RE: Foreign upload form disallowed, Max Steiner, 04-29-2006

Header suppressed by Zone Alarm Pro

by Roger Harris, April 29, 2006 18:31

There is a standard HTTP header named HTTP_REFERER that browsers normally send with requests, which contains the URL of the page where the active link was loaded -- e.g. in this case when an upload is submitted, the URL of your upload form. ODBscript was originally written to check this header to verify that the upload form was actually loaded from your site (to prevent someone from uploading files using an edited version of your form, since the form can specify things like the upload directory and the maximum size).

For some reason, Zone Alarm Pro (and perhaps some other firewalls) thinks that you need to be able to suppress sending this header (and in fact, that may be the default setting). This is really a violation of HTTP standards and serves no reasonable security purpose that I can think of, but that causes the error you're seeing: When that header isn't sent or doesn't contain your site's domain name, ODBscript outputs that error message.

The only way to avoid that error in the current version -- other than requiring users to turn off that setting in Zone Alarm Pro -- is to use an odb_upload.ini file, which can contain various parameters to control uploading (see the Users Guide for more details). One of the parameters is named check_referer, which allows you to turn off the header checking with a line like this:

check_referer = N
(Note that the "referer" misspelling is intentional, to match the misspelling of the HTTP header, which should have been named HTTP_REFERRER, but oh well... ;-)
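As an added illustration (example code written for this page, not ODBscript's own implementation), the following Python sketch models the check the reply describes: an upload handler compares the host in the Referer header with the site's own host, and an ini-style setting `check_referer = N` turns the check off for clients whose firewall strips the header. The site host, the `headers` dict (CGI would expose the same value as the `HTTP_REFERER` environment variable) and the ini parsing are assumptions made for the example.

```python
"""Illustrative Referer check for an upload form handler (added example).

Not ODBscript's code. Models the behaviour described in the reply: compare
the Referer header on an upload request with the site host, and let an
ini-style setting (check_referer = N) disable the check.
"""
from urllib.parse import urlsplit

# Assumed site host for the example (constructed value).
SITE_HOST = "www.example.com"

# Constructed sample of an ini file carrying the line from the reply.
SAMPLE_INI = """
; odb_upload.ini (constructed sample)
check_referer = N
"""


def parse_ini(text):
    """Parse simple 'key = value' lines; keys are lower-cased (assumed format)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def check_enabled(settings):
    """The check stays on unless the ini explicitly says check_referer = N."""
    return settings.get("check_referer", "Y").strip().upper() != "N"


def referer_allowed(headers, site_host=SITE_HOST, check_referer=True):
    """Return (ok, reason) for an upload request.

    The Referer host is compared with the site host exactly rather than with
    a substring test, so a host that merely contains the site name is not
    accepted. A missing header is rejected while the check is enabled, which
    is the error the reply describes for clients that suppress the header.
    """
    if not check_referer:
        return True, "referer check disabled in ini"
    referer = headers.get("Referer") or headers.get("referer")
    if not referer:
        return False, "no Referer header (suppressed by browser or firewall)"
    host = urlsplit(referer).hostname
    if host is None:
        return False, "Referer is not a valid URL"
    if host.lower() != site_host.lower():
        return False, "Referer host %r is not the site host" % host
    return True, "Referer matches site"


if __name__ == "__main__":
    # Constructed requests: one from the site's own form, one with no header.
    print(referer_allowed({"Referer": "http://www.example.com/upload.html"}))
    print(referer_allowed({}))
    settings = parse_ini(SAMPLE_INI)
    print(referer_allowed({}, check_referer=check_enabled(settings)))
```

Because the Referer header is supplied by the client, this check only distinguishes ordinary browser submissions from a form loaded elsewhere; the upload directory and size limits still need to be enforced on the server regardless of what the form claims.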
