Re: The Dangers of Allowing Users to Post Images
From: Peter W <peterw () usa net>
Date: Fri, 15 Jun 2001 16:33:25 -0400
On Thu, Jun 14, 2001 at 09:12:05PM -0400, Chris Lambert wrote:
> would it be safe to check that if a referer is present, it contains the
> site's domain name, but if it isn't, it most likely wouldn't have been
> referenced in an <img> tag or
You mean it's safe/legitimate? No. Client-pull META tags generate requests
without Referers, as I've said a couple times in this thread, and in
previous Bugtraq discussions, too. :-)
If you don't see the Referer, you can't trust the request. Your best bet is
to lock out users who won't pass Referers.
Or at least, when you initialize a user session, note if they seem to be
passing Referer values. If they are, then you should certainly reject any
later request that seems to be theirs, but lacks a Referer header.
Note that in some cases, MSIE won't send a Referer if the TARGET of a link
is a different window, or that used to be the case.
This is messy.
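The two Referer policies described in this message (lock out clients that send no Referer, or note at session start whether a client passes Referer and reject later Referer-less requests from it), written out as an added example that is not part of the original post or thread. The host name `forum.example` and the session/request shapes are constructed for illustration. It also parses the Referer's host rather than doing the substring match asked about in the quoted question, since a substring check would accept a foreign URL that merely contains the site's name in its path.

```python
"""Referer-based check for state-changing requests (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

SITE_HOST = "forum.example"  # constructed placeholder for the site's own host


@dataclass
class Session:
    # None until the first request of the session has been observed.
    sends_referer: Optional[bool] = None


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Return the lower-cased host of a Referer URL, or None if absent or unparseable."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def referer_is_ours(referer: Optional[str], site_host: str = SITE_HOST) -> bool:
    """Accept only our own host or a subdomain of it.

    Compare the parsed host, not a substring: 'http://evil.example/forum.example'
    contains the site's name but its host is evil.example.
    """
    host = referer_host(referer)
    if host is None:
        return False
    return host == site_host or host.endswith("." + site_host)


def initialize_session(session: Session, referer: Optional[str]) -> None:
    """At session start, record whether this client appears to pass Referer at all."""
    session.sends_referer = referer is not None


def check_state_changing_request(session: Session, referer: Optional[str],
                                 strict: bool = True,
                                 site_host: str = SITE_HOST) -> str:
    """Return 'allow' or 'reject' for a request that would change server state.

    strict=True  : a missing Referer is always rejected (lock out clients that
                   won't pass Referers).
    strict=False : a missing Referer is rejected only for sessions that were
                   seen sending Referer when initialized.
    In both modes a Referer that is present must name our own host; a request
    pulled in by an <img> tag on another site carries that site's Referer and
    is therefore rejected.
    """
    if referer is None:
        if strict:
            return "reject"
        return "reject" if session.sends_referer else "allow"
    return "allow" if referer_is_ours(referer, site_host) else "reject"


if __name__ == "__main__":
    # Constructed walk-through: a client that sends Referer at login, then a
    # Referer-less request such as a client-pull META refresh would produce.
    s = Session()
    initialize_session(s, "http://forum.example/login")
    print(check_state_changing_request(s, None, strict=False))            # reject
    print(check_state_changing_request(s, "http://evil.example/forum.example"))  # reject
    print(check_state_changing_request(s, "http://forum.example/thread/42"))     # allow
```

The lenient mode still has the gap the message points out: a client that never sent a Referer (or a browser that drops it for a link opened in another window) is indistinguishable from a forged request, so `strict=True` is the only mode that actually refuses every Referer-less request.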