Last modified: 2008-05-16 19:15:46 UTC

Bug 14154 - Whitelisted URLs can appear outside the top domain name
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
ConfirmEdit (CAPTCHA extension)
Assigned To: Nobody - You can work on this!
Reported: 2008-05-16 18:27 UTC by Paul Lange
Modified: 2008-05-16 19:15 UTC
Description Paul Lange 2008-05-16 18:27:33 UTC
With ConfirmEdit you can whitelist URLs that you don't want to require a CAPTCHA using the MediaWiki:captcha-addurl-whitelist page. However you can't just whitelist a specific domain without a spammer being able to exploit it by adding the domain somewhere else in the URL.

For example: if you add wikimedia\.org to whitelist the wikimedia.org domain,
http://examplewikimedia.org/
http://wikimedia.org.example.com/
http://example.com/?http://wikimedia.org/
will all be able to bypass the CAPTCHA.
Comment 1 Nakon 2008-05-16 18:41:15 UTC
You can add a boundary by using \bdomain\.com\b .
Comment 2 Brion Vibber 2008-05-16 19:15:46 UTC
The generated regex wasn't properly anchored, so would match later in the URL than it should.

Fixed in r34932; also made it match both http and https.
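
The matching strategies discussed in this report, compared on the three URLs from the description. This is an added example, not ConfirmEdit's code and not the r34932 change; the function names, the extra test URLs and the `host_anchored` pattern are assumptions made for illustration.

```python
import re

# Whitelist entry from the report, as typed on the whitelist page.
FRAGMENT = r"wikimedia\.org"

# The three URLs from the description, which should NOT be whitelisted.
BYPASS_URLS = [
    "http://examplewikimedia.org/",
    "http://wikimedia.org.example.com/",
    "http://example.com/?http://wikimedia.org/",
]
# Constructed URLs that SHOULD be whitelisted (assumed intent of the entry).
LEGIT_URLS = [
    "http://wikimedia.org/",
    "https://commons.wikimedia.org/wiki/Main_Page",
]

def unanchored(fragment):
    # Entry searched anywhere in the URL: the behaviour the report describes.
    return re.compile("(?:" + fragment + ")", re.IGNORECASE)

def word_bounded(fragment):
    # The \b form from comment 1.
    return re.compile(r"\b(?:" + fragment + r")\b", re.IGNORECASE)

def host_anchored(fragment):
    # Assumed hardened form: scheme, optional subdomain labels, the entry,
    # then the end of the host (optional port, then /, ?, # or end of string).
    return re.compile(
        r"^https?://(?:[a-z0-9-]+\.)*(?:" + fragment + r")(?::\d+)?(?:[/?#]|$)",
        re.IGNORECASE,
    )

def whitelisted(build, urls):
    # Return the subset of urls that the built pattern would let skip the CAPTCHA.
    pattern = build(FRAGMENT)
    return [u for u in urls if pattern.search(u)]

if __name__ == "__main__":
    for build in (unanchored, word_bounded, host_anchored):
        print(build.__name__)
        print("  bypass URLs accepted:", whitelisted(build, BYPASS_URLS))
        print("  legit URLs accepted: ", whitelisted(build, LEGIT_URLS))
```

In this comparison the `\b` form stops `examplewikimedia.org` but still accepts the other two URLs, because `.` and `/` are non-word characters and therefore count as boundaries.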
