Tuesday, August 18, 2009 at 7:34 PM.
newsRiverSuite.wsfMasterControl
on wsfMasterControl (pta) {
	<<Changes
		<<1/25/06; 7:43:00 AM by DW
			<<Where do you want to go today?
			<<Called from webserver.responders.websiteFramework.methods.any
			<<We return true if we handled the request, false to let it pass through.
	local (adrdata = newsRiverSuite.init ());
	bundle { //set pta^.flSameMachine
		pta^.flSameMachine = false;
		if string.lower (pta^.client) == "localhost" {
			pta^.flSameMachine = true}
		else {
			if pta^.client == "127.0.0.1" {
				pta^.flSameMachine = true}
			else {
				try {pta^.flSameMachine = tcp.equalNames (pta^.client, tcp.myDottedID ())}}}};
	<<scratchpad.wsfmasterparams = pta^
	try {
		on getHostFromReferer (referer) {
			local (urllist, host);
			try {
				urllist = string.urlsplit (pta^.requestHeaders.referer)}
			else {
				urllist = string.urlsplit (pta^.requestHeaders.referer + "/")};
			host = urllist [2];
			if host contains ":" {
				host = string.nthField (host, ":", 1)};
			return (host)};
		if pta^.flSameMachine {
			if pta^.method == "POST" { //hole closed, 1/18/02 DW
				local (refererhost = getHostFromReferer (pta^.requestHeaders.referer));
				if refererhost != "127.0.0.1" {
					if string.lower (refererhost) != "localhost" {
						scriptError ("Access denied.")}}};
			return (false)}; //process the request without security
		if not adrdata^.newsRiver.security.allowRemoteViewing {
			scriptError ("Access denied.")};
		if pta^.method == "POST" {
			if not adrdata^.newsRiver.security.allowRemotePost {
				scriptError ("Access denied.")}};
		if adrdata^.newsRiver.security.requireRemoteLogin or (pta^.method == "POST") {
			local (flsecure = false);
			if webserver.util.parseAuth (pta) { //get username and password
				if string.lower (pta^.username) == string.lower (adrdata^.prefs.security.username) {
					if string (pta^.password) == string (adrdata^.prefs.security.password) {
						return (false)}}}; //go ahead and handle the request
			<<flsecure is never set to true, so any request that gets here is sent the challenge and the referer check below is not reached
			if not flsecure { //send challenge
				pta^.responseBody = webserver.util.buildErrorPage ("401 Unauthorized", "A valid username and password are required to access this page.");
				pta^.responseHeaders.["WWW-Authenticate"] = "Basic realm=\"Admin\"";
				pta^.code = 401;
				return (true)};
			if pta^.method == "POST" { //1/23/02 JES: check non-local referers
				try { //some users behind proxy servers can't do DNS lookups -- don't do a 500 Server Error
					local (refererhost = getHostFromReferer (pta^.requestHeaders.referer));
					if refererhost != tcp.dns.getMyDottedId () {
						if not tcp.equalNames (refererhost, tcp.dns.getMyDottedId ()) {
							scriptError ("Access denied.")}}}
				else { //check for local NAT IP addresses, as defined by ICANN
					<<Reference: http://www.riverstonenet.com/technology/nat.shtml
					local (myIp = tcp.dns.getMyDottedId ());
					if myIp beginsWith "10." { //10.x.x.x is ok. (Class A)
						return (true)};
					if myIp beginsWith "172." { //172.16.0.0 to 172.31.255.255 are ok. (Class B)
						local (x = number (string.nthField (myIp, ".", 2)));
						if x >= 16 and x <= 31 {
							return (true)}};
					if myIp beginsWith "192.168." { //192.168.x.x is ok. (Class C)
						return (true)};
					scriptError ("Access denied.")}}}}
	else {
		pta^.responseBody = webserver.util.buildErrorPage ("403 Forbidden", "Access denied.");
		pta^.code = 403;
		return (true)}} //we handled the wsf request
This listing is for code that runs in the OPML Editor environment. I created these listings because I wanted the search engines to index it, so that when I want to look up something in my codebase I don't have to use the much slower search functionality in my object database. Dave Winer.