Tygs / 0bin

Client side encrypted pastebin
https://0bin.net
Do What The F*ck You Want To Public License
1.37k stars 198 forks

Security concern #146

Closed antenore closed 3 years ago

antenore commented 3 years ago

In your web server logs, you have all the URLs that have been accessed, and therefore all the keys.

This sounds broken by design to me. Am I missing anything?

Glandos commented 3 years ago

Your server shouldn't have access to the URL anchor. The anchor is the key.

antenore commented 3 years ago

Thanks for the answer.

When a user opens one of the URIs, the web server serving the URL will log the request with a 200 status code, the origin IP, the URL that was requested (with the anchor) and, obviously, the status.

So a web server administrator could potentially read all the pastes.

Or maybe I didn't understand 😃

Glandos commented 3 years ago

No, anchors are not sent to the server. You can test it:

curl 'http://httpbin.org/anything?hello#prout' -H 'Host: httpbin.org' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: fr-FR,fr;q=0.7,en;q=0.3' --compressed -H 'Referer: http://httpbin.org/' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1'

{
  "args": {
    "hello": ""
  }, 
  "data": "", 
  "files": {}, 
  "form": {}, 
  "headers": {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 
    "Accept-Encoding": "deflate, gzip, br", 
    "Accept-Language": "fr-FR,fr;q=0.7,en;q=0.3", 
    "Host": "httpbin.org", 
    "Referer": "http://httpbin.org/", 
    "Upgrade-Insecure-Requests": "1", 
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", 
    "X-Amzn-Trace-Id": "Root=1-613f718a-39131679146859702bab09aa"
  }, 
  "json": null, 
  "method": "GET", 
  "origin": "212.99.28.166", 
  "url": "http://httpbin.org/anything?hello"
}

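
The same thing the curl call above shows, reproduced as an added example that is not part of the thread or of the 0bin code base: a client splits the URL into the request-target (path plus query) and the fragment, puts only the request-target on the request line, and keeps the fragment for its own use. The host name `0bin.example`, the paste id `abc123` and the key value are constructed placeholders; the loopback server stands in for a real web server and records exactly the request-target that an access log would contain.

```python
"""Show that the URL fragment (the part after '#') never leaves the client.

Added example, not code from the 0bin project. Host, paste id and key are
constructed placeholders.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Constructed sample: a 0bin-style URL whose anchor carries the decryption key.
SAMPLE_URL = "http://0bin.example/paste/abc123?hello#SECRET-KEY-PLACEHOLDER"


def client_key_from(url: str) -> str:
    """What the browser-side script reads (location.hash without the '#')."""
    return urlsplit(url).fragment


def request_line_for(url: str) -> str:
    """The request line urllib would put on the wire for this URL.

    Request.selector is the request-target (path + query); urllib splits the
    fragment off into Request.fragment and never sends it.
    """
    req = Request(url)
    return f"GET {req.selector} HTTP/1.1"


class _RecordingHandler(BaseHTTPRequestHandler):
    """Minimal server that records the request-target it receives,
    which is the value a web server access log would contain."""
    seen = []

    def do_GET(self):
        type(self).seen.append(self.path)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, fmt, *args):
        pass  # keep stderr quiet; self.path is captured directly above


def path_seen_by_loopback_server(path_query_fragment: str) -> str:
    """Fetch http://127.0.0.1:<port><path_query_fragment> from a throwaway
    loopback server and return the request-target the server received."""
    server = HTTPServer(("127.0.0.1", 0), _RecordingHandler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{port}{path_query_fragment}"
        with urlopen(url, timeout=5) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return _RecordingHandler.seen[-1]


if __name__ == "__main__":
    print("client reads key :", client_key_from(SAMPLE_URL))
    print("request line     :", request_line_for(SAMPLE_URL))
    print("server saw path  :",
          path_seen_by_loopback_server("/paste/abc123?hello#SECRET-KEY-PLACEHOLDER"))
```

Running it prints the key on the client side, a request line of `GET /paste/abc123?hello HTTP/1.1`, and a server-side path with no `#` in it. The practical reading for a defender is that the access log is not where the key can leak; the trust boundary is the script the server serves, since that script is the only party that reads `location.hash`.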
antenore commented 3 years ago

Thanks, I've learned something :-P