>>>>> "Chris" == Chris Schults <[EMAIL PROTECTED]> writes:
Chris> Hey all. On our website we have several forms (send a letter,
Chris> ask a question, etc) that some of our visitors seem to have
Chris> problems with. These forms require the referring page to be
Chris> from a Grist Magazine domain.

Since this is trivially spoofed, and occasionally mis-sent (bad proxies,
bad browsers, deliberate security counter-blocks), your policy is flawed.
Please stop with the nonsense.

Chris> if ($url !~ m{grist}) {

If "grist" is part of a hostname, you haven't permitted for
case-insensitivities of such host names.

But seriously, just turn this off. Referer is *trivially* spoofed, so
you have no real security here anyway, and it'll only hurt the legitimate
but unfortunate customers.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
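
The two failure modes named in the reply above (legitimate requests rejected, and a check that gives no real assurance), shown as an added example that is not part of the original message or of the site's code. The domain `grist.example`, the sub names and the sample Referer values are constructed assumptions; only the `m{grist}` test comes from the quoted line.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The test from the quoted line: accept only if the Referer contains "grist".
sub original_check {
    my ($url) = @_;
    return 0 unless defined $url;            # header absent: form is refused
    return $url =~ m{grist} ? 1 : 0;         # case-sensitive, matches anywhere
}

# Hypothetical stricter variant: compare only the host part, case-insensitively.
# grist.example is a placeholder; the real domain is not given in the message.
sub host_check {
    my ($url) = @_;
    return 0 unless defined $url;
    my ($host) = $url =~ m{^https?://([^/:?#]+)}i or return 0;
    return lc($host) =~ m{(?:^|\.)grist\.example$} ? 1 : 0;
}

# Constructed sample Referer values, one per case discussed in the reply.
my @samples = (
    [ 'header stripped by proxy/browser', undef ],
    [ 'upper-case host name',             'http://WWW.GRIST.EXAMPLE/letters' ],
    [ 'ordinary on-site referer',         'http://www.grist.example/ask' ],
    [ '"grist" outside the host part',    'http://other.example/page?x=grist' ],
);

printf "%-34s %-9s %s\n", 'case', 'original', 'host-only';
for my $s (@samples) {
    my ($label, $referer) = @$s;
    printf "%-34s %-9s %s\n", $label,
        original_check($referer) ? 'accept' : 'reject',
        host_check($referer)     ? 'accept' : 'reject';
}

# Both subs read a request header that the client chooses, so neither is an
# access control. host_check only removes the case and substring mistakes;
# the stripped-header visitor is still refused, which is the reply's reason
# for turning the check off.
```

The first two rows are legitimate visitors the quoted test refuses, and the last row is an off-site value it accepts.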