Last modified: 2006-04-28 23:18:59 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 5185 - Spam blacklist trivially circumvented using HTML comments
Spam blacklist trivially circumvented using HTML comments
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Page editing (Other open bugs)
unspecified
All All
: Normal major with 3 votes (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-06 23:40 UTC by Mark Pellegrini
Modified: 2006-04-28 23:18 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Mark Pellegrini 2006-03-06 23:40:18 UTC
It is trivially easy to circumvent the spam blacklist by using an HTML comment
in the URL. 

Example: 
http://en.wikipedia.org/w/index.php?title=Wikipedia/Stable&diff=42542934&oldid=38860953
(Kapitalism.net is on the spam blacklist).
Comment 1 bdk 2006-03-09 06:33:52 UTC

*** This bug has been marked as a duplicate of 4823 ***
Comment 2 Brion Vibber 2006-03-09 21:16:06 UTC
De-duping this. These extensions don't share code and work differently, 
so have to both be fixed separately.
Comment 3 Rob Church 2006-04-12 05:01:33 UTC
Fixed in trunk, r13601.
Comment 4 Mark Pellegrini 2006-04-26 23:27:26 UTC
Example:
http://en.wikipedia.org/w/index.php?title=Talk:Wikitruth&diff=50327924&oldid=50318100

http:///www.foo.org (notice the three slashes) is also an effective work around. 

Comment 5 Rob Church 2006-04-28 23:18:59 UTC
Second exploit should now be fixed in trunk, r13912.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links