Forum Moderators: coopster & phranque

stop hotlinking my cgi scripts

StopSpam

10:25 am on Jun 18, 2003 (gmt 0)

I got this code thinking it should stop other sites from running my scripts:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mywebsite.com(/)?.*$ [NC]
RewriteRule \.(cgi?pl)$ - [NC,F]

Now I have an HTML form for feedback that sends data to a script on my server, which then sends it to me by email.

Now I have uploaded the HTML form to a different website. I fill in the form and click submit, and it says message sent, and I received the form email as well.

So the code isn't working right?

It should have given an error when I clicked send form.

One more thing: if I use more than one code in my .htaccess file

like the above code and anti-image-hotlink
and a few others,

should I use the line RewriteEngine on

only once or for each code?

mat

10:41 am on Jun 18, 2003 (gmt 0)

Sorry, off topic slightly, but be careful with this sort of thing - lots of security software and proxy servers will either blank or change the HTTP referrer string, most notably Norton Internet Security.

Result - these people will not be able to submit forms that you are checking in this way (through the perl script itself, that is).

react

10:50 am on Jun 18, 2003 (gmt 0)

Would it not be better to modify the actual CGI script so it can only be run from your www.domain.com?

StopSpam

10:51 am on Jun 18, 2003 (gmt 0)

I did not know this ...

If someone uses a proxy he probably wants to abuse my script.
If he wants to hide his privacy then a proxy IP would be enough; why blank the referer?

So I should use this code I found and edited a long time ago:

#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";

# LIST THE IPs/DOMAINS YOU WISH TO
# GRANT USAGE OF YOUR SCRIPT:
my @valid_referers = ("yoursite.com", "11.222.33.11");

# SPECIFY AN ERROR MESSAGE:
my $error_message = "You have no permission to use this script.";

# CHECK FOR VALID IPs/DOMAINS
check_valid();

# THE CHECK_VALID FOLLOWS
sub check_valid {
    my $ref = 0;
    if (@valid_referers && $ENV{'HTTP_REFERER'}) {
        foreach my $referer (@valid_referers) {
            # \Q...\E makes the dots in "yoursite.com" match literally
            if ($ENV{'HTTP_REFERER'} =~ /\Q$referer\E/) {
                $ref = 1;
                last;
            }
        }
    }
    else {
        # no referer sent (or no list configured): let the request through
        $ref = 1;
    }

    if ($ref != 1) {
        print $error_message;
        exit;
    }
}

#################################
### THE REST OF YOUR PROGRAM
### MAY BE PLACED BELOW HERE
#################################

StopSpam

10:53 am on Jun 18, 2003 (gmt 0)

Would it not be better to modify the actual CGI script so it can only be run from your www.domain.com?

Yes, you are right ...
but I thought if I do it with code in the .htaccess file
then all scripts are protected at once, no need to edit each script ...

But I will go for the code I posted above ..
It's a bit more work and not 100% safe as dorks can spoof the referer,

but it's something and it will stop many dummies.

mat

10:57 am on Jun 18, 2003 (gmt 0)

If someone uses a proxy he probably wants to abuse my script.

- I wouldn't assume this for one second.

If he wants to hide his privacy then a proxy IP would be enough; why blank the referer?

- because that is, certainly with NIS, the default setting - a blank HTTP referrer string. Caveat emptor.

StopSpam

11:08 am on Jun 18, 2003 (gmt 0)

OK, I have again learned something, thank you ;-)

tschild

10:35 pm on Jun 18, 2003 (gmt 0)

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mywebsite.com(/)?.*$ [NC]
RewriteRule \.(cgi?pl)$ - [NC,F]

I suspect that your mod_rewrite solution should work if you replaced the '?' with a '¦' in the last regex:

RewriteRule \.(cgi|pl)$ - [NC,F]

(note: for some reason the forum software replaces the pipe character (uninterrupted vertical line) with the "interrupted vertical line" character.)

tschild

10:37 pm on Jun 18, 2003 (gmt 0)

Drat. Input pipe character, got question mark character in the published posting. I assume the original posting had a pipe character in the last line of the code then, and the code only got mangled by the forum software.
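Both the mangled RewriteRule pattern and the referer check from the Perl script in this thread can be exercised outside Apache. The Python below is an added example, not code from the thread or from Apache: it shows why the pattern "\.(cgi?pl)$" never matches a ".cgi" request while "\.(cgi|pl)$" does, and it puts the script's substring referer match next to an exact hostname comparison; the host names and paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# RewriteRule pattern as it appeared in the thread: the forum turned "|" into "?",
# so "cgi?pl" means "cg", optional "i", then "pl" and never matches ".cgi" alone.
MANGLED_RULE = re.compile(r"\.(cgi?pl)$", re.IGNORECASE)
# The pattern tschild intended: a ".cgi" or ".pl" extension.
FIXED_RULE = re.compile(r"\.(cgi|pl)$", re.IGNORECASE)


def rule_matches(pattern, path):
    """True if a RewriteRule with this pattern would fire for the request path."""
    return pattern.search(path) is not None


# Hosts permitted to submit to the script (constructed values for this example).
ALLOWED_HOSTS = {"mywebsite.com", "www.mywebsite.com"}


def referer_allowed_substring(referer, valid_referers):
    """Same semantics as the posted check_valid: any listed string found
    anywhere in the Referer URL passes, and an empty Referer passes too."""
    if not referer:
        return True
    return any(v in referer for v in valid_referers)


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """Stricter variant: compare the Referer's hostname exactly. A missing or
    blank Referer is still allowed, since proxies and products such as Norton
    Internet Security strip it (mat's caveat); a spoofed Referer still passes."""
    if not referer:
        return True
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in allowed_hosts


if __name__ == "__main__":
    print(rule_matches(MANGLED_RULE, "/cgi-bin/feedback.cgi"))   # False
    print(rule_matches(FIXED_RULE, "/cgi-bin/feedback.cgi"))     # True
    print(referer_allowed("http://www.mywebsite.com/form.html"))  # True
    print(referer_allowed("http://mywebsite.com.example.net/"))   # False
```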