根据 HTML 表单的来源阻止对 CGI 脚本的访问

发布于 2024-10-05 03:50:57 字数 605 浏览 0 评论 0原文

我有一个由 MODx 提供支持的网站，该网站以表单为中心。仅限注册会员（由 MODx 处理）访问包含该表格的网页。用户填写一些文本条目，选择要上传的文件，然后点击提交。指定的动作是/cgi-bin下的submit.py CGI脚本，记录提交的信息并保存文件，并且完美执行。

我唯一担心的是任何表单（显然），如果他们为

操作属性指定正确的URL，似乎能够链接他们的表单到我的 CGI 脚本。这意味着他们可以在自己的页面上编写以下内容：

<form action="http://my-site.com/cgi-bin/submit.py">
    <!-- blah blah blah -->
</form>

并且数据将发送到我的 CGI 表单并进行处理（不良行为）。

我的问题是：有没有办法根据发送数据的 HTML 表单来限制脚本的执行？我是否遗漏了一些非常明显的东西？

我在网上搜索并发现了与 CSRF 稍微相关的问题，但是如果除了令牌身份验证之外还有其他方法可以防止未经授权使用 CGI 脚本，我很想听听。

原文

I have a website, powered by MODx, that is centered around a form. Access to the webpage with the form is restricted to registered members (handled by MODx). The user fills out a few text entries, selects a file for upload, then hits submit. The specified action is a submit.py CGI script under /cgi-bin that logs the submitted information and saves the file, and it executes perfectly.

The only concern I have is that any form (apparently), if they specify the right URL for the <form> action attribute, seems to be able to link their form to my CGI script. Meaning that they can write the following on their own page:

<form action="http://my-site.com/cgi-bin/submit.py">
    <!-- blah blah blah -->
</form>

and the data will be sent to my CGI form and processed (undesirable behavior).

My question is this: is there a way to restrict execution of the script based on the HTML form that sent the data? Am I missing something really obvious?

I've searched online and found a slightly related issue of CSRF, but if there's a way apart from token authentication to prevent unauthorized use of the CGI script, I would love to hear it.

分享到QQ

分享到微博