2009/9/5 David Gerard <dgerard(a)gmail.com>:
See this talk page:
http://en.wikipedia.org/wiki/User_talk:189.148.6.25
The poster purports to be a journalist experimenting with putting
toxic links on Wikipedia to see who will follow them.
Although his actions were IMO dickish, he has some point: is there any
reason to allow .exe links on WMF sites? Is there a clean method to
disable them? Is this a bad idea for any reason? What should default
settings be in MediaWiki itself? etc., etc.
The relevant edits have been oversighted so I can't tell what kind of
URLs they were. If they were like "www.foo.com/bar.exe" then we can
easily stop them by not parsing URLs that end ".exe". There will be
some false positives (e.g.
http://en.wikipedia.org/wiki/.exe although
that is only a redirect, so no real harm), but it shouldn't involve
more than a slight change to 1 or 2 lines of code, unless I'm missing
something. Something more advanced that would actually block
executables, rather than just things with an exe extension, would
require actually following the link, which is probably too slow to be
practical (it would have to be done on rendering, rather than saving,
otherwise you can just change what is at the other end of the link
after saving the page).
Is there any great risk here, though? Modern browsers won't run such
an executable (at least not without big scary warnings which, of
course, we never just blindly click through).
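
The extension check proposed in this message, as an added Python sketch (not MediaWiki code and not part of the original post); the function names and the sample links other than the two URLs quoted in the thread are assumptions. It shows the false positive the message mentions, and that a link with no extension passes because the check never looks at what the link serves.

```python
from urllib.parse import urlsplit, unquote

# Assumption: the list of refused extensions; the thread only discusses ".exe".
BLOCKED_EXTENSIONS = (".exe",)


def has_blocked_extension(url, blocked=BLOCKED_EXTENSIONS):
    """Return True if the last path segment of the URL ends in a blocked extension.

    Only the path is inspected. The query string and fragment are ignored,
    percent-encoding is decoded, and case plus trailing dots/spaces are
    normalised, so "BAR.EXE", "bar%2Eexe" and "bar.exe." all match.
    """
    path = urlsplit(url.strip()).path
    # Take the last segment and drop any ";params" suffix before decoding.
    last_segment = path.rsplit("/", 1)[-1].split(";", 1)[0]
    name = unquote(last_segment).lower().rstrip(". ")
    return name.endswith(tuple(ext.lower() for ext in blocked))


def filter_links(urls):
    """Split candidate external links into (allowed, refused) lists."""
    allowed, refused = [], []
    for url in urls:
        (refused if has_blocked_extension(url) else allowed).append(url)
    return allowed, refused


# Constructed sample links; only the first and fourth appear in the thread.
SAMPLES = [
    "http://www.foo.com/bar.exe",           # the case from the thread
    "http://www.foo.com/BAR.EXE?x=1#top",   # case, query and fragment ignored
    "http://www.foo.com/bar%2Eexe",         # percent-encoded dot
    "http://en.wikipedia.org/wiki/.exe",    # false positive named in the thread
    "http://www.foo.com/bar.exe.html",      # different final extension: allowed
    "http://www.foo.com/get/123",           # no extension: content is unknown
]

if __name__ == "__main__":
    allowed, refused = filter_links(SAMPLES)
    for link in refused:
        print("REFUSE", link)
    for link in allowed:
        print("ALLOW ", link)
```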