[clue-tech] HTTP method specifications

Angelo Bertolli angelo at freeshell.org
Fri Nov 25 15:15:27 MST 2005


Jed S. Baer wrote:

>On Fri, 25 Nov 2005 14:22:31 -0700
>Matt Gushee wrote:
>
>>Jed S. Baer wrote:
>>
>>>So, I'm looking for a good description of how the HTTP post
>>>specification works. Something other than the W3C RFC.
>>
>>? Last I heard there was no such thing as a W3C RFC. Do you mean the
>>IETF RFC (which I suppose might be mirrored at w3c.org) or some other
>>W3C doc?
>>
>>But I guess it isn't all that important which specific docs you *don't*
>>want. But when you say "how the ... specification works," do you really
>>mean a more in-depth discussion of the specification itself, or are you
>>talking about implementations? In which case the answers are probably
>>buried somewhere in the vastness of Apache and/or PHP docs.
>>
>>In any case, I wonder if a better understanding of POST per se is really
>>what you need. It seems like your real problem is a higher-level (dare I
>>say semantic?) one. POST is just a way for the server to receive an
>>"entity" (AKA document) containing various parameters, and it seems to
>>me the issue is how to detect badly-behaving users based on the values
>>of those parameters.
>
>Well ... wonderful wording on my part. My hypothesis at this point is that
>some twit(s) is simply sending up a mime-encapsulated SMTP envelope as
>POST data. So I need two things. 1) how to get access to the raw POST
>data, and 2) sufficient info on how POST data is (supposed to be)
>implemented to be able to take it apart. Might be that it's simple enough
>that I can just look at it and see what's there. Might be that I'm
>approaching it from the wrong end too. The PHP $_POST array isn't useful
>for this, as its contents are post-processing by PHP.
>
What kind of script do you have that's handling the submission?  Does it
know how to handle mime-encapsulated data?  More likely, whoever is
doing it is just submitting the post variables as defined in your HTML
page.  If you want to stop them, check the HTTP Referer in your script.
I bet they don't set it.  Anything that is Refer'd to your script from
something other than the submission page (or HTTP HOST) should be
rejected.  Just grab $_SERVER['HTTP_REFERER'].  That's what I did when I
had this problem... unfortunately it was at a different company and I
don't have any of the info on it anymore.

While you're at it, it might help to implement some logging.  Here is 
what I log:

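// Client address as seen by the web server
$clientip = $_SERVER['REMOTE_ADDR'];
// The Referer header is optional, so guard against it being unset
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$timestamp = time();
// Human-readable form of the same timestamp
$date = date("h:i A l F dS, Y", $timestamp);
$servername = $_SERVER['SERVER_NAME'];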

Angelo

_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech
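
The Referer check and logging suggested in the message above, combined with a check for mail headers embedded in POST values (the hypothesis in the quoted text), as an added example that is not part of the original message or the poster's code. Function names and sample values are constructed for illustration; the Referer header is client-supplied, so a mismatch is a rejection signal while a match authenticates nothing.

```php
<?php
// Added example, not from the original thread. Function names are hypothetical.

// True when the Referer's host equals the host this request was sent to.
// The Referer header is client-supplied: a missing or foreign value is a
// useful signal, but a matching value proves nothing by itself.
function referer_host_matches($referer, $httpHost) {
    $refHost = parse_url((string)$referer, PHP_URL_HOST);
    $ownHost = preg_replace('/:\d+$/', '', (string)$httpHost); // drop :port
    return is_string($refHost) && strcasecmp($refHost, $ownHost) === 0;
}

// Names of fields whose value contains a line break followed by a mail or
// MIME header, i.e. message structure smuggled into a form value.
function fields_with_mail_headers(array $post) {
    $pattern = '/[\r\n]\s*(to|cc|bcc|subject|content-type|mime-version)\s*:/i';
    $hits = array();
    foreach ($post as $name => $value) {
        if (is_string($value) && preg_match($pattern, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Decide whether to accept the submission and build one log line for it.
function inspect_submission(array $server, array $post, $rawBody) {
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    $refOk = referer_host_matches($referer, $host);
    $bad = fields_with_mail_headers($post);
    $accept = $refOk && count($bad) === 0;
    $log = sprintf('%s ip=%s referer=%s referer_ok=%s header_fields=%s body_sha1=%s',
        $accept ? 'ACCEPT' : 'REJECT', $server['REMOTE_ADDR'],
        json_encode($referer), $refOk ? 'yes' : 'no',
        implode(',', $bad), sha1($rawBody));
    return array('accept' => $accept, 'log' => $log);
}

// Constructed sample: no Referer, and an "email" value carrying extra headers.
$server = array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_HOST' => 'www.example.org');
$post = array('name' => 'x',
    'email' => "a@example.org\r\nContent-Type: multipart/mixed\r\nbcc: b@example.org");
// In a live handler use $_SERVER, $_POST and file_get_contents('php://input').
$result = inspect_submission($server, $post, http_build_query($post));
echo $result['log'], "\n";
```

In a live handler, `php://input` returns the raw request body for URL-encoded forms but is not available for `multipart/form-data` submissions.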


