[thelist] http_referer [perl]
Oliver Lineham
oliver at lineham.co.nz
Wed Sep 6 19:20:21 CDT 2000
At 14:20 6/09/00 +0100, you wrote:
>now this works like a beauty in NN but for no apparent reason
>in IE4 it just kicks you out..
>I tried printing the http_referer in IE so that i could see what was wrong
>and to my surprise the HTTP_REFERER was EMPTY!!!!! :o
>Now I am completely amazed at the wonders of perl :)
>
>Does anyone know why this is happening?

just a guess, but are you using a normal link to get to the
script? perhaps IE doesn't pass the HTTP_REFERER along if it's javascript,
or something.

but my REAL reason for replying to your message is to point out a security
issue with your approach:

CGI Security Rule #1: Never trust ANYTHING sent by the client.

it is a very simple matter to trick IE (or any other browser) into sending
a bogus HTTP_REFERER (should i say how, or is that asking for trouble..?).
all it would take is for me to start guessing at what referers are in your
valid list, and i could compromise the script.
____________________________________________________
v i b e m e d i a http://www.vibe.co.nz/
po box 10-492 wellington, new zealand
phone +64 21 210-7845 oliver at lineham.co.nz
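
The point made in the message above, as an added example that is not part of the original post or of the poster's script: a referer allow-list check only compares a header the client supplies, while a token the server signs itself can be verified on the way back. The secret, the allowed URL, the lifetime and the function names (`referer_ok`, `issue_token`, `token_ok`) are all assumptions made for this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed values for this sketch; the secret must exist only on the server.
my $SECRET  = 'replace-with-a-long-random-server-side-secret';
my $MAX_AGE = 600;                                     # seconds a token stays valid
my @ALLOWED = ('http://www.example.com/form.html');    # hypothetical referer list

# Weak check, as described in the thread: it compares a client-supplied header.
sub referer_ok {
    my ($env) = @_;
    my $ref = $env->{HTTP_REFERER};
    return 0 unless defined $ref;       # some browsers send no referer at all
    return scalar(grep { $_ eq $ref } @ALLOWED) ? 1 : 0;
}

# Issued by the server when it renders the form page (e.g. as a hidden field).
sub issue_token {
    my ($now) = @_;
    return $now . ':' . hmac_sha256_hex($now, $SECRET);
}

# Verify the token posted back: well-formed, not expired, MAC matches.
sub token_ok {
    my ($token, $now) = @_;
    return 0 unless defined $token && $token =~ /\A(\d{1,12}):([0-9a-f]{64})\z/;
    my ($issued, $mac) = ($1, $2);
    return 0 if $issued > $now || $now - $issued > $MAX_AGE;
    my $expect = hmac_sha256_hex($issued, $SECRET);
    my $diff = 0;                       # compare every character, no early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

# Constructed requests (sample data, not taken from the original post).
my $now          = time;
my %no_referer   = ();                              # header missing
my %client_value = (HTTP_REFERER => $ALLOWED[0]);   # header is whatever the client sent
printf "referer check, header missing:    %d\n", referer_ok(\%no_referer);
printf "referer check, client-set header: %d\n", referer_ok(\%client_value);
printf "token check, server-issued token: %d\n", token_ok(issue_token($now), $now);
printf "token check, made-up token:       %d\n", token_ok("$now:" . ('0' x 64), $now);
printf "token check, expired token:       %d\n", token_ok(issue_token($now - 3600), $now);
```

The token here proves only that the server issued it recently; tying it to a user session as well keeps one visitor's token from being reused by another.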