Last modified: 2011-03-13 18:05:52 UTC
It should not be possible to make the MediaWiki software render links of any sort to literal loopback, RFC1918, or zeroconf IP addresses from within the Wikipedia software, since these
a) cannot possibly benefit Wikipedia, since they are not publicly routable, and thus can never link to any publicly-available resource
b) could potentially be used for cross-site request attacks on badly-programmed network devices or host-local services which accept commands to their Web-based control interfaces via HTTP GET at well-known IP addresses (for example ADSL routers, printers)
This should be the default for Wikimedia sites: I can think of some valid uses for this within private MediaWiki sites, so perhaps this feature should be controlled by a site-settable option.
This can be achieved by preventing links being created for URLs with the following regexp patterns:
    [a-z]+://127\.[0-9]+\.[0-9]+\.[0-9:]+
    [a-z]+://127\.[0-9]+\.[0-9]+\.[0-9:]+/.*
    [a-z]+://10\.[0-9]+\.[0-9]+\.[0-9:]+
    [a-z]+://10\.[0-9]+\.[0-9]+\.[0-9:]+/.*
    [a-z]+://172\.[12][0-9]\.[0-9]+\.[0-9:]+
    [a-z]+://172\.[12][0-9]\.[0-9]+\.[0-9:]+/.*
    [a-z]+://172\.3[01]\.[0-9]+\.[0-9:]+
    [a-z]+://172\.3[01]\.[0-9]+\.[0-9:]+/.*
    [a-z]+://192\.168\.[0-9]+\.[0-9:]+
    [a-z]+://192\.168\.[0-9]+\.[0-9:]+/.*
    [a-z]+://169\.254\.[0-9]+\.[0-9:]+
    [a-z]+://169\.254\.[0-9]+\.[0-9:]+/.*
When implementing this, it also would make sense to block all-numeric IP address representations in URLs, since
a) they are a historic relic of browser implementation that is now only ever used to maliciously obfuscate IP addresses.
b) they could potentially be used to get around the blocks above, by obfuscating the various non-routable addresses above
These can be blocked with the following regexps:
    [a-z]+://[0-9]+
    [a-z]+://[0-9]+/.*
IPv6 loopback and link-local addresses should also be blocked: but they are far less of a threat than the above, due to the lack of deployment of IPv6
Correction to comment #1: Those regexps do not take into account port numbers, they should be
    [a-z]+://[0-9]+:?[0-9]*
    [a-z]+://[0-9]+:?[0-9]*/.*
instead of the versions given in comment #1. (Note that only addresses with zero or one colons are blocked: this is to prevent the blocking of literal IPv6 addresses).
How many such links already exist on WMF projects? It would be a bad idea to break a ton of links.
I tend to be skeptical, but perhaps there would be some reason to do this. Whole-URL regexes probably aren't the best place though; would be cleaner to check within the url normalization.
What about internal company wikis? This needs to be an on/off switch feature.
See the bug description, where I explicitly mentioned this. Another approach to the same problem might be to put these regexps into the existing spam blocker list, in which case there should be no need to add this to the software as an explicit feature, although this would mean that a full scan of the entire database would be needed to root out any old copies of such URLs that are already in the wiki.
(In reply to comment #5)
> I tend to be skeptical, but perhaps there would be some reason to do this.
>
> Whole-URL regexes probably aren't the best place though; would be cleaner to check within the url normalization.
I don't see the use for this. Just more overhead.
It is also completely pointless. A perfect example of security got completely wrong. See, for example: http://example.gotdns.org/ I just created this hostname that points to 192.168.1.100 (the address used by several home ADSL modems) in a few seconds using a free DNS hosting service on the internet. How would MediaWiki possibly detect such an address as local?
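An added example, not part of the bug thread and not MediaWiki code: the check requested in the report, done on the parsed host (as comment #5 suggests) instead of with whole-URL regexps. The function name and the `enabled` switch are hypothetical; the check looks only at literal addresses in the URL, so a DNS name that resolves to one of these ranges is not matched.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges named in the report: loopback, RFC 1918, zeroconf (link-local),
# plus the IPv6 loopback and link-local ranges.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",  # /12 = 172.16.x.x to 172.31.x.x
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10",
)]

def link_block_reason(url, enabled=True):
    """Return why a link should not be rendered, or None if it may be.

    `enabled` stands in for the site-settable option (hypothetical name).
    """
    if not enabled:
        return None
    try:
        host = urlsplit(url).hostname   # drops scheme, port, path and brackets
    except ValueError:                  # malformed bracketed host: fail closed
        return "unparseable host"
    if not host:
        return None
    if re.fullmatch(r"[0-9]+", host):   # e.g. 2130706433, which is 127.0.0.1
        return "all-numeric host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                     # a DNS name, not a literal address
    for net in BLOCKED_NETS:
        if ip in net:
            return f"literal address in {net}"
    return None

if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("http://192.168.1.1:8080/admin", "http://172.15.0.1/",
                "http://2130706433/", "http://[::1]/", "http://example.org/"):
        print(url, "->", link_block_reason(url))
```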