Page MenuHomePhabricator
Create Task
Maniphest T16154

Whitelisted URLs can appear outside the top domain name
Closed, ResolvedPublic
Actions

Description

Author: madrat

Description:
With ConfirmEdit you can whitelist URLs that you don't want to require a CAPTCHA using the MediaWiki:captcha-addurl-whitelist page. However you can't just whitelist a specific domain without a spammer being able to exploit it by adding the domain somewhere else in the URL.

For example: if you add wikimedia\.org to whitelist the wikimedia.org domain,
http://examplewikimedia.org/
http://wikimedia.org.example.com/
http://example.com/?http://wikimedia.org/
will all be able to bypass the CAPTCHA.

Version: unspecified
Severity: normal

Details

Reference
bz14154

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:11 PM
bzimport added a project: ConfirmEdit (CAPTCHA extension).
bzimport set Reference to bz14154.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.May 16 2008, 6:27 PM
Nakon added a comment.May 16 2008, 6:41 PM

You can add a boundary by using \bdomain\.com\b .

brion added a comment.May 16 2008, 7:15 PM

The generated regex wasn't properly anchored, so would match later in the URL than it should.

Fixed in r34932; also made it match both http and https.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL