
Interwiki may circumvent blacklist
Open, Medium, Public

Description

The interwiki feature[1] can be used to circumvent the spam blacklist, e.g., [[cache:example.org]] can circumvent the blacklisting of example.org.

[1] http://www.mediawiki.org/wiki/Interwiki_map


Version: unspecified
Severity: normal

Details

Reference
bz28839

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:35 PM
bzimport added a project: SpamBlacklist.
bzimport set Reference to bz28839.
bzimport added a subscriber: Unknown Object (MLST).

Then maybe we shouldn't have interwikis that could point to blacklisted sites...

The proposal is to check if interwiki links like cache: can be abused in this way and remove them or fix them.

During triage, someone suggested that this would make a good Hack-a-thon candidate.

I don't really see how this is an issue, because you are not really pointing to "example.org"; you are pointing to the Google cache of said page.

Whether certain sites should be interwikis (cache: being a default one) is an entirely different convo.

I'm fairly sure this behavior, whether intentional or not, is used in some hacks. More information available here: http://en.wikipedia.org/wiki/User_talk:MZMcBride/Archive_18#Your_template_wizardy_required.

(In reply to comment #3)

I don't really see how this is an issue, because you are not really pointing to
"example.org"; you are pointing to the Google cache of said page.

The use of the blacklist actually is not just to block a special url, but to block its content, i.e., block link spamming.

If example.org is blocked by the sbl, then any explicit link to the google-cache is blocked, too. The reason for that is that the url of the cached site contains the original (blocked) url. This blocking is intentional and it's good.
But by using [[cache:example.org]], one is able to circumvent this mechanism.

That could result in a big problem if any link spammer becomes aware of that fact, because such links are difficult to find. I guess they can't be found via special:linksearch.
I already started at w:de to log all additions of "[[cache:" using the abuse filter extension. I guess, I'll do the same at w:en. But that doesn't solve the problem, of course.

This is pretty much unique to any interwiki that links to a cached version of websites. Which...I can't find any other examples of in the interwiki tables ;-)

Interwikis are really designed for linking to *other wikis*, and usages of them to link to other things leads to bugs (see bug 15274, for example). What if we wanted to link to [[meta:Spam reports/example.com]]? By subjecting interwikis to the SBL, you're potentially blacklisting legitimate links as well.

Interwikis should not be harmed by the sbl. But interwikis should not contain "cache" any longer.

Note it is possible to create a DOI that redirects to an arbitrary URL.
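
A check for the bypass discussed in this task, as an added example (not code from the task or from the SpamBlacklist extension): it expands interwiki links through the interwiki map and applies the blacklist to the resulting URL, but only for prefixes that wrap an arbitrary URL, so a link such as [[meta:Spam reports/example.org]] is not flagged. The map entries, the `URL_WRAPPING` set, the blacklist pattern and the sample wikitext are constructed, and the regex matching is a simplification of how the extension applies its entries.

```python
import re

# Constructed interwiki map: prefix -> URL template; "$1" is replaced by the link target.
# The URLs are placeholders, not entries copied from a real interwiki table.
INTERWIKI_MAP = {
    "cache": "https://cache.example.net/search?q=cache:$1",
    "meta": "https://meta.example.net/wiki/$1",
}
# Assumption: prefixes whose target is itself an arbitrary URL rather than a wiki page title.
URL_WRAPPING = {"cache"}
# Constructed blacklist entries, treated as regexes searched in the expanded URL (simplified).
BLACKLIST = [r"\bexample\.org\b"]

# [[prefix:target]] or [[prefix:target|label]]; the target stops at "]", "|" or "#".
INTERWIKI_LINK = re.compile(r"\[\[\s*:?\s*([A-Za-z0-9_-]+)\s*:\s*([^\]|#]+)")

# Constructed sample wikitext.
SAMPLE = (
    "See [[cache:example.org]] and [[meta:Spam reports/example.org]], "
    "plus [[cache:www.example.org/page|cached copy]] and [[Cache:harmless.test]]."
)


def expand_interwiki(wikitext, iw_map=INTERWIKI_MAP):
    """Return (prefix, target, expanded_url) for each link whose prefix is in the map."""
    links = []
    for prefix, target in INTERWIKI_LINK.findall(wikitext):
        template = iw_map.get(prefix.lower())
        if template is not None:
            target = target.strip()
            links.append((prefix.lower(), target, template.replace("$1", target)))
    return links


def blacklisted_interwiki_links(wikitext, check_prefixes=URL_WRAPPING, blacklist=BLACKLIST):
    """Return the expanded links that the blacklist would have blocked as plain URLs."""
    patterns = [re.compile(p, re.IGNORECASE) for p in blacklist]
    return [
        link for link in expand_interwiki(wikitext)
        if link[0] in check_prefixes and any(p.search(link[2]) for p in patterns)
    ]


if __name__ == "__main__":
    for prefix, target, url in blacklisted_interwiki_links(SAMPLE):
        print(f"blocked: [[{prefix}:{target}]] -> {url}")
```

Passing `check_prefixes={"cache", "meta"}` shows the false positive on the meta link that restricting the check to URL-wrapping prefixes avoids.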