On 10/25/06, Marc Antony Vose <[EMAIL PROTECTED]> wrote:
> Hey Chris:
>
> Just wondering about this...what kind of filter would you recommend
> passing over the HTTP_REFERER in order to verify it's (reasonably)
> kosher?
>
> Cheers,
>
> Marc
> http://www.suzerain.com
>

At minimum you'd want to make sure the referrer starts with "http://"
or "https://", which will cut off local filesystem access. Include
ftp:// if you need to, but who passes ftp urls in the referrer?

If your server can potentially access other systems inside a firewall,
it would be a darn good idea to write some sort of host-based
blacklist, with localhost included. Being comprehensive could be
difficult, maybe just better to disallow LAN access to any server that
runs this kind of code.

Of course, if the value is output into markup, you want to convert it
using htmlentities().

Anyone think of anything else?

-- 
Chris Snyder
http://chxo.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
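An added example, not code from the thread, putting Chris's three points (scheme check, host blacklist with localhost, htmlentities() on output) into one PHP filter. The function names `referer_is_acceptable` and `referer_for_html`, the `$denied` list, and the sample referrer values are all assumptions made for illustration. The check is purely syntactic: it does not resolve DNS, so a public hostname that points at an internal address is not caught, which is why Chris's suggestion of blocking LAN access at the network level still stands.

```php
<?php
// Added example, not from the original thread. Function and parameter
// names are assumptions; sample inputs below are constructed.
declare(strict_types=1);

/**
 * Return true only if $referer is an http(s) URL whose host is neither
 * localhost, a bare decimal/private/loopback/reserved IP literal, nor a
 * host in (or under) $denied. No DNS lookup is performed.
 */
function referer_is_acceptable(string $referer, array $denied = []): bool
{
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                       // no scheme/host: file:, relative, junk
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                       // drops file://, ftp://, javascript: ...
    }
    $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 brackets
    $host = rtrim($host, '.');                        // "example.com." == "example.com"

    if ($host === 'localhost' || substr($host, -10) === '.localhost') {
        return false;
    }
    if (ctype_digit($host)) {
        return false;                       // e.g. http://2130706433/ == 127.0.0.1
    }
    foreach ($denied as $bad) {
        $bad = strtolower($bad);
        if ($host === $bad || substr($host, -strlen('.' . $bad)) === '.' . $bad) {
            return false;                   // blacklisted host or subdomain of it
        }
    }
    // IP literal: must be outside private, loopback, link-local, reserved ranges.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $public = filter_var(
            $host,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($public === false) {
            return false;
        }
    }
    return true;
}

/** Escape an accepted referrer before it goes into markup. */
function referer_for_html(string $referer): string
{
    return htmlentities($referer, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values; in real code use $_SERVER['HTTP_REFERER'].
$samples = [
    'https://example.com/page?x=1',
    'file:///etc/passwd',
    'http://localhost/admin',
    'http://127.0.0.1/',
    'http://10.0.0.5/internal',
    'http://[::1]/',
    'http://2130706433/',
    'http://intranet.corp.example/',
    'http://example.com/"><script>alert(1)</script>',
];
foreach ($samples as $s) {
    $ok = referer_is_acceptable($s, ['intranet.corp.example']);
    printf("%-50s %s\n", $s, $ok ? 'accept' : 'reject');
    if ($ok) {
        echo '  as HTML: ', referer_for_html($s), "\n";
    }
}
```

Of the samples, only the first and last are accepted; the last shows why the htmlentities() step is separate from validation, since a syntactically fine http:// URL can still carry markup in its path. Hex or octal host forms such as `0x7f.0.0.1` are not rejected by this syntactic check, one more reason to treat it as a first filter rather than the only control.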
