PerlMonks  

Re: •Re: anti leech CGI

by hiseldl (Priest)
on Oct 30, 2002 at 15:42 UTC ( #209115=note )


in reply to •Re: anti leech CGI
in thread anti leech CGI

Nice! I would like to see what your comments are about 90% of the other 'anti-leech' scripts out there. None of the scripts that I have seen have any taint checking nor 'use strict.'

    What problem exactly were you trying to solve again?

The problem I want to solve is to stop other sites from using my bandwidth; they can link to my images, or zip files from their site, hence using my bandwidth for downloading files. This is not an 'authorization' issue. I also cannot use an Apache module since I do not have root access because my ISP is rather strict about who gets root access.

These two lines form the 'gatekeeper' aspect of the sub:

    my $remote = remote_host();
    return(0) unless grep /$remote/, @$hosts;
...reverse DNS lookup, I hadn't thought of that. I think what you're getting at is that I have to 'untaint' $remote.
    my $remote = remote_host();
    # a domain or an ip can be letters or numbers separated
    # with '.' and there must be at least one char followed
    # by a '.' with at least one char following
    $remote =~ /([A-Za-z0-9\.]*[A-Za-z0-9]+\.[A-Za-z0-9]+)/;
    return (0) unless length($remote) > 3;
    return (0) unless grep /$remote/, @$hosts;
...I haven't tested this yet, but am I on the right track?

--
hiseldl
What time is it? It's Camel Time!

Replies are listed 'Best First'.
•Re: Re: •Re: anti leech CGI
by merlyn (Sage) on Oct 30, 2002 at 15:56 UTC
    A few points:
    • You didn't say you were in an environment where you don't really have a webservice. I'd consider any provider that doesn't let you control access lists to be a very crippled one. Find another. There are hundreds, at all price ranges.
    • I haven't tested this yet, but am I on the right track?
      I've already answered a better solution for the remote match in another node in this thread. The real point is that you don't need a regex, so stop using it!
    • $remote =~ /([A-Za-z0-9\.]*[A-Za-z0-9]+\.[A-Za-z0-9]+)/;
      This is not a good regex to match a hostname. You left out the hyphens, for example. At least you didn't use \w like so many do, incorrectly adding underscore to the mix. You get points for that. {grin}
    • You really don't want to send the file yourself. What you need is to just do an internal redirect to a URL that you keep secret, as in:
          use strict;
          use CGI qw(:all);

          # addresses allowed to fetch the file
          my @GOODLIST = qw(10.0.1.5 10.0.2.1);

          for my $remote_addr (remote_addr()) {
            # exact string comparison against the list, no regex
            if (grep { $_ eq $remote_addr } @GOODLIST) {
              print redirect("/secret/URL/here/foo.thingy");
            } else {
              # CGI.pm named arguments need the leading dash
              print header(-status => '404 Not Found'),
                start_html('error'),
                "The resource you tried to access is not found",
                end_html;
            }
          }
      There. That's your whole program. Short and sweet.
    • Of course, you can bypass all this nonsense, and simply give out the secret URL to your friends, and change it from time to time. The URL acts as a password. Be sure you don't link to it anywhere, and the directory that it's in must have indexing turned off, or an index.html to keep people from guessing. I've got a directory like that at http://www.stonehenge.com/pic/ that I use for semi-private publishing, such as when I'm publishing one of my columns for review here.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.
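
The host check discussed in this thread, as an added example that is not code from either poster: it runs the posted `grep /$remote/, @$hosts` test beside an exact string comparison over constructed values. The host names and the sub names `allowed_by_regex` and `allowed_by_eq` are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allow list; placeholder names, not taken from the thread.
my @hosts = qw(www.example.com img.example.com);

# The check as posted: the client-derived name becomes the pattern and is
# tried, unanchored, against each allowed host. Any name that is a
# substring of an allowed host, or that contains regex metacharacters
# such as '.', is accepted.
sub allowed_by_regex {
    my ($remote, $hosts) = @_;
    return scalar grep { /$remote/ } @$hosts;
}

# Exact comparison: case-folded string equality, no pattern involved,
# so the value never has to be made "regex safe".
sub allowed_by_eq {
    my ($remote, $hosts) = @_;
    return 0 unless defined $remote && length $remote;
    my $want = lc $remote;
    return scalar grep { lc($_) eq $want } @$hosts;
}

# Constructed sample values standing in for what remote_host() returns.
for my $remote ('www.example.com', 'example', 'com', '.', 'other.test') {
    printf "%-18s regex=%-3s eq=%s\n",
        "'$remote'",
        allowed_by_regex($remote, \@hosts) ? 'yes' : 'no',
        allowed_by_eq($remote, \@hosts)    ? 'yes' : 'no';
}
```

Only the first sample is on the allow list; the two columns show where the pattern match and the exact comparison disagree.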
