Monday, November 08, 2010 at 12:05 AM.

on firewall (pta) {
		<<4/21/02; 11:42:50 PM by JES
			<<Fixed a bug which would errorneously deny access when making a POST via the desktop website as accessed through the domain name instead of through its IP address.
		<<3/7/02; 10:07:38 PM by JES
			<<Follow address values when running callbacks.
		<<2/10/02; 12:36:47 PM by DW
			<<Added support for callbacks.
		<<2/10/02; 12:22:18 PM by DW
			<<Add support for callbacks.
		<<1/23/02; 12:59:03 PM by JES
			<<When checking referers for POST requests, allow requests through if the referer is non-local, and Radio's IP address is a standard NAT IP address. This fixes a problem where people running Radio with NAT and port forwarding could not POST remotely.
		<<1/22/02; 1:22:05 PM by DW
			<<Handle referers without trailing slash (e.g.
		<<1/21/02; 2:24:39 PM by JES
			<<Don't use tcp.equalNames when checking the referer on POSTs, because it failed for some proxy server users.
		<<1/18/02; 11:37:24 AM by DW
			<<Security issue: Closes a hole where a form appears on another site, and the user unknowingly posts to his Radio 8 site. With this fix, the referer on every post must be on the machine that Radio is running on, or a 500 server error is returned. More info, if available, will be posted here.
		<<1/7/02; 11:43:42 PM by JES
			<<If is false, and pta^.path begins with /system/ (case-insensitive), access is denied.
		<<7/26/01; 3:28:15 PM by JES
			<<Changed the logical interpretation of the security prefs. Here's the summary:
				<<If you're on the same machine as Radio, you are always allowed in.
				<<If allowRemoteViewing is false, you are never allowed in.
				<<If this is a POST, and allowRemotePost is false, you're not allowed.
				<<If requireRemoteLogin is true *or* this is a POST, you get an authentication challenge.
				<<If you fail authorization, you're not allowed.
		<<6/9/01; 2:38:09 PM by DW
			<<Created. Make sure the user is allowed to access.
			<<Two ways to return -- either by scriptError'ing, canceling the whole operation; or returning false which allows you to talk to the client for security authorization.
	bundle { //call the callbacks
		local (adr);
		for adr in {
			try {
				while typeOf (adr^) == addressType {
					adr = adr^};
				if adr^ (pta) {
					return (true)}}}};
	on getHostFromReferer (referer) {
		local (urllist, host);
		try {
			urllist = string.urlsplit (pta^.requestHeaders.referer)}
		else {
			urllist = string.urlsplit (pta^.requestHeaders.referer + "/")};
		host = urllist [2];
		if host contains ":" {
			host = string.nthField (host, ":", 1)};
		return (host)};
	if pta^.radioResponder.flSameMachine {
		if pta^.method == "POST" { //hole closed, 1/18/02 DW
			local (refererhost = getHostFromReferer (pta^.requestHeaders.referer));
			if refererhost != "" {
				if string.lower (refererhost) != "localhost" {
					scriptError ("Access denied.")}}};
		return (true)};
	if not {
		scriptError ("Access denied.")};
	if not {
		if string.lower (pta^.path) beginsWith ("/" + string.lower ( + "/") {
			scriptError ("Access denied.")}};
	if pta^.method == "POST" {
		if not {
			scriptError ("Access denied.")}};
	if or pta^.method == "POST" {
		local (flsecure = false);
		if webserver.util.parseAuth (pta) { //get username and password
			if string.lower (pta^.username) == string.lower ( {
				if string (pta^.password) == string ( {
					flsecure = true}}};
		if not flsecure { //send challenge
			pta^.responseBody = webserver.util.buildErrorPage ("401 Unauthorized", "A valid username and password are required to access this page.");
			pta^.responseHeaders.["WWW-Authenticate"] = "Basic realm=\"Admin\"";
			pta^.code = 401;
			return (false)};
		if pta^.method == "POST" { //1/23/02 JES: check non-local referers
			try { //some users behind proxy servers can't do DNS lookups -- don't do a 500 Server Error
				local (refererhost = getHostFromReferer (pta^.requestHeaders.referer));
				if refererhost != tcp.dns.getMyDottedId () {
					if not tcp.equalNames (refererhost, tcp.dns.getMyDottedId ()) {
						scriptError ("Access denied.")}}}
			else { //check for local NAT IP addresses, as defined by ICANN
				local (myIp = tcp.dns.getMyDottedId ());
				if myIp beginsWith "10." { //10.x.x.x is ok. (Class A)
					return (true)};
				if myIp beginsWith "172." { // to are ok. (Class B)
					local (x = number (string.nthField (myIp, ".", 2)));
					if x >= 0 and x <= 31 {
						return (true)}};
				if myIp beginsWith "192.168." { //192.168.x.x is ok. (Class C)
					return (true)};
				scriptError ("Access denied.")}}};
	return (true)}

This listing is for code that runs in the OPML Editor environment. I created these listings because I wanted the search engines to index it, so that when I want to look up something in my codebase I don't have to use the much slower search functionality in my object database. Dave Winer.