[RESOLVED] Redirect on every request verb, except GET/POST

Bjom

Is this a good idea I wonder, or is there anything lurking, that would make it not advisable to use:

$allowedHttpVerbs = array('GET', 'POST');
if (isset($_SERVER['REQUEST_METHOD'])) {
	if (!in_array($_SERVER['REQUEST_METHOD'],$allowedHttpVerbs)) {
		header(sprintf('Location: %s', 'http://localhost:8080/applications/dataentry/views/scripts/loginfailed.php'));
		exit;
	}
}
echo $_SERVER['REQUEST_METHOD'];
exit;

dagon

i would check for the specific post\get vars that i'm using. your allowing any and all.

Bjom

Any and all vars, yes. It could be a next step to test for that.

This step would disallow forged headers that are either sent w/o a verb or that pass an arbitrary verb...

I'm not sure whether that really is an issue or whether enhances security to do such a redirect. I just came across the exploit me tools for firefox. The "access me" tool sends headers with a fake verb (seccom or some such thing).

So far the main benefit for me is that I can show off 4 out of 5 green results in that tool 😉

Bjom

dagon

a generic bit of code like that seems little point to me, in the real world.Ccheck for vars you do need and that they are in the expected range or are the right type.

Its possible a human or bot visitor sends a post or a get by mistake, so what, you don't want to discourage web traffic needlessly.

Weedpacket

It would seem to make more sense to have the web server do this using, e.g., Apache's <Limit> directive.

Bjom

Sounds like a good idea. I'll investigate - I don't have too much knowledge about setting up server directives yet.

For the time being I think I'll keep the code as an option. I it won't hurt to be able to do this in PHP when it's not possible to change the server directives.

ty guys!

Bjom

bradgrafelman

Also, why wouldn't you allow the HEAD verb as well?

Bjom

Actually I am not 100% sure what I'm doing there...so it might well be that the list is not complete.

Would the HEAD verb be necessary/advisable? So far I've only seen GET/POST on my pages even when they were plain HTML and no form was sent, so I had the impression that GET/POST was sufficient.

Bjom

bradgrafelman

Bjom wrote:
Would the HEAD verb be necessary/advisable?

I don't see why you wouldn't want to allow it. Plus, some search engines' bots/crawlers/etc. use HEAD requests in their crawling process.

Bjom

Ty good point. I need to do some reading on that one day. So I'll allow it if I want the page to get crawled and botted and can prevent this in other cases. Seems neat enough...

bradgrafelman

Well if you're looking to prevent (or otherwise control) crawlers, you'd use a robots.txt file (for the proper/nice crawlers that actually check and abide by this file).

Bjom

Thanks for the linkage. Quite useful indeed. Favorited it. (is that a word?)

The catch still is: "well-behaved" robots will follow the guideline - the others won't. And the ones that won't usually are the ones that you will want to block. I believe the only thing that will stop them is a restrictive login complete with captcha and everything (and that's what I'm trying to get together atm) and what the above code is part of.

Bjom