
URL inputted in URLShortener should go through Spam blacklist
Open, Medium, Public

Description

In a third-party install without proper configuration, it may be possible to circumvent Spam blacklist via this tool.

Even in Wikimedia projects, where external websites cannot be linked, there's no technical means to prevent users from repeatedly creating short URLs from e.g. en.wikipedia.org/wiki/Example's_real_name_is_John_Doe_123123. This may first be blacklisted in the Spam blacklist, and when such URLs are inputted, not only is creation blocked, there will also be records in the spam blacklist log, so Meta sysops or stewards will block them.

I admit that 1. this cannot block such privacy-violating URLs completely, and 2. if hits are logged there will still be issues like T221072: URL shortener link creation should be logged (though this will only happen in extreme cases). Does anyone have better ideas?
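A minimal sketch of the check proposed in the description, added here as an illustration and not code from the URLShortener or SpamBlacklist extensions: the submitted URL is matched against the blacklist before a short code is created, and a hit is logged instead of stored. The function names, the in-memory store and hit log, the scheme normalisation and the blacklist entries are assumptions; the blacklist format is simplified to one regex fragment per line with `#` comments.

```python
import re

# Constructed entries, one regex fragment per line, '#' starts a comment.
# Not a real blacklist.
BLACKLIST_TEXT = r"""
\bspam-pills\.example\b                  # constructed spam domain
en\.wikipedia\.org/wiki/.*real_name_is   # pattern from the task description
"""


class BlockedURL(Exception):
    """Raised when a submitted URL matches a blacklist entry."""


def compile_blacklist(text):
    """Join the non-comment fragments into one case-insensitive URL regex."""
    fragments = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    fragments = [f for f in fragments if f]
    if not fragments:
        return None
    return re.compile(
        r"https?://+[a-z0-9_\-.]*(?:" + "|".join(fragments) + ")", re.I
    )


def normalise(url):
    """Assumed normalisation: add a scheme when the user omitted one."""
    url = url.strip()
    return url if re.match(r"https?://", url, re.I) else "https://" + url


def shorten(url, user, blacklist, store, hit_log):
    """Check first, then create. A hit is logged and nothing is stored."""
    url = normalise(url)
    hit = blacklist.search(url) if blacklist else None
    if hit:
        # The hit record is what lets sysops act on repeated attempts.
        hit_log.append({"user": user, "url": url, "matched": hit.group(0)})
        raise BlockedURL(url)
    # Reuse the existing code for a URL that was already shortened.
    return store.setdefault(url, format(len(store) + 1, "x"))
```

Because the hit log records the submitting user, it is the same kind of record whose visibility T221072 discusses.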

Event Timeline

@Bugreporter: What exactly is a Security issue in this task?

"it may be possible to circumvent Spam blacklist via this tool", though not on Wikimedia wikis.

Legoktm triaged this task as Medium priority. Aug 1 2019, 7:09 AM
Legoktm removed projects: Privacy, acl*security.
Legoktm subscribed.

+1 to the general idea. Don't think there's a security or privacy issue here though.

In a third-party install without proper configuration, it may be possible to circumvent Spam blacklist via this tool.

I'm not really worried about misconfigured wikis. In any case, the extension out of the box will automatically configure itself safely.

I admit that 1. this cannot block such privacy-violating URLs completely, and 2. if hits are logged there will still be issues like T221072 (though this will only happen in extreme cases). Does anyone have better ideas?

I think this is fine. Logging when it matches an abusive pattern isn't a privacy issue, because it's not correlating reader behavior, since the url isn't a page being read - it's abuse.

I think this is fine. Logging when it matches an abusive pattern isn't a privacy issue, because it's not correlating reader behavior, since the url isn't a page being read - it's abuse.

[This is a bit of a convoluted scenario, not sure how much weight we should give it]

Since there is no CSRF token associated with making a short url, we could have the following scenario for a malicious person (Malory) trying to find the IP address of a prominent user (Alice).