Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images


From: Peter W <peterw () usa net>
Date: Fri, 15 Jun 2001 16:33:25 -0400

On Thu, Jun 14, 2001 at 09:12:05PM -0400, Chris Lambert wrote:

> would it be safe to check
> that if a referer is present, it contains the site's domain name,

Yes.

> but if it
> isn't, it most likely wouldn't have been referenced in an <img> tag or
> submitted via JavaScript?

You mean it's safe/legitimate? No. Client-pull META tags generate requests
without Referers, as I've said a couple times in this thread, and in
previous Bugtraq discussions, too. :-)

If you don't see the Referer, you can't trust the request. Your best bet is 
to lock out users who won't pass Referers.

Or at least, when you initialize a user session, note if they seem to be
passing Referer values. If they are, then you should certainly reject any
later request that seems to be theirs, but lacks a Referer header.

Note that in some cases, MSIE won't send a Referer if the TARGET of a link 
is a different window, or that used to be the case. 

This is messy.

-Peter
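
Added example, not part of the original message and not the poster's code: a sketch of the Referer policy discussed above, with a strict mode (lock out clients that send no Referer) and a per-session mode (record at session start whether the client sends Referers, then reject later requests that lack one). Assumptions: the host name `forum.example`, the dict-based session and headers, and the `strict` flag are hypothetical; the check compares the Referer's host exactly rather than testing that it "contains" the domain, since a substring test also matches hosts such as `forum.example.other.test`; and letting through sessions that never sent a Referer in non-strict mode is this example's choice.

```python
from urllib.parse import urlsplit

SITE_HOST = "forum.example"  # assumed placeholder for the site's own host


def referer_is_ours(referer):
    """True only when the Referer URL's host is exactly our host."""
    try:
        host = urlsplit(referer).hostname  # lowercased by urlsplit
    except ValueError:                     # malformed URL, e.g. "http://["
        return False
    return host == SITE_HOST


def start_session(session, headers):
    """At session initialization, note whether this client passes Referers."""
    session["sends_referer"] = bool(headers.get("Referer"))


def allow_state_change(session, headers, strict=True):
    """Decide whether a state-changing request may proceed.

    strict=True : any request without a Referer is refused.
    strict=False: a missing Referer is tolerated only for sessions that
                  did not send one at session start (assumed behaviour).
    """
    referer = headers.get("Referer")
    if referer:
        return referer_is_ours(referer)
    if strict or session.get("sends_referer"):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests: headers as plain dicts.
    s = {}
    start_session(s, {"Referer": "http://forum.example/index"})
    for hdrs in ({"Referer": "http://forum.example/profile"},
                 {"Referer": "http://forum.example.other.test/"},
                 {"Referer": "http://other.test/?forum.example"},
                 {}):
        print(hdrs, "->", allow_state_change(s, hdrs, strict=False))
```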

