
Allow for interwiki redirects from pl.wikimedia.org
Closed, Declined (Public)

Description

Please allow for redirects from pl.wikimedia.org to happen via interwiki links.

The interwiki prefix wmplsite: has recently been added.

If I'm reading the docs right, to make this work we also need $wgDisableHardRedirects to be set to false.

Example redirect page:
https://pl.wikimedia.org/wiki/Kontakt

Rationale:

pl.wikimedia.org was used as the outward-facing site for Wikimedia Poland. This function has now been moved to wikimedia.pl. The wiki will continue to serve as a resource for members and a storage mechanism for public information about the chapter. Due to this split of functions between two distinct sites, we need to seamlessly redirect certain pages from pl.wikimedia.org to wikimedia.pl.

Thanks in advance.

Event Timeline

Hey, I'm afraid this is not as easy as it sounds.

Intro

Each interwiki prefix can be either local (reserved for wikis of the same wiki farm, which wikimedia.pl is not) or external (all non-local interwiki prefixes are external), and redirects are performed by MW code only for internal prefixes. That's to lower the number of holes that could make us serve as an open redirect. Imagine the following:

  1. wikimedia.pl has a bug that makes [[:wmplsite:something/http://attacker.com]] lead you to attacker.com
  2. an attacker discovers that, and crafts a URL like https://en.wikipedia.org/wiki/Special:Search/wmplsite:something/http://attacker.com, which would redirect you to attacker.com
  3. an attacker uses that URL to trick people into clicking a "trustworthy" link on Wikipedia

This issue could also be used to bypass spam filters (especially if shortened via w.wiki). See also https://nakedsecurity.sophos.com/2020/05/15/how-scammers-abuse-google-searchs-open-redirect-feature/, which explains the same issue with Google.

Solution A: Not use a redirect at all

This is actually how WMF solved this when they migrated from the wiki, see https://foundation.wikimedia.org/wiki/Mission and others. In my opinion, it is the easiest solution, as it doesn't have any other implications. It involves one more click for the users, but on the other hand, that shows them they're in control of their own browser.

Solution B: Implement redirects somewhere

The other approach would be to have WMF's servers (not necessarily MediaWiki) perform the redirect. HOWEVER, that has some important implications:

  • as I demonstrated in the intro, that would mean any open redirect in wikimedia.pl would be exploitable via Wikimedia servers
  • a user that clicks pl.wikimedia.org consents to release their PII (IP/UA) to WMF. However, that doesn't mean they consent to passing the same data to WMPL and/or their vendors, who maintain wikimedia.pl.

The second issue is more serious, and is generally treated as pretty important by Wikimedia, see the CentralNotice guidelines, which prohibit any external link from a CentralNotice, exactly because that looks like a part of the interface, and users think they're only browsing Wikipedia/other Wikimedia sites.

I'm afraid that implementing the redirect would require an approval from WMF legal first. If that's approved, we can go in several main directions:

  • code MediaWiki to make the redirect for external links in some wikis
  • make wmplsite a sui generis "local" link somehow
  • serve the redirect from the caching layer, rather than from application servers

TLDR

Making redirects to somewhere else from a WMF-hosted wiki is problematic, mainly due to the amount of info that would get released to WMPL, possibly without the user's consent. Hence, it would require approval from WMF legal (which is going to take weeks to months).

End

I hope this information makes sense to you, @TOR. Let me know if you have any questions.
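To make the local/external distinction in the comment above concrete, here is an added example, not MediaWiki code and not from anyone on this task: a small Python model of the policy it describes, where only local prefixes may become HTTP redirects and external prefixes are rendered as plain links the user clicks themselves. The interwiki table, hostnames and the disable_hard_redirects flag (modelled loosely on the $wgDisableHardRedirects setting named in the description) are assumptions.

```python
from urllib.parse import urlsplit, quote

# Constructed interwiki table: prefix -> (URL template, is_local).
# wmplsite points outside the wiki farm, so it is external; "w" stands in
# for a same-farm (local) prefix.
INTERWIKI = {
    "wmplsite": ("https://wikimedia.pl/wiki/$1", False),
    "w": ("https://en.wikipedia.org/wiki/$1", True),
}


def resolve_interwiki(link: str):
    """Split 'prefix:page' into (template, is_local, page), or None if unknown."""
    prefix, sep, page = link.partition(":")
    if not sep or prefix not in INTERWIKI:
        return None
    template, is_local = INTERWIKI[prefix]
    return template, is_local, page


def redirect_decision(link: str, disable_hard_redirects: bool = False):
    """Decide how the wiki should treat an interwiki link.

    Returns ('redirect', url) when the server may answer with an HTTP 302
    (local prefixes only, and only if hard redirects are enabled),
    ('link', url) when the target must be rendered as an ordinary hyperlink
    that the user clicks, or ('none', None) for an unknown prefix.
    """
    resolved = resolve_interwiki(link)
    if resolved is None:
        return ("none", None)
    template, is_local, page = resolved
    # The page name is percent-encoded as a single path component, so a page
    # such as 'something/http://example.org' can never introduce a second
    # host into the resulting URL.
    url = template.replace("$1", quote(page, safe=""))
    # Defence in depth: the final host must be the template's own host.
    if urlsplit(url).netloc != urlsplit(template).netloc:
        return ("none", None)
    if is_local and not disable_hard_redirects:
        return ("redirect", url)
    return ("link", url)
```

An external prefix therefore never yields a server-side redirect, which is the property the comment relies on: a bug on the remote site cannot be chained into an open redirect from the wiki's own domain.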

I am concerned about this proposal because it means redirecting users from a trusted domain (wikimedia.org) to elsewhere without any warning (e.g. "You're leaving this website and going to this other one"). That also means sending users' private information from one website to another without any warning, sites that might have different or differing privacy policies, etc. As with @Urbanecm, this looks a bit problematic and would probably require WMF-Legal sign-off.

@TOR We'd appreciate your reply. Otherwise, we need to close this as not actionable.


This task hasn't received an answer in nearly 2 weeks. As per @Urbanecm, I'm closing this as not actionable.