If the injected URL parameters should happen to collide with an accepted
parameter, then there could be unpredictable results. For example, if
HPR accepted the "Friends Being Cool Listeners In December" parameter:
http://hackerpublicradio.org/correspondents.php?hostid=387&fbclid=bobjonkman
but then Facebook appends another fbclid parameter and who knows what
would happen...
It is likely that Facebook's parameter encodes personally identifiable
data. The danger to privacy comes when someone copies the URL from
Facebook on another site that gathers Facebook stats. Now that other
site has information on who originally posted the link, and possibly who
copied it, and from 'referer' data, where it was posted to, and how
often it gets clicked on.
I think HPR's current behaviour (treat invalid parameters as an attack)
is correct, even if a bit drastic. Perhaps a more explanatory error
message would help educate people about this privacy issue, e.g. "412
Precondition Failed: The URL submitted contained invalid data, likely
added by commercial social media to track personal information. To
protect privacy, HPR rejects this URL."
--Bob.
On 2020-09-09 6:10 p.m., Cedric De Vroey via Hpr wrote:
On Wed, 9 Sep 2020 at 23:55, Kevin O'Brien <zwil...@zwilnik.com> wrote:
Wouldn't accepting parameters from others pose a security problem? I tend
to think it expands the attack surface.
No it doesn't really, as long as you use named parameters, and as long as
you implement proper sanitation on those parameters you should be fine from
a security perspective. However, there are privacy concerns that could be
made over this practice since it could be used to track users.
Regards,
--
Kevin B. O'Brien
z <ahuka5...@gmail.com>wil...@zwilnik.com
http://google.me/+kevinobrien
http://www.google.com/profiles/Ahuka5656
http://about.me/zwilnik
“People shouldn't be afraid of their government. Governments should be
afraid of their people.” - Alan Moore, *V for Vendetta*
*Public Key = F6283E7A <https://pgp.mit.edu/>*
On Wed, Sep 9, 2020 at 12:13 PM Ken Fallon <k...@fallon.ie> wrote:
On 2020-09-09 18:10, Cedric De Vroey via Hpr wrote:
Well, I guess those numbers are not that odd for anything that's
connected to the internet. My site is basically a static one-pager with
no possibilities for user input whatsoever and even that page gets
bombarded constantly (without effect). I mean, that's just how it is on
the internet these days I guess, it can be a rather hostile environment
at times :-)
Actually that's the ones that make it through Josh's bear traps ;-)
--
Regards,
Ken Fallon
http://kenfallon.com
http://hackerpublicradio.org/correspondents.php?hostid=30
_______________________________________________
Hpr mailing list
Hpr@hackerpublicradio.org
http://hackerpublicradio.org/mailman/listinfo/hpr_hackerpublicradio.org
--
Bob Jonkman <bjonk...@sobac.com> Phone: +1-519-635-9413
SOBAC Microcomputer Services http://sobac.com/sobac/
Software --- Office & Business Automation --- Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
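Added example (not HPR's code, and not from anyone in the thread) illustrating the two points Bob makes: what "unpredictable results" from a colliding parameter actually look like, and what a strict allowlist that answers with his suggested 412 text would do. It is written in Python rather than HPR's PHP so it runs stand-alone; the "hostid" name and the site URL come from the thread, while the ALLOWED_PARAMS allowlist, the check_query/duplicate_views function names and the fbclid values are assumptions for illustration. The parser behaviours it labels are real: Python's parse_qs keeps every value, PHP's $_GET keeps the last value for a bare repeated key, and Go's url.Values.Get returns the first.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed allowlist for illustration: the thread only shows
# correspondents.php taking a "hostid" parameter.
ALLOWED_PARAMS = frozenset({"hostid"})

# Bob's suggested wording from the thread, used verbatim.
REJECT_MESSAGE = (
    "412 Precondition Failed: The URL submitted contained invalid data, "
    "likely added by commercial social media to track personal information. "
    "To protect privacy, HPR rejects this URL."
)


def duplicate_views(query):
    """Show how the same repeated parameter is read by different parsers.

    'all'   keeps every value in order (Python's parse_qs, most multi-dicts)
    'last'  keeps the last value       (PHP's $_GET for a bare key without [])
    'first' keeps the first value      (e.g. Go's url.Values.Get)
    If the page reads one view and a front-end filter reads another, the
    "unpredictable results" Bob describes become a filter bypass.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    every, last, first = {}, {}, {}
    for key, value in pairs:
        every.setdefault(key, []).append(value)
        last[key] = value
        first.setdefault(key, value)
    return {"all": every, "last": last, "first": first}


def check_query(url, allowed=ALLOWED_PARAMS):
    """Strict allowlist check in the spirit of HPR's current behaviour.

    Returns (status, payload):
      200 and a dict of single-valued parameters when every name is allowed
          and none is repeated;
      412 and an error dict otherwise. Unknown names are rejected as
          tracking data; a repeated allowed name is rejected as ambiguous
          rather than silently picking first or last.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for key, value in pairs:
        if key not in allowed:
            return 412, {"error": REJECT_MESSAGE, "reason": "unknown", "param": key}
        if key in params:
            return 412, {"error": REJECT_MESSAGE, "reason": "duplicate", "param": key}
        params[key] = value
    return 200, params


if __name__ == "__main__":
    base = "http://hackerpublicradio.org/correspondents.php"
    # Constructed inputs: the fbclid values are made up, not real Facebook tokens.
    print(check_query(base + "?hostid=387"))
    print(check_query(base + "?hostid=387&fbclid=IwAR0example"))
    print(duplicate_views("hostid=387&fbclid=bobjonkman&fbclid=IwAR0example"))
    # Bob's hypothetical: even if HPR accepted fbclid itself, the collision
    # Facebook would create by appending its own copy is refused outright.
    print(check_query(base + "?hostid=387&fbclid=bobjonkman&fbclid=IwAR0example",
                      allowed={"hostid", "fbclid"}))
```

Two practitioner notes. First, rejecting a repeated allowed name (instead of picking first or last) is what removes the collision problem; an allowlist on names alone does not. Second, HTTP 412 is defined for failed conditional request headers (If-Match and friends); a server that wants to keep Bob's explanatory text would conventionally send it with a 400 Bad Request status, since intermediaries and clients may treat 412 specially.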