On 2020-09-09 11:15, Cedric De Vroey via Hpr wrote:
> Hi all,
>
> I'm pretty new so I'm not sure if this topic has already been discussed,

http://hackerpublicradio.org/pipermail/hpr_hackerpublicradio.org/2020-August/014778.html

> but I have noticed some weird things while trying to link to HPR ..
> social media accounts. When I share a link on facebook pointing towards
> my correspondent page
> http://hackerpublicradio.org/correspondents.php?hostid=387 then the user
> still ends up on Droops page (correspondent ID 1) because facebook adds
> this
> "&fbclid=IwAR3C2yjdET6JY9JSfLdGzlfUprlow6GoYbnkDf8noMUTS30GbLkKgLl13z8"
> to the url and the CMS behind HPR seems unable to handle this.

The weird thing is that facebook is adding a parameter to someone else's website url. Please ask Facebook not to send additional query parameters to websites that they do not own. I know of cases where people were prosecuted for adding parameters like that to websites as it was considered a hacking attempt.

>
> What I guess is happening is that the url mapping scheme behind the
> correspondents page can only handle 1 parameter in the url. Once you add
> any other parameter to the url next to hostid you see the same behavior.
> I also noticed that if hostid is missing but any other parameter is
> there on the correspondents page url like
> /correspondents.php?whatever=foobar then we get a funky error:
> image.png
>

All the pages on HPR know exactly what is allowed, what format it is. We will accept only the parameters that we require, and nothing else. We treat anyone sending additional parameters as a hostile agent and log it as an attack, the session is deliberately delayed, and they are removed from my holiday card list.

> If you need help debugging the code and fixing this let me know.

So far there have been 253 attempts and only 1 for gclid

Seriously though, if this is something that we need to support I would like to hear from the community on this. I'm not sure how this "feature" would sit with our community

https://fbclid.com/
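The strict policy described in the reply above (accept only the parameters a page requires, in the format it requires, and count everything else by name), as an added Python sketch. It is not HPR's code: the allowlist table, the five-digit limit on hostid, the verdict names and the sample URLs are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumed allowlist: page path -> {parameter name: required format}.
ALLOWED = {"/correspondents.php": {"hostid": re.compile(r"[0-9]{1,5}")}}

def check_request(url, rejected=None):
    """Return (verdict, params); params is empty unless the verdict is 'ok'."""
    parts = urlsplit(url)
    spec = ALLOWED.get(parts.path)
    if spec is None:
        return "unknown_page", {}
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    extras = [name for name in names if name not in spec]
    if extras:
        # Anything outside the allowlist is refused and counted by name.
        if rejected is not None:
            rejected.update(extras)
        return "unexpected_param", {}
    if len(names) != len(set(names)):
        return "duplicate_param", {}  # hostid=1&hostid=2 is ambiguous
    params = dict(pairs)
    for name, pattern in spec.items():
        if name not in params:
            return "missing_param", {}
        if not pattern.fullmatch(params[name]):
            return "bad_format", {}
    return "ok", params

# Constructed sample requests (tracking values are placeholders).
BASE = "http://hackerpublicradio.org/correspondents.php"
SAMPLE_URLS = [
    BASE + "?hostid=387",
    BASE + "?hostid=387&fbclid=PLACEHOLDER",
    BASE + "?hostid=387&gclid=PLACEHOLDER",
    BASE + "?whatever=foobar",
    BASE + "?hostid=abc",
    BASE + "?hostid=1&hostid=2",
    BASE,
]

def summarize(urls):
    """Return (verdict counts, rejected parameter-name counts)."""
    rejected = Counter()
    verdicts = Counter(check_request(u, rejected)[0] for u in urls)
    return verdicts, rejected

if __name__ == "__main__":
    print(*summarize(SAMPLE_URLS), sep="\n")
```

Under this policy a link shared through a service that appends a tracking parameter is refused outright rather than served with the extra parameter ignored, which is the trade-off the thread is asking the community about.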
