Re: [SLUG] Apache mod_perl handlers

From: btt@nethouse.com
Date: Thu May 29 2003 - 06:54:12 EDT


On Thu, May 29, 2003 at 12:57:18AM -0400, Dylan William Hardison wrote:
> I'm writing an Apache module to process requested .html files with
> the Template Toolkit. In one of the template files, I use
> $r->status(HTTP_FORBIDDEN), when the HTTP referer doesn't match the
> hostname. I could just make the page say "Forbidden. You're a bad
> person!" But I thought it would be nicer (g) to set 403 page
> forbidden thingy.

Ah, I see... that would work fine, I think.

I suppose another way (not that this is better... just an example...)
is to use a PerlAccessHandler subroutine to check the referrer and set
the 403 code and return a custom response. It would go something like:

in httpd.conf, somewhere:
PerlAccessHandler Module::accesshandler

--
in Module.pm

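package Module;
use Apache::Constants qw(OK FORBIDDEN);   # mod_perl 1 handler return codes

sub accesshandler {
    my $r = shift;

    # Body sent with the 403 (heredoc terminator must stay in column 0)
    my $template = <<EOF;
..page to display in case of 403...
..i suppose it could come from TT's process()...
EOF

    # Allow the request only when the Referer header matches
    if (($r->header_in('Referer') || '') =~ m/goodreferer/) {
        return OK;
    } else {
        $r->custom_response(FORBIDDEN,$template);
        return FORBIDDEN;
    }
}

1;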

..or thereabouts... I believe that one advantage to this is that since at this point in the request phase (the accesshandler part), there is only a minimal %ENV set up, so you'd be saving on some processing time.. but that savings doesn't seem much unless maybe there are some other behind-the-scenes advantages that I don't know about.

And too, it is pretty easy to engineer a request to circumvent referer-based access control. Like with lib-www-perl GET utility, someone could do something like:

GET -H 'Referer: http://anyoldreferersite.com/' http://yoursite.com/

and bingo...

Anyhoo... hope this info was mildly useful :)

> The problem happens when I set the status with $r->status and my
> handler returns OK.
>
> Apache::Registry has given me a hint, it does the following:
>
> --- Apache/Registry.pm ---
> my $old_status = $r->status;
>
> # ... lots of other stuff.
>
> return $r->status($old_status);
> --- end ---
>
> So, I'm going to do that, I guess.
>
> Also, OK != HTTP_OK. OK == 0, and HTTP_OK is, of course,
> 200.
>
> Thanks anyway. :)
>
> On Thursday, May 29, 2003 at 01:10AM -0400, btt@nethouse.com wrote:
> > Hey there,
> >
> > I've used perl handlers in Apache a couple of times. In those
> > couple of times, I've never needed to call $r->status() either to
> > set or get the current status code. I would always just return the
> > http response code in symbolic form (from Apache::Constants) right
> > from the handler subroutine.
> >
> > I guess there's probably a very specific use for $r->status(), but
> > sure beats me what it could be... maybe it is one of those
> > 'because you can' functions. :)
> >
> > Well I hope this answered the question, i was a little unclear on
> > what exactly you're trying to do...
> >
> > Cheers..
> >
>
> --
> Bad men live that they may eat and drink, whereas good men eat and
> drink that they may live.
>     -- Socrates
> GPG Fingerprint=D67D 2B75 53C6 9769 30E4 D390 239F C833 F32C F6F6
> GPG KeyID=F32CF6F6
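Added example, not part of the original thread or either poster's code: the Referer check from the message next to a check on a value the server signed itself, so the difference the message points out (the client chooses the Referer header) is visible in the results. The token format, the function names, the secret and the sample request values are all assumptions constructed for this illustration; it runs with core Perl and needs no Apache.

```perl
#!/usr/bin/perl
# Added illustration; every name and value below is constructed.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-secret';   # assumption: key held only by the server

# The check from the thread: it trusts a header the client chooses.
sub referer_allows {
    my ($headers) = @_;
    my $ref = $headers->{Referer};
    return defined($ref) && $ref =~ m/goodreferer/ ? 1 : 0;
}

# The server hands this out with a link: "<expiry>.<hmac(path|expiry)>".
sub issue_token {
    my ($path, $expires) = @_;
    return $expires . '.' . hmac_sha256_hex("$path|$expires", $SECRET);
}

# Hardened check: accept only a value the server signed, for this path,
# and only until it expires.
sub token_allows {
    my ($path, $token, $now) = @_;
    return 0 unless defined $token && $token =~ /\A(\d+)\.([0-9a-f]{64})\z/;
    my ($expires, $mac) = ($1, $2);
    return 0 if $now > $expires;
    my $want = hmac_sha256_hex("$path|$expires", $SECRET);
    # Compare every character; no early exit on the first difference.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

my $now    = 1_054_200_000;                                 # constructed clock value
my %forged = (Referer => 'http://goodreferer.example/');    # header set by the client
my $good   = issue_token('/page.html', $now + 300);
my $madeup = '9999999999.' . ('0' x 64);                    # well-formed but unsigned

printf "referer check, client-supplied header: %d\n", referer_allows(\%forged);
printf "token check, no token:                 %d\n", token_allows('/page.html', undef, $now);
printf "token check, made-up token:            %d\n", token_allows('/page.html', $madeup, $now);
printf "token check, server-issued token:      %d\n", token_allows('/page.html', $good, $now);
printf "token check, token after expiry:       %d\n", token_allows('/page.html', $good, $now + 301);
printf "token check, token on another path:    %d\n", token_allows('/other.html', $good, $now);
```

In a PerlAccessHandler the two 0/1 results would map to the FORBIDDEN and OK return codes used in the message.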


