Re: $referrer = $_SERVER['HTTP_REFERER'] echo [message #181977 is a reply to message #181973]
Fri, 28 June 2013 20:37
Christoph Michael Becker
Thomas 'PointedEars' Lahn:
> Christoph Michael Becker wrote:
>
>> Thomas 'PointedEars' Lahn wrote:
>>> Christoph Michael Becker wrote:
>>>> Thomas 'PointedEars' Lahn wrote:
>>>> Anyway, the regular expression given in Appendix B of RFC 2396 *seems*
>>>> to be more permissive than the actual syntax given in Appendix A.
>>> Appendixes are not normative. Assuming relevance, in which way does it
>>> seem more permissive?
>>
>> The following example passes the regular expression in Appendix B of RFC
>> 2396, but it is not allowed according to Appendix A (if I'm not mistaken):
>>
>> http://http://example.com
>
> You are mistaken.
>
> <snipped proof>
Thank you very much for proving me wrong. :) (I had not thought about
the fact that a segment may be empty.)
> [Some day I'll write an automatic grammar resolver. And I should let
> other people prove their unfounded statements instead of going to lengths
> disproving them.]
My apologies for having bothered you. Actually I had thought about
writing a parser to check it myself, but I have only some experience
with Coco/R[1] which only processes LL(1) grammars. Lex/Yacc would have
been more useful in this case.
> These productions were probably not intended. But note that the section is
> titled “*Parsing* a URI Reference with a Regular Expression”, _not_
> “*Validating* a URI Reference”, and that URI References also include things
> like “javascript:window.alert("42");”.
>
>>>> I have not checked RFC 3986 regarding this issue yet.
>>>>
>>>> > But I would never check against the HTTP-Referer [sic!] in the first
>>>> > place. There are much more reliable solutions, like session variables.
>>>> > See also <https://owasp.org/>.
>>>>
>>>> ACK. OTOH I have some concerns regarding cookies (I do not "like" to
>>>> propagate session IDs as a GET parameter) due to the European cookie
>>>> law(s).
>>>
>>> Directive 95/46/EC does not apply here.
>>
>> I was referring to directive 2009/136/EC, which *might* apply.
>
> How?
Article 2 of the directive[2] §5 states:
| Article 5(3) shall be replaced by the following:
|
| ‘3. Member States shall ensure that the storing of information, or
| the gaining of access to information already stored, in the terminal
| equipment of a subscriber or user is only allowed on condition that
| the subscriber or user concerned has given his or her consent, having
| been provided with clear and comprehensive information, in accordance
| with Directive 95/46/EC, inter alia, about the purposes of the
| processing. This shall not prevent any technical storage or access
| for the sole purpose of carrying out the transmission of a
| communication over an electronic communications network, or as
| strictly necessary in order for the provider of an information
| society service explicitly requested by the subscriber or user to
| provide the service.’;
I assume that this concerns all kinds of HTTP cookies. In the given
case the cookie is probably not covered by the second sentence.
However, IANAL.
[1] <http://www.ssw.uni-linz.ac.at/coco/>
[2] <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF>
--
Christoph M. Becker
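Added example, not code from this thread (Python rather than the thread's PHP, so that the RFC regex can be run as-is). It covers both points discussed above: it parses the disputed reference `http://http://example.com` with the Appendix B regular expression of RFC 2396 (RFC 3986 Appendix B carries the same one), checks the resulting components against the Appendix A productions that decide the case (scheme, hostport with an empty port, abs_path with an empty first segment; userinfo, reg_name, IPv4address and the query part are left out as a simplification), and then contrasts a substring check on the client-supplied Referer with the session-variable approach PointedEars recommends. The function names `parse_uri_reference`, `valid_net_path_uri`, `referer_host`, `naive_referer_check`, `issue_csrf_token`, `csrf_token_valid` and `csrf_roundtrip_demo` are my own.

```python
import hmac
import re
import secrets

# Regular expression from Appendix B of RFC 2396 (RFC 3986 Appendix B has
# the same one). Groups 2, 4, 5, 7 and 9 are scheme, authority, path, query
# and fragment. Every group is optional, so it matches any string at all:
# it parses a reference, it does not validate one.
URI_REFERENCE_RE = re.compile(
    r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?"
)

# The Appendix A productions the disputed example depends on.
# scheme   = alpha *( alpha | digit | "+" | "-" | "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+\-.]*")
# hostport = host [ ":" port ] ; port = *digit  (an empty port is legal)
# host is simplified to hostname here; IPv4address is omitted.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_TOPLABEL = r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTPORT_RE = re.compile(rf"(?:{_LABEL}\.)*{_TOPLABEL}\.?(?::[0-9]*)?")
# abs_path      = "/" path_segments
# path_segments = segment *( "/" segment )
# segment       = *pchar *( ";" param )   (so a segment may be empty)
_PCHAR = r"(?:[A-Za-z0-9\-_.!~*'():@&=+$,]|%[0-9A-Fa-f]{2})"
_SEGMENT = rf"(?:{_PCHAR}|;)*"
ABS_PATH_RE = re.compile(rf"/{_SEGMENT}(?:/{_SEGMENT})*")


def parse_uri_reference(uri):
    """Split a URI reference into its components the way Appendix B does."""
    m = URI_REFERENCE_RE.match(uri)
    return {
        "scheme": m.group(2),
        "authority": m.group(4),
        "path": m.group(5),
        "query": m.group(7),
        "fragment": m.group(9),
    }


def valid_net_path_uri(uri):
    """Check scheme "://" hostport [ abs_path ] against Appendix A.

    Simplified: the authority must be a bare hostport (no userinfo,
    no reg_name, no IPv4address); query and fragment are not checked.
    """
    c = parse_uri_reference(uri)
    if c["scheme"] is None or c["authority"] is None:
        return False
    if not SCHEME_RE.fullmatch(c["scheme"]):
        return False
    if not HOSTPORT_RE.fullmatch(c["authority"]):
        return False
    return c["path"] == "" or ABS_PATH_RE.fullmatch(c["path"]) is not None


def referer_host(referer):
    """Host of a Referer value as the Appendix B parse sees it (None if absent)."""
    if referer is None:
        return None
    authority = parse_uri_reference(referer)["authority"]
    if authority is None:
        return None
    hostport = authority.rsplit("@", 1)[-1]  # drop userinfo, if present
    return hostport.split(":", 1)[0].lower()


def naive_referer_check(referer, site="http://example.com"):
    """The kind of check the thread argues against: a substring test on a
    header the client chooses (or omits) freely."""
    return referer is not None and site in referer


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it
    so the form can carry it back."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Compare the submitted token with the session's copy in constant time."""
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def csrf_roundtrip_demo():
    """Issue a token into a fresh session; check it, a wrong one, and a
    token presented to a session that never issued it."""
    session = {}
    token = issue_csrf_token(session)
    return (
        csrf_token_valid(session, token),
        csrf_token_valid(session, "0" * len(token)),
        csrf_token_valid({}, token),
    )


if __name__ == "__main__":
    disputed = "http://http://example.com"
    print(parse_uri_reference(disputed))
    print("valid per Appendix A:", valid_net_path_uri(disputed))
    print("substring check accepts it:", naive_referer_check(disputed))
    print("parsed host:", referer_host(disputed))
```

For the disputed reference the parse yields scheme `http`, authority `http:` (host `http`, empty port) and path `//example.com` (an empty segment followed by `example.com`), which is why it is valid under Appendix A after all. The same parse shows that its host is `http`, not `example.com`, while a substring test accepts it; and an absent Referer (which browsers and proxies may strip) gives the naive check nothing to work with at all, whereas the session token is generated and compared entirely on the server.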