deadlock Message Board
[ November Full List | Post A Reply ]

Re: James, thy wish is (not) granted.
From Michael on 10 August '01
replying to Re: James, thy wish is (not) granted. posted by Jim

>
>>http://hotelinfoplus.com/toronto-ontari/bestwesternroeh.htm
>
>That's a plain old frames site. It's all the rage to remove the borders
>so you can't actually see the edges, but you're looking at the source
>code for a FRAMES index, all the same:
>
><FRAMESET BORDER="0" FRAMEBORDER="no" cols="100,*">
>

Yeah, but what if the frameset src refers to
"../Bubba.pl?Something" and the Perl script Bubba.pl checks the
URL? If Bubba.pl only displays output when the request is
referentially one layer too deep as in the framed example, yet
shuns requests like http://hotelinfoplus.com/cgi-bin/Bubba.pl,
then you can effectively prevent the user from viewing the
output. Note that you'd also need to code a "right mouse click"
handler in the framed output but that's not difficult. You'd
want to programmatically deny "GET /directpathtoCGI/Bubba.pl"
requests, only allowing the request if it looks like
"../Bubba.pl" and working it so that the frameset file is above
the script in this example.


Note that you could also add to this confusion an ISAPI filter
that will obsfucate the path on various conditions, only allowing
the request if it comes from your own frameset. The ISAPI filter
would fire off on the URL handler before the file is fetched,
changing the physical path behind the scenes.


Michael

[Or as they say, "I could write you one, but then I'd have to
charge you for it..."]




Your Reply

*Your name:
*Message subject:
Home page title:
Home page URL:
Email:
(if you'd like to receive automatic replies by email)