query check


blz3r

Hello,

Does anyone know of a simple cgi script that is able to check against
the incoming domain request before allowing to execute the script using
nslookup. I wanted to do a simple check that says we only allow certain
domains to use this script for security purposes and I wanted to see if
there was a simple one out there that would accomplish this. If they're
in the authorized domain list then it would allow them to continue to
execute the program, else it would print a denied domain error message.
 

A. Sinan Unur

Does anyone know of a simple cgi script that is able to check against
the incoming domain request before allowing to execute the script using
nslookup. I wanted to do a simple check that says we only allow certain
domains to use this script for security purposes and I wanted to see if
there was a simple one out there that would accomplish this. If they're
in the authorized domain list then it would allow them to continue to
execute the program, else it would print a denied domain error message.

Your question has no Perl content. If you had attempted to solve your
problem using Perl, and posted the code you have along with your questions,
it would have been appropriate for this group.

Please read the posting guidelines for this group:

--
A. Sinan Unur <[email protected]>
(remove .invalid and reverse each component for email address)

comp.lang.perl.misc guidelines on the WWW:
http://augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html
 

Sherm Pendley

blz3r said:
Does anyone know of a simple cgi script that is able to check against
the incoming domain request before allowing to execute the script using
nslookup.

Don't shell out to nslookup for that. Configure your web server to accept
requests only from the allowed ip addresses and/or domains.

So what was your Perl question?

sherm--
 

blz3r

I don't have access to the webserver and the only method that I've read
about is calling to nslookup and verifying that the request to use the
perl script is from an authorized domain. Currently I don't have a body
for what the program will do but just wondering if there was a method
to check for this. I guess my perl question is how could I retrieve the
user's IP Address and start parsing from that point when they try to
call the cgi program?
 

Sherm Pendley

blz3r said:
I don't have access to the webserver

What web server? Please quote the message you're replying to, like everyone
else here does.
I guess my perl question is how could I retrieve the user's IP Address

use CGI;

my $query = CGI->new;
my $remote_host = $query->remote_host();

sherm--
 

blz3r

Thanks for the information about this small problem. I actually found a
quick guide online for obtaining a user's IP Address in the following
manner:

Code:
#!/usr/bin/perl

use warnings;
use strict;

use CGI qw/:standard/;

my $remote_ip = $ENV{'REMOTE_ADDR'};

print header;
print "Your IP is: $remote_ip\n";

Would it be best to try to parse this and check it against domain to
see if it's in the same domain or would it be best to get the user's
hostname and call to dig or nslookup to check if it's from the same
domain?

I wasn't sure if perl had a way of getting the user's hostname and I
believe all the machines that will be coming in should have some sort
of hostname, so would that be best to use and if so, does anyone know
how it could be done to check whether the person trying to access the
script is from the same domain as the one hosting the script and if
they're not, print error message.
 

Bart Van der Donck

blz3r said:
Thanks for the information about this small problem. I actually found a
quick guide online for obtaining a user's IP Address in the following
manner:

Code:
#!/usr/bin/perl

use warnings;
use strict;

use CGI qw/:standard/;

my $remote_ip = $ENV{'REMOTE_ADDR'};

print header;
print "Your IP is: $remote_ip\n";

Would it be best to try to parse this and check it against domain to
see if it's in the same domain or would it be best to get the user's
hostname and call to dig or nslookup to check if it's from the same
domain?

I wasn't sure if perl had a way of getting the user's hostname and I
believe all the machines that will be coming in should have some sort
of hostname, so would that be best to use and if so, does anyone know
how it could be done to check whether the person trying to access the
script is from the same domain as the one hosting the script and if
they're not, print error message.

It can be a lot simpler. You're talking about Perl and CGI, so probably
you are running the Apache web server.

To get you started, create a file with the following name in your
directory:

.htaccess

and put the following contents in it:

Deny from all
Allow from 111.222.333.444

This way, only connections from IP-address 111.222.333.444 are allowed
to access the files in your directory and its subdirectories.
Restrictions based upon hostname are possible as well.

Full details about mod_access:
http://httpd.apache.org/docs/1.3/mod/mod_access.html

Hope this helps,
 

Bart Van der Donck

Bart said:
[...]

Deny from all
Allow from 111.222.333.444

This way, only connections from IP-address 111.222.333.444 are allowed
to access the files in your directory and its subdirectories.

Sorry, I overlooked the specifications of valid IP-addresses. My
example will cause an internal server error, because 111.222.333.444 is
not a valid IP-address. Here is a corrected version:

Deny from all
Allow from 1.2.3.4
 

blz3r

I do not have access to the actual webserver, that is why I can not use
.htaccess directives to deny certain ranges, etc. That is why I'm using
perl/cgi to do this.
 

Anno Siegel

blz3r said:
I do not have access to the actual webserver, that is why I can not use
.htaccess directives to deny certain ranges, etc. That is why I'm using
perl/cgi to do this.

You can upload CGI scripts but no other content?

Anno
 

blz3r

Oh thanks for the better "reply" option. Yea I can only upload the cgi
file that could do this check. I can't use .htaccess files or deny or
allow certain hosts. Just wondering what the best way is to do this.
 

A. Sinan Unur

[ Top-posting corrected. Please don't do that. ]
Oh thanks for the better "reply" option.
Yea I can only upload the cgi file that could do this check.
I can't use .htaccess files or deny or allow certain hosts.

I don't understand what is preventing you from uploading an .htaccess
file. Are you saying the server is configured to ignore .htaccess files?

Sinan

--
A. Sinan Unur <[email protected]>
(remove .invalid and reverse each component for email address)

comp.lang.perl.misc guidelines on the WWW:
http://augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html
 

blz3r

I'm pretty sure the .htaccess directives are disabled on the apache
server.

A. Sinan Unur said:
[ Top-posting corrected. Please don't do that. ]
Oh thanks for the better "reply" option.
Yea I can only upload the cgi file that could do this check.
I can't use .htaccess files or deny or allow certain hosts.

I don't understand what is preventing you from uploading an .htaccess
file. Are you saying the server is configured to ignore .htaccess files?

Sinan

 

David Squire

blz3r wrote:

[Top-posting corrected again. Please don't do it. See
http://augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html. People
will eventually lose patience]
A. Sinan Unur said:
[ Top-posting corrected. Please don't do that. ]
Anno Siegel wrote:
[snip]
I don't understand what is preventing you from uploading an .htaccess
file. Are you saying the server is configured to ignore .htaccess files?
I'm pretty sure the .htaccess directives are disabled on the apache
server.

This would be a pretty odd way to run a hosting service, but I guess it
is possible. I take it that you have tested uploading a simple .htaccess
file to one of your directories on the server?

Still, it is pretty simple to do this using CGI.pm. Here is an example
fragment:

use strict;
use warnings;

use CGI;

# Keys must be quoted: under strict, host.one.com is a bareword error
# and 1.2.3.4 would be parsed as a v-string.
my %AllowedHosts = (
    'host.one.com' => 1,
    'host.two.com' => 1,
    '1.2.3.4'      => 1,
);
my $Query      = CGI->new();
my $RemoteHost = $Query->remote_host();
# ...
if ($AllowedHosts{$RemoteHost}) {
    # Do whatever is allowed for valid hosts
}

The biggest problem with this approach is that CGI::remote_host()
"returns either the remote host name or IP address. if the former is
unavailable", so you might need a mixture of numerical IPs and host
names in the %AllowedHosts hash.

Given the ambiguity of what CGI::remote_host() returns, you would
probably be better off using $ENV{REMOTE_ADDR}, which is guaranteed to
be numeric, and should be available whether you are using CGI.pm or not.

Of course you could do all sorts of other matching on $RemoteHost, e.g.
RegExs to allow a range of IPs, etc., rather than just using a hash of
allowed hosts as in this example.

Regards,

DS
 

blz3r

I'm able to upload cgi/perl scripts and run them after chmod'ing them to
+x, that's allowed, but the .htaccess directives are not read by Apache
and they are disabled on the server. Also, it's an internal server. So
uploading the cgi has nothing to do with the server not being able to
parse the .htaccess files.

Response to the last post, yea I was thinking of calling to the ENV
REMOTE ADDR and just parsing the subnet. I believe there are only 2
subnets I need to check for. Say for instance the address is
164.39.12.* and 164.39.13.*, what would be a simple regexp to check for
those subnets to make sure they are allowed. The other thing is I
believe all the machines that would call to it should have valid
hostnames, but again you're right on what the function would return and
possibly having to take both IPs and hostnames into consideration
when I parse.
 

A. Sinan Unur

@j33g2000cwa.googlegroups.com:

[ Please do not top-post. Note that you have been disregarding the
posting guidelines since the first post.
]
Response to the last post, yea I was thinking of calling to the ENV
REMOTE ADDR and just parsing the subnet. I believe there are only 2
subnets I need to check for. Say for instance the address is
164.39.12.* and 164.39.13.*, what would be a simple regexp to check
for those subnets

Why do you need a regex for that? Have you tried anything at all?

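#!/usr/bin/perl

use strict;
use warnings;

# First three octets of each allowed subnet => label
my %allowed = qw(
    192.39.12 accounting
    192.39.13 hr
);

sub is_allowed_subnet {
    my ($ip) = @_;
    # Everything before the last dot, e.g. 192.39.12 for 192.39.12.23
    my $net = substr $ip, 0, rindex $ip, '.';
    return $net if exists $allowed{$net};
    return;
}

# Print only the sample addresses that fall in an allowed subnet
while ( <DATA> ) {
    print if is_allowed_subnet($_);
}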

__DATA__
132.245.12.1
192.39.1.1
192.39.12.23
192.39.13.45
192.39.145.12
wrong
19293.34
..2





--
A. Sinan Unur <[email protected]>
(remove .invalid and reverse each component for email address)

comp.lang.perl.misc guidelines on the WWW:
http://augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html
 

Steve Swift

blz3r said:
what would be a simple regexp to check for those subnets

Something like 164\.39\.1[23]\. will be OK for your regexp, but I'm too
new to Perl to give you the code.
possibly having to take both IPs and hostnames into consideration

I've never seen hostnames in the REMOTE_ADDR environment variable, but I
can imagine that your Apache could be configured to do so. Try it, and
see what you get... the style is most unlikely to vary.
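
An added example, not code from any poster in this thread: one way to do the REMOTE_ADDR subnet check discussed above by parsing the address strictly and comparing network bits, rather than matching text with an unanchored pattern. It generalises the two subnets to CIDR prefixes; the /24 prefix lengths, the function names and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;

# Networks from the thread (164.39.12.* and 164.39.13.*) as [base, prefix bits 1..32].
my @ALLOWED = ( [ '164.39.12.0', 24 ], [ '164.39.13.0', 24 ] );

# Parse a dotted quad into a 32-bit integer; undef for anything else
# (hostnames, IPv6, trailing newline, octets > 255), so callers fail closed.
sub ip_to_int {
    my ($ip) = @_;
    return unless defined $ip;
    my @o = $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/
        or return;
    return if grep { $_ > 255 } @o;
    return ( $o[0] << 24 ) | ( $o[1] << 16 ) | ( $o[2] << 8 ) | $o[3];
}

sub is_allowed {
    my ($ip) = @_;
    my $addr = ip_to_int($ip);
    return 0 unless defined $addr;
    for my $net (@ALLOWED) {
        my ( $base, $bits ) = @$net;
        my $mask = ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF;
        return 1 if ( $addr & $mask ) == ( ip_to_int($base) & $mask );
    }
    return 0;
}

# Build the whole CGI response, so the decision is made before any output.
sub respond {
    my ($remote_addr) = @_;
    return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nDenied domain\n"
        unless is_allowed($remote_addr);
    return "Status: 200 OK\r\nContent-Type: text/plain\r\n\r\nAllowed\n";
}

if ( $ENV{GATEWAY_INTERFACE} ) {    # running under a web server
    print respond( $ENV{REMOTE_ADDR} );
}
else {
    # Constructed inputs; the 4th and 5th would match an unanchored 164\.39\.1[23]\.
    for my $in ( '164.39.12.23', '164.39.13.45', '164.39.14.1', '1164.39.12.5',
                 '164.39.12.5.example.net', "164.39.12.5\n", 'wrong' ) {
        ( my $shown = $in ) =~ s/\n/\\n/;
        printf "%-26s %s\n", $shown, is_allowed($in) ? 'allow' : 'deny';
    }
}
```

REMOTE_ADDR is the address of the TCP peer as the web server sees it, so behind a reverse proxy it is the proxy's address and the check has to run where the real client address is visible.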
 

David Squire

Steve said:
blz3r said:
what would be a simple regexp to check for those subnets

Something like 164\.39\.1[23]\. will be OK for your regexp, but I'm too
new to Perl to give you the code.
possibly having to take both IPs and hostnames into consideration

I've never seen hostnames in the REMOTE_ADDR environment variable,

Because they can't be there. That is what $ENV{REMOTE_HOST} is for. On
the other hand, CGI::remote_host() returns a hostname, or an IP address
if the hostname is not available. I think that is what the OP was
referring to.

DS.
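
An added example, not code from any poster in this thread: if the allow-list has to be by domain name, as in the original question, the reverse lookup of REMOTE_ADDR should be confirmed with a forward lookup before the name is trusted, which is the double-reverse lookup Apache itself performs for `Allow from` with a hostname. The domain `corp.example`, the function names and the DNS tables in the demo are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa AF_INET);

my @ALLOWED_DOMAINS = ('corp.example');    # hypothetical authorized domain

# System-resolver lookups; the demo below passes constructed stand-ins.
sub ptr_lookup {
    my $packed = inet_aton( $_[0] ) or return;
    return scalar gethostbyaddr( $packed, AF_INET );
}
sub a_lookup {
    my @h = gethostbyname( $_[0] ) or return;
    return map { inet_ntoa($_) } @h[ 4 .. $#h ];
}

sub host_allowed {
    my ( $ip, $ptr, $fwd ) = @_;
    $ptr ||= \&ptr_lookup;
    $fwd ||= \&a_lookup;
    return 0 unless defined($ip) && $ip =~ /\A[0-9]{1,3}(?:\.[0-9]{1,3}){3}\z/;
    my $name = $ptr->($ip);
    return 0 unless defined($name) && length $name;
    ( $name = lc $name ) =~ s/\.\z//;    # normalise case, drop trailing dot
    # Forward-confirm: the claimed name must resolve back to this address.
    return 0 unless grep { $_ eq $ip } $fwd->($name);
    # Suffix match on a label boundary, so notcorp.example does not pass.
    for my $d (@ALLOWED_DOMAINS) {
        return 1 if $name eq $d || $name =~ /\.\Q$d\E\z/;
    }
    return 0;
}

# Constructed DNS data: 203.0.113.9 has a PTR record naming the authorized
# domain, but that name's A record points to a different address.
my %PTR = (
    '164.39.12.23' => 'pc23.corp.example',
    '203.0.113.9'  => 'pc1.corp.example',
    '203.0.113.10' => 'web.notcorp.example',
);
my %A = (
    'pc23.corp.example'   => ['164.39.12.23'],
    'pc1.corp.example'    => ['164.39.12.1'],
    'web.notcorp.example' => ['203.0.113.10'],
);
for my $ip ( sort keys %PTR ) {
    my $ok = host_allowed( $ip, sub { $PTR{ $_[0] } }, sub { @{ $A{ $_[0] } || [] } } );
    printf "%-14s %-22s %s\n", $ip, $PTR{$ip}, $ok ? 'allow' : 'deny';
}
```

Only the first address is allowed: the second fails forward confirmation and the third fails the label-boundary match.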
 

Ben Morrow

Quoth David Squire said:
This would be a pretty odd way to run a hosting service, but I guess it
is possible.

In my (admittedly limited) experience, it's quite common on cheap
hosting providers.
The biggest problem with this approach is that CGI::remote_host()
"returns either the remote host name or IP address. if the former is
unavailable", so you might need a mixture of numerical IPs and host
names in the %AllowedHosts hash.

Given the ambiguity of what CGI::remote_host() returns, you would
probably be better off using $ENV{REMOTE_ADDR}, which is guaranteed to
be numeric, and should be available whether you are using CGI.pm or not.

Or you could use CGI->remote_addr, although it seems to be undocumented
(I presume this is an oversight in the documentation). The advantage of
using CGI.pm methods (other than it being cleaner) is that if you ever
move to an environment that isn't CGI but that CGI.pm supports (like
FastCGI) everything will carry on working.

Ben
 
