Using language conversion syntax in external links bypasses proper external link registration
Closed, ResolvedPublic

Description

I just realized that -{}- works in external links, such as [http://www.-{zh-cn:weibo;zh-tw:twitter}-.com Microblogging] and is not a side effect: it has been deliberately used by a converter developer: https://zh.wikipedia.org/w/index.php?title=2008年西藏骚乱&diff=6478425&oldid=6478406 .

However, this causes http://www.-{zh-cn:weibo;zh-tw:twitter}-.com to be registered as an external link in parser output, instead of either http://www.weibo.com or http://www.twitter.com , thus the links http://www.weibo.com and http://www.twitter.com seen by final users cannot be detected in code, which can be abused, for example, to bypass the spam blacklist ([http://-{tinyurl}-.com/foobar Foobar] just works: https://zh.wikipedia.org/w/index.php?title=Wikipedia:%E6%B2%99%E7%9B%92&diff=34043017&oldid=34042783&unhide=1 ), and pollutes the externallinks table.

I believe such usage will also cause problems in Parsoid; cc'ing cscott. Not sure if this leads to any security issues but it seems unlikely.

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy". (Jan 21 2015, 3:03 PM)
Maniphest changed the edit policy from "All Users" to "Custom Policy".
liangent updated the task description. (Show Details)
liangent changed Security from None to Software security bug.
liangent updated the task description. (Show Details)
liangent edited subscribers, added: liangent, cscott; removed: Aklapper.
dpatrick triaged this task as Low priority.
dpatrick raised the priority of this task from Low to Medium.
dpatrick added a project: Security-Team.

Note: I expect the patch on T119158 will break this behaviour

I don't have access to that ticket. Can you add me there?

For reference, there are ~1600 such links (approx)

MariaDB [zhwiki_p]> select count(*) from externallinks where  el_to like '%-\%7B%\%7D-%' limit 4;
+----------+
| count(*) |
+----------+
|     1674 |
+----------+
1 row in set (3.67 sec)
MariaDB [zhwiki_p]> select count(*) from externallinks where el_to like '%-\%7B%\%7D-' limit 3\G
*************************** 1. row ***************************
count(*): 39
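
A defender-side helper, added here and not part of this task or of MediaWiki's own code: it expands the -{...}- variants of a raw link target into every concrete URL a reader could see, so each one can be checked against a blacklist, and it flags externallinks rows that still carry the (URL-encoded) converter markup, which is what the query above counts. The blacklist patterns and sample link targets are constructed for the example; nested converter blocks are not handled.

```python
import re
from urllib.parse import unquote

# One MediaWiki language-converter block, e.g. -{zh-cn:weibo;zh-tw:twitter}-
# or the bare form -{tinyurl}- (no "code:" prefix).
CONVERTER_RE = re.compile(r"-\{(.*?)\}-")


def expand_converter_url(raw_url):
    """Return the sorted set of concrete URLs a raw link target can render to."""
    urls = [""]
    pos = 0
    for m in CONVERTER_RE.finditer(raw_url):
        prefix = raw_url[pos:m.start()]
        variants = []
        for part in m.group(1).split(";"):
            part = part.strip()
            if not part:
                continue
            # "zh-cn:weibo" -> "weibo"; a bare "tinyurl" stays as it is
            variants.append(part.split(":", 1)[1] if ":" in part else part)
        variants = variants or [""]
        urls = [u + prefix + v for u in urls for v in variants]
        pos = m.end()
    tail = raw_url[pos:]
    return sorted({u + tail for u in urls})


def blacklisted_variants(raw_url, blacklist_patterns):
    """Variants of raw_url matching any blacklist regex. A check run only on
    the raw string misses them, because the markup splits the host name."""
    hits = []
    for url in expand_converter_url(raw_url):
        if any(re.search(pat, url) for pat in blacklist_patterns):
            hits.append(url)
    return hits


def has_unexpanded_markup(el_to):
    """Flag an externallinks.el_to value that still contains converter markup.
    The table stores the braces percent-encoded ('-%7B ... %7D-')."""
    return CONVERTER_RE.search(unquote(el_to)) is not None


if __name__ == "__main__":
    # Constructed samples mirroring the targets discussed in the task.
    blacklist = [r"tinyurl\.com"]
    print(expand_converter_url("http://www.-{zh-cn:weibo;zh-tw:twitter}-.com"))
    print(blacklisted_variants("http://-{tinyurl}-.com/foobar", blacklist))
    print(has_unexpanded_markup("http://www.-%7Bzh-cn:weibo;zh-tw:twitter%7D-.com"))
```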

Looks like less of a concern now.

Bawolff claimed this task.
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
Bawolff changed the edit policy from "Custom Policy" to "All Users".