Facebook FBCLID can have "--"

nigelhorne · Nov 10, 2023 · 88797eb · 88797eb
1 parent 2f13b07
commit 88797eb
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/Changes b/Changes
@@ -3,6 +3,7 @@ Revision history for CGI-Info
 0.79
 	Better arg count checking
 	Mark techiaith.cymru as a robot
+	Facebook FBCLID can have "--" which can cause false positives
 
 0.78	Fri Oct  6 13:59:51 EDT 2023
 	Set HTTP status to 403 on HTTP_USER_AGENT SQL injection attack

diff --git a/lib/CGI/Info.pm b/lib/CGI/Info.pm
@@ -744,7 +744,9 @@ sub params {
 
 		if((!defined($ENV{'REQUEST_METHOD'})) || ($ENV{'REQUEST_METHOD'} eq 'GET')) {
 			# From http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
-			if(($value =~ /(\%27)|(\')|(\-\-)|(\%23)|(\#)/ix) ||
+			# Facebook FBCLID can have "--"
+			# if(($value =~ /(\%27)|(\')|(\-\-)|(\%23)|(\#)/ix) ||
+			if(($value =~ /(\%27)|(\')|(\%23)|(\#)/ix) ||
 			   ($value =~ /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i) ||
 			   ($value =~ /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix) ||
 			   ($value =~ /((\%27)|(\'))union/ix) ||