Commit 875aa11d authored by 127.0.0.1, committed by amnesia

typofixen

parent ab6e0c96
[bastardising the links to dodge the stupid blogspam bot]
h t t p ://tails.boum.org/contribute/design/I2P/
...describes a regex:
The page at tails.boum.org/contribute/design/I2P/ describes a regexp:
<blockquote>urls matching ^http://(127.0.0.1)|(localhost):7657(/.*)? will get a direct connection to the local host so the I2P router console can be reached.</blockquote>
According to the FoxyProxy regex documentation (h t t p ://getfoxyproxy.org/patterns.html):
FoxyProxy uses EcmaScript-compatible regexes, so what that regex actually means is:
According to the FoxyProxy regex documentation (h t t p ://getfoxyproxy.org/patterns.html), FoxyProxy uses ECMAScript-compatible regexps, so what that regexp actually means is:
Any URL beginning "http://127[any char]0[any char]0[any char]1" OR any URI containing the string "localhost:7657" anywhere within it, will evade the proxy.
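Review bot: the explanatory line at the end of this hunk switches between "URL" and "URI" in one sentence ("Any URL beginning ... OR any URI containing ..."), which this wording pass leaves untouched. Pick one term, since both halves describe the same input to the proxy pattern. It would also help to state why the two halves behave differently: the alternation splits the pattern at the top level, so the ^ anchor applies only to the 127.0.0.1 branch and the localhost branch is unanchored.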
......@@ -35,7 +31,7 @@ Failing to change this means that a URL like the following would match:
3) Added the final $ anchor, without which the final (/.*)? became meaningless.
Failing to change this means that a URL like the following would match:
Failing to change this means that URLs like the following would match:
h t t p ://localhost:76579
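Review bot: the example URL kept as context after the reworded line uses port 76579, which is above 65535, the highest valid TCP port, so nothing can be listening on it. As the sentence introducing it is being edited anyway, consider replacing the example, along with the later "who can tell what's running on port 76579?" remark, so the case for the trailing $ anchor does not depend on a port that cannot exist.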
......@@ -46,26 +42,27 @@ or
Not a terrible risk, but who can tell what's running on port 76579? So if you want to guarantee anything following the port number is separated by a slash, you need that anchor.
While we're at it, let's look at the other regexes on that page.
While we're at it, let's look at the other regexps on that page.
^https?://[^/]+\.i2p(:[0-9]{1,5})?(/.*)?
Well, the following would match:
h t t p ://malicious.example.com?.i2p
That is, a regular .com site would be sent through the .i2p filter. No idea if that could be exploited, but let's fix that up anyway.
That is, a regular .com site could be sent through the .i2p filter. No idea if that could be exploited, but let's fix that up anyway.
^https?://[-a-zA-Z0-9.]+\.i2p(:[0-9]{1,5})?(/.*)?$
Here, I've made a whitelist for the domain name, instead of a blacklist; and again, I've added the terminating $ anchor so that the (/.*)? is meaningful.
Here, I've made a white-list for the domain name, instead of a blacklist; and again, I've added the terminating $ anchor so that the (/.*)? is meaningful.
Again, the brackets (blah) should probably be non-capturing brackets, like (?:blah) for speed, but this reduces readability and maintainability, so I didn't include it above.
The third regex looks fine to me.
The third regexp looks fine to me.
http://tails.boum.org/todo/FTP_in_Iceweasel/ describes some more regexes. Let's check them, too.
http://tails.boum.org/todo/FTP_in_Iceweasel/ describes some more regexps. Let's check them, too.
ftp://.*
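Review bot: the new line hyphenates "white-list" while "blacklist" stays unhyphenated in the same sentence, so the edit introduces an inconsistency rather than removing one. Keep "whitelist", or hyphenate both. Separately, the port group (:[0-9]{1,5})? in the corrected pattern accepts values up to 99999; the text could note that the pattern limits the number of digits only, not the port range.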
......@@ -81,7 +78,7 @@ These both need an anchor ^ at the beginning, and the ending .* seems pointless,
Finally, there's:
http://[a-zA-Z0-9\.]*\.i2p(/.*)?
That's better than the last .i2p regex, but you don't need to escape a dot if it's in a group; domain names can include dashes, too; you need to deal with alternative port numbers; and you need beginning and ending anchors. So the version listed earlier is probably a better choice:
That's better than the last .i2p regexp, but you don't need to escape a dot if it's in a group; domain names can include dashes, too; you need to deal with alternative port numbers; and you need beginning and ending anchors. So the version listed earlier is probably a better choice:
^https?://[-a-zA-Z0-9.]+\.i2p(:[0-9]{1,5})?(/.*)?$
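Review bot: the reworded line still says "you don't need to escape a dot if it's in a group", but [a-zA-Z0-9\.] is a character class, not a group. Elsewhere the text uses "brackets (blah)" for capturing groups, so the word reads as if it meant parentheses, where an unescaped dot does match any character. Suggest "if it's in a character class" so that nobody removes an escape in the wrong place.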
......