Blocking access to a CGI script based on the originating HTML form
I have a website, powered by MODx, that is centered around a form. Access to the webpage with the form is restricted to registered members (handled by MODx). The user fills out a few text entries, selects a file for upload, then hits submit. The specified action is a submit.py CGI script under /cgi-bin that logs the submitted information and saves the file, and it executes perfectly.
The only concern I have is that any form (apparently), if they specify the right URL for the <form> action attribute, seems to be able to link their form to my CGI script. Meaning that they can write the following on their own page:
<form action="http://my-site.com/cgi-bin/submit.py">
<!-- blah blah blah -->
</form>
and the data will be sent to my CGI form and processed (undesirable behavior).
My question is this: is there a way to restrict execution of the script based on the HTML form that sent the data? Am I missing something really obvious?
I've searched online and found a slightly related issue of CSRF, but if there's a way apart from token authentication to prevent unauthorized use of the CGI script, I would love to hear it.
Comments (1)
You can make a one-use token that must be sent with your form to ensure it is valid (this is what you mentioned).
Though this could be grabbed and sent as well.
Checking the referrer isn't useful because it is easily spoofed, or absent (some proxies filter it).
In short, without using the token to mitigate it, you are in trouble. Except everyone else on the web has this problem :)
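A server-side one-time token check of the kind the answer describes, as an added example (not the poster's submit.py and not MODx code). It assumes submit.py can read the logged-in member's session id from the MODx login cookie, that the form page embeds the issued token in a hidden field named csrf_token, and that a single-process store is acceptable; the secret is a constructed placeholder.

```python
import hashlib
import hmac
import os
import time

# Constructed placeholder secret; a real deployment loads it from config, not source.
SECRET = b"example-server-secret-do-not-reuse"
TOKEN_TTL = 600   # seconds a freshly issued token stays valid
_issued = {}      # nonce -> expiry; popped on use so each token is accepted exactly once


def issue_token(session_id, now=None):
    """Mint a one-time token bound to the member's session (assumed to come from the MODx cookie).
    The form page puts the result in <input type="hidden" name="csrf_token" value="...">."""
    now = time.time() if now is None else now
    nonce = os.urandom(16).hex()
    expiry = int(now) + TOKEN_TTL
    msg = f"{session_id}|{nonce}|{expiry}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    _issued[nonce] = expiry
    return f"{nonce}.{expiry}.{mac}"


def verify_token(token, session_id, now=None):
    """Accept only a token that is untampered, bound to this session, unexpired and never used."""
    now = time.time() if now is None else now
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False                      # malformed or missing
    msg = f"{session_id}|{nonce}|{expiry}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                      # forged, altered, or minted for another session
    if now > expiry:
        return False                      # stale token
    return _issued.pop(nonce, None) is not None   # unknown or already spent -> reject


def handle_submission(fields, session_id, now=None):
    """First thing submit.py does: reject a request lacking a valid token before saving any upload."""
    if not verify_token(fields.get("csrf_token", ""), session_id, now):
        return 403, "rejected: missing, forged, stale or reused token"
    return 200, "accepted"
```

A form hosted elsewhere cannot present a valid token because issuing one requires the member's own authenticated page load, which is the property the Referer check cannot give you.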