> Dan Muey wrote:
> > Howdy,
> > 
> > I realize that $ENV{'REMOTE_HOST'} and $ENV{'REMOTE_ADDR'} 
> > are handled 
> > differently and can be spoofed so don't worry I'm not basing any 
> > security on them.
> 
> I'm no security expert, but how can these be spoofed? They 
> don't come from the request headers, but are derived from the 
> TCP connection itself.

Well I'm not sure, I always thought what you said was true, but you always hear folks 
saying that so I was trying to avoid the pummeling I felt would be inevitable.

> 
> Furthermore, how useful are these anyway? For example, I'm 
> currently sitting behind a NAT proxy along with 300 or so 
> other folks, so you'll see the same REMOTE_ADDR for any of us 
> who visit your site. Or is that what you mean by "spoof"?
> 

True, what I was logging was the ip that certain scripts were called from.
I have some websites that use LWP to call a script on my server. 
So basically that means that, unless, something is changed on their server, my server 
will always see them as coming from the same ip address. If there are discrepancies 
I can look into it if it matters.

As much as I like to be able to only allow access from certain IP address I don't do it 
because everyone rants on and on about $ENV being able to be spoofed so easily.

So correct me if I'm wrong but if I have a script that runs on a server that 
I am the only user on and I am the only person allowed to put anything on it 
then $ENV{'REMOTE_ADDR'} may be a fairly reliable way to limit access?? (barring my 
hero Kevin Mitnick and friends ;p)


# Refuse unless the TCP peer address is exactly 1.2.3.4 (anchored, dots escaped)
die "You not allowed freako!\n" unless $ENV{'REMOTE_ADDR'} =~ m/^1\.2\.3\.4$/;
# Refuse unless the web server has authenticated a user (REMOTE_USER set)
die "You gots to be logged in jack!\n" unless defined $ENV{'REMOTE_USER'} and $ENV{'REMOTE_USER'} =~ m/^\w+$/;


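As an added illustration of the point raised in this thread (example code, not from any of the posters): REMOTE_ADDR is filled in by the web server from the accepted TCP socket, while X-Forwarded-For is an ordinary request header that any client can set, so a CGI allowlist should compare only REMOTE_ADDR and merely log the header. The allowlist addresses and the sample request environments are constructed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allowlist of the servers expected to call this script via LWP
# (hypothetical documentation addresses, not values from the thread).
my %ALLOWED_CALLERS = map { $_ => 1 } qw(192.0.2.10 192.0.2.11);

# Returns 1 if the connection peer is on the allowlist, 0 otherwise.
# Only REMOTE_ADDR is consulted: it comes from the TCP connection, not from
# anything the client wrote into the HTTP request.
sub caller_allowed {
    my ($env) = @_;
    my $peer = $env->{REMOTE_ADDR};
    return 0 unless defined $peer;
    # Exact hash lookup instead of an unanchored regex: m/1.2.3.4/ would also
    # accept 11.2.3.45, because an unescaped "." matches any character.
    return $ALLOWED_CALLERS{$peer} ? 1 : 0;
}

# Logs the socket address next to any forwarded header so that a mismatch
# (for example several callers behind one NAT address) can be investigated.
sub log_caller {
    my ($env, $fh) = @_;
    my $peer = defined $env->{REMOTE_ADDR}          ? $env->{REMOTE_ADDR}          : '-';
    my $fwd  = defined $env->{HTTP_X_FORWARDED_FOR} ? $env->{HTTP_X_FORWARDED_FOR} : '-';
    my $ok   = caller_allowed($env) ? 'allow' : 'deny';
    print {$fh} scalar(localtime), " remote_addr=$peer x_forwarded_for=$fwd decision=$ok\n";
}

# Constructed request environments standing in for %ENV under CGI.
my $from_partner = { REMOTE_ADDR => '192.0.2.10' };
# A header claiming an allowed address does not change the socket peer,
# so this request is still denied.
my $forged_header = { REMOTE_ADDR => '203.0.113.7', HTTP_X_FORWARDED_FOR => '192.0.2.10' };

for my $env ($from_partner, $forged_header) {
    log_caller($env, \*STDERR);
    unless (caller_allowed($env)) {
        print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nNot allowed\n";
        next;
    }
    print "Content-Type: text/plain\r\n\r\nOK\n";
}
```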