
[cache:...] considered harmful
Closed, Declined
Public

Description

Author: sam

Description:
The [cache:...] construct is used as a shortcut to Google's cache. This can be useful, but since the link is not displayed as an external link, the user can be misled into clicking harmful links if he/she does not check the URL in the browser's status bar.

Even worse, [cache:...] can be combined with #REDIRECT and lead the user to virtually any page, with the URL appearing totally harmless. The attached URL illustrates this. Also, putting things like #REDIRECT [cache:doom3.zoy.org] in a page can also be used to abuse JavaScript and crash browsers. It can probably be used for phishing.

Proposed fix: remove 'Cache' from maintenance/interwiki.sql.


Version: 1.3.x
Severity: critical
URL: http://fr.wikipedia.org/User:Sam Hocevar/goatse

Details

Reference
bz1128

Event Timeline

bzimport raised the priority of this task from to Lowest. Nov 21 2014, 8:00 PM
bzimport set Reference to bz1128.
bzimport added a subscriber: Unknown Object (MLST).

Nothing wrong with it as in interwiki; the problem is that interwiki redirects aren't currently handled appropriately. They're not restricted to local wikis, and have other problems.
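
The comment above places the problem in redirect handling rather than in the interwiki entry itself. The following sketch of that restriction is an added illustration, not MediaWiki's code: a redirect whose target uses a non-local interwiki prefix is shown as a visible link instead of being followed. The `INTERWIKI` map, its placeholder hosts and all function names are assumptions.

```python
import re

# Constructed interwiki map: prefix -> (URL pattern, is_local_wiki).
# Hosts are placeholders, not real interwiki entries.
INTERWIKI = {
    "cache": ("https://cache.example/search?q=cache:$1", False),
    "fr": ("https://fr.wiki.example/wiki/$1", True),
}

# Accepts both the [[...]] form and the single-bracket form quoted in the report.
REDIRECT_RE = re.compile(r"^\s*#REDIRECT\s*\[{1,2}([^\]|]+)", re.IGNORECASE)


def redirect_target(wikitext):
    """Return the raw redirect target of a page, or None if it is not a redirect."""
    m = REDIRECT_RE.match(wikitext)
    return m.group(1).strip() if m else None


def split_interwiki(target):
    """Split 'prefix:rest' when prefix is a known interwiki prefix."""
    # A leading colon must not hide the prefix from the check.
    prefix, sep, rest = target.lstrip(": ").partition(":")
    key = prefix.strip().lower()
    if sep and key in INTERWIKI:
        return key, rest.strip()
    return None, target


def redirect_decision(wikitext):
    """Decide how to handle a page: 'not-redirect', 'follow' or 'show-link'."""
    target = redirect_target(wikitext)
    if target is None:
        return "not-redirect"
    prefix, _rest = split_interwiki(target)
    if prefix is None:
        return "follow"  # ordinary title (or namespace) on this wiki
    _url, is_local = INTERWIKI[prefix]
    # Off-site prefixes are never followed automatically: the reader gets a
    # visible link and chooses whether to leave the wiki.
    return "follow" if is_local else "show-link"


if __name__ == "__main__":
    for text in ("#REDIRECT [[Main Page]]", "#redirect [[fr:Accueil]]",
                 "#REDIRECT [cache:doom3.zoy.org]", "Plain article text"):
        print(repr(text), "->", redirect_decision(text))
```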

Changing all WONTFIX high priority bugs to lowest priority (no mail should be generated since I turned it off for this.)