Problem with whitelists

List overview All Threads
Download

newer

older

Kabyle wikipedia [2] In need of a...

Re: [Wikitech-l] [Bug 7948]...

Edward Z. Yang

26 Nov 2006 26 Nov '06

12:52 p.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Let's say example.com and example.net are blacklisted, but subsite.example.com is whitelisted. Then, subsite.example.com.example.net is allowed. Isn't this incorrect behavior? Too tired to file/check for a Bugzilla report...

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFaR1yqTO+fYacSNoRAoNeAJ91tOJiwZHOxFpIkI6rn6TuPb3JiACcCjEG he0UxEL21cG3iEe75F5iePA= =+SdR -----END PGP SIGNATURE-----

Show replies by date

Brion Vibber

27 Nov 27 Nov

12:13 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Edward Z. Yang wrote:

...

Let's say example.com and example.net are blacklisted, but subsite.example.com is whitelisted. Then, subsite.example.com.example.net is allowed. Isn't this incorrect behavior?

Maybe you wanted a more precise regex? - -- brion vibber (brion @ pobox.com)

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFab04wRnhpk1wk44RAlmdAKC2P0/7WnAGr6o1ut9CmNLKTNQBwACg0G7i C0IRMnWSHtsIucI2rSr2gAg= =rmwH -----END PGP SIGNATURE-----

Mark Clements

5:17 p.m.

"Edward Z. Yang" <edwardzyang(a)thewritingpot.com> wrote in message news:ekb6hl$r7k$1@sea.gmane.org...

...

Let's say example.com and example.net are blacklisted, but subsite.example.com is whitelisted. Then, subsite.example.com.example.net is allowed. Isn't this incorrect behavior? Too tired to file/check for a Bugzilla report...

Does a similar behaviour occur, if you have badsite.com blacklisted and goodsite.com whitelisted? i.e. would goodsite.com.badsite.com work? If so that is a lot more serious! - Mark Clements (HappyDog)

Edward Z. Yang

28 Nov 28 Nov

5:21 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark Clements wrote:

...

Does a similar behaviour occur, if you have badsite.com blacklisted and goodsite.com whitelisted? i.e. would goodsite.com.badsite.com work? If so that is a lot more serious!

Yes. Try it yourself.

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFa1bvqTO+fYacSNoRAlmgAJ9jEZmTp/tXRvN1TAAh+B4RrK0qNwCdEsti l9aOzK2Tt9TEaz2rBagWmC0= =UyB1 -----END PGP SIGNATURE-----

Brion Vibber

6:03 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Edward Z. Yang wrote:

...

Mark Clements wrote:

Does a similar behaviour occur, if you have badsite.com blacklisted and goodsite.com whitelisted? i.e. would goodsite.com.badsite.com work? If so that is a lot more serious!

Yes. Try it yourself.

As I mentioned before, this is presumably because you're using a straight regex, with no anchor at the end, so it'll match subsets of a hostname. It's debatable whether that's actually ever desirable behavior, though. It might be wise to assume that a whitelist/blacklist entry with no '/' is meant to anchor at the end of the hostname and slip that in silently. - -- brion vibber (brion @ pobox.com)

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFa2CgwRnhpk1wk44RAmknAKDFFxSOQDyo3ta8QndQnIb3caQLMwCfRPE2 I8EDliV81+hrCjFDXNSUnjk= =vrWm -----END PGP SIGNATURE-----

Edward Z. Yang

6:11 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Brion Vibber wrote:

...

As I mentioned before, this is presumably because you're using a straight regex, with no anchor at the end, so it'll match subsets of a hostname.

I was thinking that too. It would be quite easy to fix on the whitelist end by tacking on loads of $. However...

...

It's debatable whether that's actually ever desirable behavior, though. It might be wise to assume that a whitelist/blacklist entry with no '/' is meant to anchor at the end of the hostname and slip that in silently.

That's what I think too. By default, whitelist definitions need to be a bit stricter. No one really minds if badsite.com.newsite.com is blocked (extremely strange subdomain conventions on newsite.com to say the least), but the reverse can be manipulated by domain squatters who have all their subdomains pointing at a generic home page. Granted, it doesn't seem to be a pressing issue, but we may have just violated [[WP:BEANS]].

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFa2KnqTO+fYacSNoRAsp4AJ0TbBF/zoy2VHFW3oI04bZwbKRP0gCdFtkX 9s40qG0WkVUEPNy0XKnl+bs= =97HV -----END PGP SIGNATURE-----

6384

days inactive

6385

days old

wikitech-l@lists.wikimedia.org

Manage subscription

5 comments

3 participants

tags (0)

participants (3)

Brion Vibber
Edward Z. Yang
Mark Clements