Whitelisted URLs can appear outside the top domain name
Closed, Resolved (Public)

Description

Author: madrat

Description:
With ConfirmEdit you can whitelist URLs that you don't want to require a CAPTCHA using the MediaWiki:captcha-addurl-whitelist page. However, you can't just whitelist a specific domain without a spammer being able to exploit it by adding the domain somewhere else in the URL.

For example: if you add wikimedia\.org to whitelist the wikimedia.org domain,
http://examplewikimedia.org/
http://wikimedia.org.example.com/
http://example.com/?http://wikimedia.org/
will all be able to bypass the CAPTCHA.


Version: unspecified
Severity: normal

bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz14154.
bzimport created this task. Via Legacy, May 16 2008, 6:27 PM

Nakon added a comment. Via Conduit, May 16 2008, 6:41 PM

You can add a boundary by using \bdomain\.com\b .

brion added a comment. Via Conduit, May 16 2008, 7:15 PM

The generated regex wasn't properly anchored, so would match later in the URL than it should.

Fixed in r34932; also made it match both http and https.
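
The anchoring problem in this report, as an added example that is not part of the original thread and is not the code from r34932: it runs the three URLs from the description against the unanchored entry, the \b form suggested in the comments, and an anchored pattern. The anchored regex, the function names, and the choice to accept subdomains are assumptions made for illustration; ConfirmEdit itself is PHP, and Python's `re` behaves the same way for these patterns.

```python
import re

# Whitelist patterns for the wikimedia.org example from the report.
UNANCHORED = r"wikimedia\.org"          # the entry as written in the report
WORD_BOUNDARY = r"\bwikimedia\.org\b"   # the \b form suggested in the comments
# Assumed anchored form (not the regex from r34932): scheme at the start of
# the URL, optional subdomain labels, the domain, and then the host must end
# at "/", "?", "#" or end of string so nothing can extend it.
ANCHORED = r"^https?://(?:[a-z0-9-]+\.)*wikimedia\.org(?:[/?#]|$)"

# Constructed sample input: the three URLs from the report, plus two
# legitimate URLs that the whitelist is meant to allow.
BYPASS_URLS = [
    "http://examplewikimedia.org/",
    "http://wikimedia.org.example.com/",
    "http://example.com/?http://wikimedia.org/",
]
LEGIT_URLS = [
    "http://wikimedia.org/",
    "https://meta.wikimedia.org/wiki/Main_Page",
]


def is_whitelisted(pattern, url):
    """True if the URL would skip the CAPTCHA under this whitelist pattern."""
    return re.search(pattern, url, re.IGNORECASE) is not None


def wrongly_whitelisted(pattern):
    """URLs from the report that the pattern still lets through."""
    return [u for u in BYPASS_URLS if is_whitelisted(pattern, u)]


def legit_rejected(pattern):
    """Legitimate URLs that the pattern fails to whitelist."""
    return [u for u in LEGIT_URLS if not is_whitelisted(pattern, u)]


if __name__ == "__main__":
    for name, pattern in [("unanchored", UNANCHORED),
                          ("word boundary", WORD_BOUNDARY),
                          ("anchored", ANCHORED)]:
        print(f"{name}: still bypasses={wrongly_whitelisted(pattern)} "
              f"legit rejected={legit_rejected(pattern)}")
```

The word-boundary form only stops the first URL, because `.` and `/` are themselves word boundaries; the other two are rejected only once the match is tied to the scheme and the end of the host.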
