How should I restrict direct URL access to a form mail script in perl-cgi?


Problem description


Hi,
My project is running on an Apache server on CentOS. My project is a one-page site that contains a form that sends mail when submitted. I wrote that form mail script in Perl CGI. It is able to send mail when submitted, but I want to restrict direct URL access to that mail script. How should I do it, please?

Solution

As a first line of defense, you can check the HTTP referrer, which is one of the HTTP header fields of an HTTP request:
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Request_fields,
https://en.wikipedia.org/wiki/HTTP_referer.

All scripting modules for all non-nonsense HTTP servers allow you to check these fields. If the referrer is not what's expected for your mail script, your script should not handle this HTTP request with normal processing, including sending the mail.

On Perl, see also: http://www.perlmonks.org/?node_id=747530.

Note that this is not a 100% reliable defense, because the HTTP request can be spoofed. That's why I called it "first line of defense".

Now, this is, by far, not the only security concern of the mail script, which is potentially quite a dangerous part of Web sites. I discovered an amazingly simple yet efficient exploit (from real-life experience) which could turn your Web host into a zombie spreading spam in no time. I described it, as well as the protection, in my past answer:
unable to send mail, it showing the error in below code;
see also: In what way ('#myelement').valid(); works.

Good luck. Be safe.

—SA
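The referrer check described in the answer, written out as an added Perl CGI example (not code from the original post). It assumes the CGI and URI modules are installed and that the form lives on the origin given in @ALLOWED_ORIGINS; it compares the Referer's scheme, host and port exactly instead of doing a substring match, which a lookalike hostname would otherwise pass.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use URI;

# Origin(s) on which the HTML form is served (assumed value for this example).
my @ALLOWED_ORIGINS = ('https://www.example.com');

# Returns 1 if the Referer header names one of the allowed origins, else 0.
# Only scheme://host[:port] is compared; the path of the referring page is ignored.
sub referer_allowed {
    my ($referer, @allowed) = @_;
    return 0 unless defined $referer && length $referer;
    my $uri = URI->new($referer);
    # Non-URL junk (or schemes without a host) parses to a URI without host()
    return 0 unless $uri->can('host') && defined $uri->host && length $uri->host;
    my $origin = lc($uri->scheme . '://' . $uri->host);
    $origin .= ':' . $uri->port if $uri->port != $uri->default_port;
    return (grep { lc($_) eq $origin } @allowed) ? 1 : 0;
}

my $q = CGI->new;

# The form submits with POST; a URL typed into the address bar arrives as GET.
if ($q->request_method ne 'POST') {
    print $q->header(-status => '405 Method Not Allowed', -type => 'text/plain');
    print "Submit the form instead of requesting this script directly.\n";
    exit;
}

# First line of defense: refuse requests whose Referer is missing or foreign.
# A client that forges the header still gets through, as the answer notes.
unless (referer_allowed($ENV{HTTP_REFERER}, @ALLOWED_ORIGINS)) {
    print $q->header(-status => '403 Forbidden', -type => 'text/plain');
    print "Request not accepted.\n";
    exit;
}

# Checks passed: build and send the mail here as the existing script does.
print $q->header(-type => 'text/plain');
print "Form accepted.\n";
```

Returning 403 without a body that echoes the submitted fields keeps the rejection path from becoming a second place where form input is reflected.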

