   <TITLE>Exotic Tropicals' Photo Gallery</TITLE>
</HEAD>
<BODY TEXT="#000000" BACKGROUND="../graphics/bluegrad.jpg">

<CENTER>
<FONT COLOR="#FFFFFF" FONT SIZE=+3 FACE="Lucida Sans">Exotic Tropicals' Photo Gallery</FONT><BR>

<FONT COLOR="#000000"><FONT SIZE=+2>$in{'Name'}</FONT><P>

<IMG SRC="../graphics/$in{'File'}" ALT="$in{'Name'}"><P>
<A HREF="../photos.htm" onMouseOver="window.status='Back to Photo Gallery Index';return true"><IMG SRC="../graphics/bak2gal.gif" ALT="Back to Photo Gallery Index" BORDER=0 HEIGHT=25 WIDTH=155></A>
</CENTER>

</BODY>
</HTML>

_END_

Question by:Gary040897

Accepted Solution

by:
icd earned 50 total points
You need to determine exactly what it is you want to do. You have a number of choices.

You can detect the remote host accessing your site from the environment variable 'REMOTE_HOST'. For example:-

'yourhost.com'

Alternatively you can detect the address of the remote host with the environment variable 'REMOTE_ADDR'. e.g.

'123.45.67.89'

When you say 'referrers' in your question do you mean you want to know which URL has linked to your page? This can be obtained from the environment variable 'HTTP_REFERER' but this does not work for MSIE (it always returns the current page) and will not give anything if the user came to your page from a bookmark.

The REMOTE_ADDR and REMOTE_HOST also suffer from a problem that some people access the internet through a provider that allocates the address automatically when they log on. The next time they log on they may not have the same address since it might have been allocated to someone else.

In general the best way to restrict access to your page is to ensure that everyone logs on with a username and a password. This requires setting up a .htaccess file and ensures that no-one else can access your files without a user name and password.

Give me more details on exactly what you want to achieve and I will help you set it up.

Expert Comment

by:icd
If REMOTE_HOST is really what you want then change your script to the following (not tested):-

#!/usr/bin/perl

unshift(@INC, "/opt/Web/cgi-bin");
require("cgi-lib.pl");
&ReadParse(*in);
print "Content-type: text/html\n\n";

@hosts = ('www.mydomain.com','myserver.com');
foreach (@hosts) {
$access = 1 if ($_ eq $ENV{'REMOTE_HOST'});
}

if ($access) {
print<<_END_;
<HTML>
<HEAD>
<TITLE>Exotic Tropicals' Photo Gallery</TITLE>
</HEAD>
<BODY TEXT="#000000" BACKGROUND="../graphics/bluegrad.jpg">

<CENTER>
<FONT COLOR="#FFFFFF" FONT SIZE=+3 FACE="Lucida
Sans">Exotic Tropicals' Photo Gallery</FONT><BR>
<FONT COLOR="#000000"><FONT SIZE=+2>$in{'Name'}</FONT><P>
<IMG SRC="../graphics/$in{'File'}" ALT="$in{'Name'}"><P>
<A HREF="../photos.htm"
onMouseOver="window.status='Back to Photo Gallery
Index';return true"><IMG SRC="../graphics/bak2gal.gif"
ALT="Back to Photo Gallery Index" BORDER=0 HEIGHT=25
WIDTH=155></A>
</CENTER>
</BODY>
</HTML>
_END_
} else {
print<<_END2_;
<HTML>
<HEAD></HEAD>
<BODY>You dont have access to this page</BODY>
</HTML>
_END2_
}


Author Comment

by:Gary040897
I don't want to use a password here. What I want to do is prevent anyone else from running my script on their site just by making an HREF to my script in my cgi-bin. I used "@referers" because this is the syntax used on some of the scripts I have from Matt's Scripts. The line I need to have in my variables for Matt's scripts is:

@referers = ('www.fishhead.com','fishhead.com','connecti.com');

The scripts seem to need all three descriptions in there to make it work. Here are the sections of his script that I think are doing this. I've edited this out of three different sections of the script. I think I got everything. There is also logging going on in Matt's script. I could send you the two scripts I have that are working, but I didn't want to take up any more of your space than I already have.

# Check Referring URL
&check_url;

sub check_url {

    # Localize the check_referer flag which determines if user is valid.     #
    local($check_referer) = 0;

    # If a referring URL was specified, for each valid referer, make sure    #
    # that a valid referring URL was passed to FormMail.                     #

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;
    }

    # If the HTTP_REFERER was invalid, send back an error.                   #
    if ($check_referer != 1) { &error('bad_referer') }
}

sub error {
    # Localize variables and assign subroutine input.                        #
    local($error,@error_fields) = @_;
    local($host,$missing_field,$missing_field_list);

    if ($error eq 'bad_referer') {
        if ($ENV{'HTTP_REFERER'} =~ m|^https?://([\w\.]+)|i) {
            $host = $1;
            print <<"(END ERROR HTML)";
Content-type: text/html

<html>
 <head>
  <title>Bad Referrer - Access Denied</title>
 </head>
 <body bgcolor=#FFFFFF text=#000000>
  <center>
   <table border=0 width=600 bgcolor=#9C9C9C>
    <tr><th><font size=+2>Bad Referrer - Access Denied</font></th></tr>
   </table>
   <table border=0 width=600 bgcolor=#CFCFCF>
    <tr><td>The form attempting to use
     <a href="http://www.worldwidemart.com/scripts/formmail.shtml">FormMail</a>
     resides at <tt>$ENV{'HTTP_REFERER'}</tt>, which is not allowed to access
     this cgi script.<p>

     If you are attempting to configure FormMail to run with this form, you need
     to add the following to \@referers, explained in detail in the README file.<p>

     Add <tt>'$host'</tt> to your <tt><b>\@referers</b></tt> array.<hr size=1>
     <center><font size=-1>
      <a href="http://www.worldwidemart.com/scripts/formmail.shtml">FormMail</a> V1.6 &copy; 1995 - 1997  Matt Wright<br>
      A Free Product of <a href="http://www.worldwidemart.com/scripts/">Matt's Script Archive, Inc.</a>
     </font></center>
    </td></tr>
   </table>
  </center>
 </body>
</html>
(END ERROR HTML)
        }
        # (the rest of this routine is not included in the excerpt)
    }
}

Thank you,
Gary

Expert Comment

by:icd
OK, I see. You want to stop other people on different hosts creating a form or URL that has as its action your cgi-script.

The example I gave in my comment should work. Just change:-
-----
@hosts = ('www.mydomain.com','myserver.com');
foreach (@hosts) {
$access = 1 if ($_ eq $ENV{'REMOTE_HOST'});
}
-----
to:-
-----
@referers = ('www.mydomain.com','myserver.com');
if ($ENV{'HTTP_REFERER'}) {
  foreach $referer (@referers) {
    if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
      $access = 1;
      last;
    }
  }
}
else {
  $access = 1;
}
-----
This will ensure that the form, or the URL that links to your page is only from servers that you allow it to be. If anyone else links to your page it will give the error message.
Be aware however that anyone using MSIE will still be able to follow a link from another site (due to a bug in MSIE with the HTTP_REFERER variable) and possibly other browsers as well. Netscape users however should be stopped and this should be enough to deter anyone else providing such links to your script.


0
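Added example, not part of the original thread or of either poster's script: it runs the `@referers` pattern quoted above and an exact host comparison over constructed Referer values, which shows that the pattern is not anchored after the allowed name and treats each `.` as a wildcard. The `strict_check` helper and the sample values are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list in the same form as the thread's @referers.
my @referers = ('www.mydomain.com', 'myserver.com');

# The check as posted in the thread: the pattern is not anchored after the
# name, and each '.' in the name matches any character.
sub thread_check {
    my ($ref) = @_;
    return 1 unless $ref;    # a missing Referer is accepted
    foreach my $referer (@referers) {
        return 1 if $ref =~ m|https?://([^/]*)$referer|i;
    }
    return 0;
}

# Stricter check (assumed helper): extract the host and compare it exactly.
# Refusing an empty Referer also blocks bookmarks, so that is a policy choice.
sub strict_check {
    my ($ref) = @_;
    return 0 unless defined $ref && length $ref;
    return 0 unless $ref =~ m{\Ahttps?://([^/:?#\@]+)(?::\d+)?(?:[/?#]|\z)}i;
    my $host = lc $1;
    foreach my $referer (@referers) {
        return 1 if $host eq lc $referer;
    }
    return 0;
}

# Constructed Referer values for illustration, not taken from any log.
my @samples = (
    'http://www.mydomain.com/photos.htm',
    'http://myserver.com:8080/photos.htm',
    'http://www.mydomain.com.other.example/page.htm',
    'http://wwwxmydomain.com/page.htm',
    '',
);

# The Referer header is supplied by the client, so either check only
# discourages casual linking; it is not authentication.
foreach my $ref (@samples) {
    printf "%-48s thread=%d strict=%d\n",
        (length($ref) ? $ref : '(no Referer)'),
        thread_check($ref), strict_check($ref);
}
```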
 

Author Comment

by:Gary040897
On the first part of the script you gave me the lines

if ($access) {
print<<_END_;

Is "print<<_END_;" correct, or should it be "print<<_END2_;".

Thanks,
Gary

Expert Comment

by:icd
"print << _END2_;" is correct. There are two print statements, one in the if clause and one in the else. Each one needs its own label to know where to stop printing.

Author Comment

by:Gary040897
This didn't work. I got a server error message. Here's how I put together the different messages into the script:

#!/usr/bin/perl
unshift(@INC, "/opt/Web/cgi-bin");
require("cgi-lib.pl");
&ReadParse(*in);
print "Content-type: text/html\n\n";

@referers = ('www.mydomain.com','myserver.com');
if ($ENV{'HTTP_REFERER'}) {
    foreach $referer (@referers) {
    if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
    $access = 1;
    last;
    }
  }
}
else {
$access = 1;
}

if ($access) {
print<<_END2_;
<HTML>
<HEAD>
   <TITLE>Exotic Tropicals' Photo Gallery</TITLE>
</HEAD>
<BODY TEXT="#000000" BACKGROUND="../graphics/bluegrad.jpg">

<CENTER>
<FONT COLOR="#FFFFFF" FONT SIZE=+3 FACE="Lucida Sans">Exotic Tropicals' Photo Gallery</FONT><BR>

<FONT COLOR="#000000"><FONT SIZE=+2>$in{'Name'}</FONT><P>

<IMG SRC="../graphics/$in{'File'}" ALT="$in{'Name'}"><P>
<A HREF="../photos.htm" onMouseOver="window.status='Back to Photo Gallery Index';return true"><IMG SRC="../graphics/bak2gal.gif" ALT="Back to Photo Gallery Index" BORDER=0 HEIGHT=25 WIDTH=155></A>
</CENTER>

</BODY>
</HTML>
_END_
} else {
print<<_END2_;
<HTML>
<HEAD></HEAD>
<BODY>YOUR SITE DOES NOT HAVE PERMISSION TO ACCESS THIS SCRIPT!</BODY>
</HTML>
_END2_
}

Thanks,
Gary

Expert Comment

by:icd
I re-read your earlier comment and I think we got at cross purposes. You should have:-

if ($access) {
print<<_END_;

I have also investigated the HTTP_REFERER environment variable further and there is no problem with MSIE. MSIE has a problem in this area only with Javascript which does not apply to your case.


Author Comment

by:Gary040897
I made the change to

if ($access) {
print<<_END_;

but that didn't work either. I still get a server error message.

Gary

Author Comment

by:Gary040897
I ran the script from the command line and got the error message "can't find string terminator "_END2" anywhere before EOF at showimg.pl line" I also tried "print<<_END_;" and got the same type of error message.

Gary

Expert Comment

by:icd
Make sure the label is spelt correctly and that the label does not have any characters (white space) before it on the line.

Author Comment

by:Gary040897
I have rechecked everything again and again. I didn't find any typos. The script is exactly as posted above. I still get the same error message from the command line. Do you have any other suggestions? If not, perhaps you can release the question to mkornell. Maybe another person could see some little thing that we're overlooking. I'm open to suggestions.

Thanks!
Gary

Expert Comment

by:icd
The _END_ and _END2_ lines are critical. They must have no white space either before or after. I cut and pasted your script and it works so long as you observe this rule.


Author Comment

by:Gary040897
Ok, I cut and pasted the exact same thing that's here on the message board just as you did. I still get the exact same error message "can't find string terminator "_END2_" anywhere before EOF at showimg.pl at line 21". Line 21 is "print<<_END2_;". I have tried "print<<_END_;" with the exact same result. My server is running perl version 5.001 if that makes a difference. I don't think we are getting anywhere here. The bottom line is that it's not working on my server. Unless you have any other suggestions, I need to unlock the question. I really appreciate your time and efforts to date, but the problem still remains.

Gary

Expert Comment

by:icd
Cut and paste does not work, it puts in extra white space.
The problem with extra white space is not with the 'print' line but with the terminator.

Also as I said in an earlier comment line 21 should not be

print <<_END2_;

Since this does not seem to be the best media to give ideas and to cut and paste code I have put the script at:-

http://www.silkwood.co.uk/cgi-scripts/test.pl

You can download it from there. It works on my server and should work on your own.

it should be

print <<_END_;




Author Comment

by:Gary040897
When I cut and pasted from the message board I did remove all the blank spaces. I realize you can't assume that I did. I then went to the URL you gave me and copied that version and put it on the server. Then it apparently ran fine from the command line, but when I tried to call it from the browser there was a problem. It produced a page with everything except the image from the graphics file and the name from the ALT tag. When you view source of that page you would see:

<FONT COLOR="#000000"><FONT SIZE=+2></FONT><P>

<IMG SRC="../graphics/" ALT=""><P>

When everything is working it should have produced:

<FONT COLOR="#000000"><FONT SIZE=+2>Altolamprologus calvus yellow</FONT><P>

<IMG SRC="../graphics/acalvyl3.jpg" ALT="Altolamprologus calvus yellow"><P>

That is what should be produced when you click on the name of the picture from my page that is produced from the html line:

<A HREF="cgi-bin/showimg.pl?File=acalvyl3.jpg&Name=Altolamprologus+calvus+yellow" onMouseOver="window.status='Photo by Ad Konings, Cichlid Press';return true">Altolamprologus calvus yellow</A><BR>

I downloaded it twice from your URL with the same result. I also cut and pasted everything between <HTML> and </HTML> from another version of the script without the referers in it that works perfectly. I still got the broken link in your version of this script. Any ideas?

BTW, the @referer part works and does pass the access denied html if the variable is not set.

Thanks,
Gary

Author Comment

by:Gary040897
Permissions for showimg.pl (this script) are 755.

Expert Comment

by:icd
Lines 5 and 6 need the '#' removing. I had those in while I was testing the script on my site and forgot to remove them.


Author Comment

by:Gary040897
I should have seen that too. OK everything works great now!  Thank you for your help.

Gary

Author Comment

by:Gary040897
Dear ICD,

This script has been working really well with the exception of a small bug. The section where there's a problem is in the Name= section. That part of the script can only deal with the first quotation mark it sees. This is a problem when I want the name of the fish text created by this script to print a part of the fish name with quotation marks on the html page. For example if I had [ Name=Big+"redfin"+fish" ] all that would show up on the created html page would be [ Big ] and not [ Big "redfin" fish ]. The page where I'm using this script is http://www.fishhead.com/photos.htm. I got the idea for this script from another fish site. Their version of the script can deal with the extra " symbols. If you want to see that page, it's at http://www.badgerstate.com/JAWS/fishpic1.htm. Rather than post the entire script here again, I put it on my server. I've made a few changes to it since you last worked with it. You can find it at http://www.fishhead.com/scripts/showimg.txt.

I'm not sure if this was the best way to ask this question. It's a new question as far as the points go, but I wanted this to get to you as you worked on it last.

Thanks,
Gary

Author Comment

by:Gary040897
ICD,

I cannot find an answer posted to my last comment. Are you still with Experts Exchange? The question was posted 9-11-97. It's now 9-20-97.
0
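Added example, not part of the original thread or of the posters' script: one way to handle the quotation-mark problem described in the last comments is to URL-encode the name in the link and HTML-escape `Name` (and restrict `File` to a plain file name) before printing them into the page. The helper names, the `jpg|gif` extension rule and the sample request are assumptions of this example, which parses the query itself instead of calling cgi-lib.pl so that it runs on its own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one URL-encoded query value: '+' is a space, %XX is a byte.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Encode a value for use inside a link: everything but unreserved characters.
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Escape the characters that are special in HTML text and attribute values.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Accept only a plain image file name: no directories, no markup.
sub safe_file {
    my ($f) = @_;
    return $f =~ /\A[A-Za-z0-9_-]+\.(?:jpg|gif)\z/ ? $f : undef;
}

# Constructed request, as the link on the index page would send it.
my $name  = 'Big "redfin" fish';
my $query = 'File=acalvyl3.jpg&Name=' . url_encode($name);

my %in;
foreach my $pair (split /&/, $query) {
    my ($k, $v) = split /=/, $pair, 2;
    $in{ url_decode($k) } = url_decode(defined $v ? $v : '');
}

my $file = safe_file($in{'File'});
die "bad File parameter\n" unless defined $file;
my $label = html_escape($in{'Name'});

print "link:  cgi-bin/showimg.pl?$query\n";
print qq{<FONT SIZE=+2>$label</FONT><P>\n};
print qq{<IMG SRC="../graphics/$file" ALT="$label"><P>\n};
```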
