
Re: lynx-dev http_referer bug?


From: Klaus Weide
Subject: Re: lynx-dev http_referer bug?
Date: Wed, 5 May 1999 10:53:49 -0500 (CDT)

On Mon, 3 May 1999, 914 wrote:

> Hiya..  
> 
> i am sorta the admin for a large chat site, http:/bianca.com
> 
> and we have been trying to make sure our code is accessible as
> possible, to include Lynx.
> 
> BUT..  recently i made some changes, i enforced a check against
> HTTP_REFERER to ensure that all POST operations were coming from
> within the bianca.com domain. (we'd had problems with folk modifying
> our forms for bad purposes)

I hope you are aware that it doesn't really prevent anyone from
pursuing their 'bad purposes', it just makes it a bit harder.

That's in addition to breaking your site for clients that don't
set referer the same way as other clients...

> using Lynx 2.8.1rel2 at the public Lynx gateway of:
> telnet://lynx.bob.bofh.org/
> 
> 
> since my software checks the HTTP_REFERER, i decided to do some
> tests with the publicly available cgi-env checker at:
> http://cache.jp.apan.net/cgi-bin/proxy-checker/showenv.cgi 
> 
> IF i go there directly with Lynx, there is no HTTP_REFERER field
> (normal behaviour)
> 
> IF i hit one of my chats (it works the same in all, tried it) at:
> http://bathroom.bianca.com/cgi-bin/bchat/shack/bathroom/cs
> i can make exactly ONE post (form submit)
> 
> IF i post the link to the cgi-checker, and go to the chat, and
> follow the link, *without* making a form submit on the bianca.com
> page, the HTTP_REFERER env variable is correctly shown as
> http://bathroom.bianca..etc
> 
> IF i go to the room, and make my one post, then on page load, follow
> the link to the cgi-checker, there is no HTTP_REFERER!
> 
> So, it seems that Lynx (at least 2.8.1Rel2) can provide the correct
> http_referer for the first form submit, but it is wiped out
> thereafter..

I didn't follow your testing description in detail; it just seems
that since you are involving an external checker script you may
be changing the very thing you want to observe.

You should let us know where you are in your lynx session
before and after the retrieval action that seems to fail.
The easiest way to share that information would be to send
the contents of the INFO ('=') page invoked from both states.

If the retrieval action is from a URL with a query part (URL contains
a '?'), newer versions of Lynx don't send a referer at all, to prevent
sharing of potentially private information.  It has already been
suggested to change the code for that (maybe send only part of the URL),
but AFAIK it hasn't been done.  It's not clear whether this applies
in your case (so send those URLs).

You can also turn TRACE on (^T) on the public gateway, but output
is intermixed with normal screen output.  However it may help understand
what's going on.  For more serious checking you should probably be
running Lynx locally.


   Klaus
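The Referer check the admin describes and the Lynx behaviour Klaus explains (no Referer at all when the referring URL has a query part), as an added example in Python that is not part of the thread, of Lynx, or of the bianca.com site. The chat URL is the one quoted in the message; the reloaded URL with a query part and all function names are constructed assumptions for illustration.

```python
# Added example, not code from Lynx or from the bianca.com site.
# Models the Referer check quoted in the thread and the Lynx behaviour Klaus
# describes. CHAT_PAGE is the URL quoted in the message; CHAT_PAGE_AFTER_POST
# (a reload with a query part) is a constructed assumption, since the thread
# leaves open whether that is what happened. Function names are hypothetical.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ALLOWED_DOMAINS = ("bianca.com",)
CHAT_PAGE = "http://bathroom.bianca.com/cgi-bin/bchat/shack/bathroom/cs"
CHAT_PAGE_AFTER_POST = CHAT_PAGE + "?room=bathroom"  # constructed, see above


def lynx_referer(current_url: str) -> Optional[str]:
    """Referer a (then) newer Lynx sends when following a link or submitting a
    form from current_url: none at all if the URL has a query part ('?'),
    because the query may carry private data. Otherwise the full URL."""
    return None if urlsplit(current_url).query else current_url


def referer_in_domain(referer: Optional[str]) -> bool:
    """Strict check from the quoted message: a Referer must be present and its
    host must be the allowed domain or one of its subdomains. The suffix test
    includes the dot so a longer host that merely contains the domain name
    does not match."""
    if referer is None:
        return False
    host = urlsplit(referer).hostname or ""  # already lower-cased by urlsplit
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def post_allowed(headers: Dict[str, str], allow_missing: bool = False) -> bool:
    """Server-side decision. Referer is client-supplied, so this only rejects
    requests that announce a foreign origin; with allow_missing=True a client
    that omits the header for privacy reasons is not locked out as well."""
    referer = headers.get("Referer")
    return allow_missing if referer is None else referer_in_domain(referer)


def simulate_lynx_session(allow_missing: bool = False) -> List[bool]:
    """Replay the reported symptom: one POST from the plain chat URL, then a
    second POST from the reloaded page. Returns whether each POST was accepted."""
    results = []
    for page in (CHAT_PAGE, CHAT_PAGE_AFTER_POST):
        headers: Dict[str, str] = {}
        sent = lynx_referer(page)
        if sent is not None:
            headers["Referer"] = sent
        results.append(post_allowed(headers, allow_missing))
    return results  # strict: [True, False]; allow_missing: [True, True]
```

With the strict check the simulated session gets exactly one accepted post, matching the report; treating a missing Referer as "no evidence of a foreign origin" rather than as a failure keeps such clients working while still rejecting mismatching origins.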

