Page MenuHomePhabricator
Create Task
Maniphest T108604

UrlShortener extension accepts arbitrary port numbers and credentials
Closed, ResolvedPublic
Actions

Description

e.g., "https://en.wikipedia.org:22" and "https://user:password@graphite.wikimedia.org" both work (the URL is shortened and the target URL preserves the port number and authentication credentials).

Since URI schemes are normalized to https / http, restricting port to ports 80 and 443 seems like a good idea. Auth credentials should be stripped or rejected as invalid input.

Details

SubjectRepoBranchLines +/-
Don't allow shortening URLs with a username or passwordmediawiki/extensions/UrlShortenermaster+15 -3
Disallow URLs that contain ports that aren't 80 or 443 by defaultmediawiki/extensions/UrlShortenermaster+51 -13
Customize query in gerrit

Related Objects
Search...

Event Timeline

ori created this task.Aug 10 2015, 5:54 PM
ori raised the priority of this task from to Medium.
ori updated the task description. (Show Details)
ori added a project: MediaWiki-extensions-UrlShortener.
ori added a subscriber: Legoktm.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 10 2015, 5:54 PM
ori renamed this task from UrlShortener extension accepts arbitrary port numbers to UrlShortener extension accepts arbitrary port numbers and credentials.Aug 10 2015, 5:58 PM
ori updated the task description. (Show Details)
ori set Security to None.
Legoktm added a comment.Aug 10 2015, 6:55 PM

Is there a valid reason to include port 80/443 in URLs? We still need to support port numbers that may be in $wgServer (like in mw-vagrant for example), so might be easiest to implement this in the regex...

Auth credentials should be easy to reject since both wfParseUrl() and mw.Uri expose those.

ori subscribed.Aug 10 2015, 6:57 PM
In T108604#1524977, @Legoktm wrote:

Is there a valid reason to include port 80/443 in URLs?

No. Stripping port numbers outright (or rejecting URLs which contain them) would be fine, I think.

gerritbot subscribed.Aug 12 2015, 10:10 AM

Change 230988 had a related patch set uploaded (by Legoktm):
Disallow URLs that contain ports that aren't 80 or 443 by default

https://gerrit.wikimedia.org/r/230988

gerritbot added a project: Patch-For-Review.Aug 12 2015, 10:10 AM
gerritbot added a comment.Aug 13 2015, 5:46 AM

Change 230988 merged by jenkins-bot:
Disallow URLs that contain ports that aren't 80 or 443 by default

https://gerrit.wikimedia.org/r/230988

ori mentioned this in rEUSH7b5b2198b04d: Disallow URLs that contain ports that aren't 80 or 443 by default.Aug 13 2015, 5:46 AM
Legoktm mentioned this in rMEXT678243568c50: Updated mediawiki/extensions Project: mediawiki/extensions/UrlShortener….Aug 13 2015, 5:46 AM
ori closed this task as Resolved.Aug 13 2015, 5:19 PM
ori claimed this task.
Legoktm reopened this task as Open.Aug 13 2015, 5:33 PM

We didn't fix username/password yet, just arbitrary ports.

MZMcBride subscribed.Aug 14 2015, 4:29 AM
gerritbot added a comment.Aug 15 2015, 4:56 AM

Change 231744 had a related patch set uploaded (by Legoktm):
Don't allow shortening URLs with a username or password

https://gerrit.wikimedia.org/r/231744

gerritbot added a comment.Aug 16 2015, 9:58 PM

Change 231744 merged by jenkins-bot:
Don't allow shortening URLs with a username or password

https://gerrit.wikimedia.org/r/231744

ori mentioned this in rEUSH273f991be62e: Don't allow shortening URLs with a username or password.Aug 16 2015, 9:59 PM
Legoktm mentioned this in rMEXT648893709818: Updated mediawiki/extensions Project: mediawiki/extensions/UrlShortener….Aug 16 2015, 9:59 PM
Legoktm closed this task as Resolved.Aug 16 2015, 10:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL