
[SpamBlacklist] Do not include '(?:https?:)?\/\/+[a-z0-9_\-.]*' in whitelist regex
Open, Low, Public

Description

Because replacing this with the empty string strips "//" from URLs, any URL processed by the whitelist then fails to match against the blacklist.

Repro: xlx.to is blacklisted in [[m:Spam blacklist]] using \bxlx\.to\b, thus http://foobar.xlx.to/ is expected to be blocked. However, on enwiki there's a whitelist entry saying \bonion\.com\b, so http://onion.com.xlx.to/ (which is an xlx.to subdomain) can pass the filter on enwiki.
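As an added example (not the SpamBlacklist extension's own code), the Python below models the check the description refers to: every whitelist match is replaced with the empty string, and only then is the blacklist regex searched. It uses the prefix from the task title and the two constructed entries from the repro; compiling both lists case-insensitively is an assumption about how the extension builds its regexes. Running it with the whitelist carrying the prefix reproduces the bug (the "//" is stripped, so the blacklist misses the xlx.to subdomain), and with the prefix removed from the whitelist regex, as the task title proposes, the same URL is blocked again.

```python
import re

# Added example, not SpamBlacklist's own code: a model of the whitelist-then-
# blacklist check the task describes (whitelist matches are replaced with ''
# before the blacklist regex is searched).

# Prefix quoted in the task title: optional scheme, the '//' and a host fragment.
URL_PREFIX = r'(?:https?:)?\/\/+[a-z0-9_\-.]*'

# Constructed list entries taken from the repro in the description.
BLACKLIST = [r'\bxlx\.to\b']
WHITELIST = [r'\bonion\.com\b']


def build_regex(entries, with_prefix=True):
    """Join list entries into one alternation, optionally behind URL_PREFIX.
    Case-insensitive matching is an assumption about the extension's flags."""
    prefix = URL_PREFIX if with_prefix else ''
    return re.compile(prefix + '(' + '|'.join(entries) + ')', re.IGNORECASE)


def stripped_form(url, whitelist_has_prefix):
    """The text left over after whitelisted matches are replaced with ''."""
    whitelist = build_regex(WHITELIST, with_prefix=whitelist_has_prefix)
    return whitelist.sub('', url)


def blocked_urls(urls, whitelist_has_prefix):
    """Return the URLs that still hit the blacklist after the whitelist pass.

    whitelist_has_prefix=True models the reported bug (prefix inside the
    whitelist regex); False models the change proposed in the task title.
    """
    blacklist = build_regex(BLACKLIST, with_prefix=True)
    blocked = []
    for url in urls:
        remaining = stripped_form(url, whitelist_has_prefix)
        # The blacklist regex always carries the prefix, so it needs the '//'
        # to survive the whitelist pass in order to match at all.
        if blacklist.search(remaining):
            blocked.append(url)
    return blocked


if __name__ == '__main__':
    # Constructed sample: a plain blacklisted host, the bypass from the repro,
    # and a genuinely whitelisted host.
    sample = ['http://foobar.xlx.to/', 'http://onion.com.xlx.to/', 'http://onion.com/']
    for has_prefix in (True, False):
        print('whitelist %s prefix' % ('with' if has_prefix else 'without'))
        for url in sample:
            verdict = 'BLOCKED' if blocked_urls([url], has_prefix) else 'allowed'
            print('  %-26s -> %-20r %s' % (url, stripped_form(url, has_prefix), verdict))
```

Run it as a script to see both tables: with the prefix in the whitelist regex, `http://onion.com.xlx.to/` is reduced to `.xlx.to/` and slips past the blacklist; without it, the whitelist removes only `onion.com`, leaving `http://.xlx.to/`, which the blacklist still catches.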


Version: unspecified
Severity: normal

Details

Reference
bz65848

Event Timeline

bzimport raised the priority of this task from to Needs Triage. · Nov 22 2014, 3:11 AM
bzimport added a project: Security-Extensions.
bzimport set Reference to bz65848.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Security (Project)". · Nov 22 2014, 3:11 AM
Restricted Application changed the edit policy from "All Users" to "Security (Project)".
Restricted Application changed the visibility from "Security (Project)" to "Custom Policy". · Nov 24 2014, 9:27 PM
Restricted Application changed the edit policy from "Security (Project)" to "Custom Policy".
dpatrick triaged this task as Low priority.
dpatrick added a project: Security-Team.
Krenair added a subscriber: Krenair.
Restricted Application added a subscriber: Aklapper. · Sep 13 2015, 5:24 PM
Aklapper removed dpatrick as the assignee of this task. · Feb 19 2018, 11:21 AM
Aklapper added a subscriber: dpatrick.
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". · Sep 4 2018, 2:21 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
JBennett changed the visibility from "Public (No Login Required)" to "Custom Policy".
JBennett changed the edit policy from "All Users" to "Custom Policy".
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". · Sep 4 2018, 2:21 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".