httpd-dev mailing list archives

From Thomas Eibner <tho...@stderr.net>
Subject Re: stupid question?
Date Tue, 24 Sep 2002 16:08:09 GMT
On Tue, Sep 24, 2002 at 03:49:40PM +0200, Günter Knauf wrote:
> Hi Thomas,
> >> are the server-side vars generated by the server or only echoed vars
> >> which were provided by the browser??
> >> specially REQUEST_URI is of interest for me for security purposes in
> >> scripts, so is it generated from Apache self or can it be faked by the
> >> client?
> 
> > In 1.3 it looks like it's set from the original request, but to be able
> > to fake it they can't call your script (right?)
> f.e. I have a perl mailscript which should only accept formdata from a form which was
> served by my host, so I want to check in the script if REQUEST_URI is from my own host or
> probably comes from a locally stored and modified form...
> so any other ideas what I can check to be 100% sure that the form was served by my server?

Probably not the right list for this, but you can't really be 100% sure
that the form is being submitted from your server. But what you are
looking for is really the referer. (still not 100% sure though)

-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer> <http://photos.eibner.dk/>
  !(C)<http://copywrong.dk/>                  <http://apachegallery.dk/>
          Putting the HEST in .COM <http://www.hestdesign.com/>
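
An added example, not part of the original message or of Apache's code: a minimal Python model of where REQUEST_URI and HTTP_REFERER come from, plus a Referer host check that compares the parsed host exactly. The host `www.example.org`, the script path and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.org"}  # assumption: the host that serves the real form

def cgi_env_from_request(raw: bytes) -> dict:
    """Model how CGI variables are derived from the bytes the client sent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    # REQUEST_URI is the target on the request line: it names the script
    # being called, not the page the form was loaded from.
    env = {"REQUEST_METHOD": method, "REQUEST_URI": target}
    for line in header_lines:
        name, _, value = line.partition(":")
        # Every HTTP_* variable is a request header, so it is client-supplied.
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env

def referer_host_ok(env: dict, allowed=frozenset(ALLOWED_HOSTS)) -> bool:
    """Weak filter: True only if Referer is an http(s) URL on an allowed host.

    A missing header is rejected; a header written by the client is not
    detectable, so this screens out accidents, not determined senders.
    """
    try:
        parts = urlsplit(env.get("HTTP_REFERER", ""))
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme in ("http", "https") and host in allowed

# Constructed sample requests (not captured traffic).
FROM_SERVED_FORM = (b"POST /cgi-bin/mail.pl HTTP/1.0\r\nHost: www.example.org\r\n"
                    b"Referer: http://www.example.org/contact.html\r\n\r\nmsg=hi")
NO_REFERER = (b"POST /cgi-bin/mail.pl HTTP/1.0\r\nHost: www.example.org\r\n"
              b"\r\nmsg=hi")
LOOKALIKE_HOST = (b"POST /cgi-bin/mail.pl HTTP/1.0\r\nHost: www.example.org\r\n"
                  b"Referer: http://www.example.org.other.test/contact.html\r\n"
                  b"\r\nmsg=hi")

if __name__ == "__main__":
    for label, raw in [("served form", FROM_SERVED_FORM),
                       ("no referer", NO_REFERER),
                       ("lookalike host", LOOKALIKE_HOST)]:
        env = cgi_env_from_request(raw)
        print(label, env["REQUEST_URI"], referer_host_ok(env))
```

REQUEST_URI is identical in all three requests, so it says nothing about the form's origin; only the Referer differs, and the script has no way to tell a browser-written value from one typed by the sender.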
