On Thu, Sep 10, 2020 at 7:59 AM Ken Fallon <k...@fallon.ie> wrote: > I applied a rewrite rule as shown here > > https://blog.paranoidpenguin.net/2018/12/how-to-remove-facebooks-fbclid-parameter-using-mod_rewrite-on-apache-2-4/ > > So now facebook links will work. > > The biggest issues I see using rewrite rules are their brittleness and maintainability. If we decide that Facebook is going to be the only site on the acceptable list and rewrite their parameters out, then this is fine. Maybe adding one or two others if they seem to be a big source of legitimate traffic, won't be a problem, but if any of them changes their parameter name, then the rewrite breaks, and needs to be updated. The bigger the list the more maintenance.
> >> Wouldn't accepting parameters from others pose a security problem? I > >> tend to think it expands the attack surface. > As Ken points out, we already sanitize the parameters, and treat any extra as an attack. I assume the above rewrite rule occurs before the php sanitization code, which now allows it to pass. Would a more generic solution be to modify the sanitize function to just drop invalid parameters, log as potential attack, and then do a redirect from php with just the valid parameters, or just show the page using the validated parameters?
_______________________________________________ Hpr mailing list Hpr@hackerpublicradio.org http://hackerpublicradio.org/mailman/listinfo/hpr_hackerpublicradio.org
