CSRF in Gemini

[Francesco Gazzetta]

On Mon, 15 Jun 2020 17:05:33 +0200
Felix Queißner <felix at masterq32.de> wrote:

> I think one solution would be to force clients to remove queries from
> all URLs. It's not a really elegant solution and makes CGI stuff
> harder to implement, but will prevent a lot of URL-fuckery.

That coul be a good and clean solution, if we get microbotany, gus, etc
to move the stuff they put in the query to a path fragment. Too bad
this means that it's no longer possible to use cgi for that stuff.

> While writing this, i got the following idea (which seams reasonable
> to me): Specify that a response to INPUT MUST be passed with a
> query-parameter "?input=…" where "…" is the data from the user. The
> data is fully urlencoded with all forbidden characters(space,?,=,…)
> replaced with their percent-encoding.
> 
> Also specify that clients SHOULD remove the "input"-parameter between
> redirects and in documents using the gemini-scheme.

Less clean, but preserves cgi functionality and it's stateless! I like
this

> This allows us to prevent passing accidential or malicious data via
> redirects, but doesn't help against a spam-bot that targets a site
> directly. It also makes client implementation a bit harder.

Eh, the spam problem is a problem on its own anyway, and I probably
should have made a different example in my article.