> People can, and have, externally linked to malicious software from our sites.
I remember the time that hit the news about three months ago, and almost all outlets wrote the software was actually uploaded to our site.
> Of course, that can happen anywhere on the net and users (and their browser software) should be smart enough not to execute such code, but Wikipedia looks rather respectable so people may be more inclined to bypass security measures based on something on our site.
Okay, so none of this stuff would be automatically loading, it would all be "This site is requesting you activate ****.*** [Yes] [No]" sort of thing?
> At the moment there are 209 external links to .exe files from the main namespace of English Wikipedia.
Is there a list of where these links are, so they can be reviewed? Or have they indeed already been reviewed? If they're linking to freeware or open source programs, for example, they likely should all be linking to a product page, not directly to the download.
> > At the moment there are 209 external links to .exe files from the main namespace of English Wikipedia.
> Is there a list of where these links are, so they can be reviewed? Or have they indeed already been reviewed? If they're linking to freeware or open source programs, for example, they likely should all be linking to a product page, not directly to the download.
Indeed. I can't see any reason for a direct link to an exe in a Wikipedia article.
On Aug 2, 2007, at 10:23 AM, Thomas Dalton wrote:
> > > At the moment there are 209 external links to .exe files from the main namespace of English Wikipedia.
> > Is there a list of where these links are, so they can be reviewed? Or have they indeed already been reviewed? If they're linking to freeware or open source programs, for example, they likely should all be linking to a product page, not directly to the download.
> Indeed. I can't see any reason for a direct link to an exe in a Wikipedia article.
foundation-l mailing list foundation-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/foundation-l
Does the bot/script detect things like say, .php download pages that automatically download a .exe file upon loading?
-Dan Rosenthal
Thomas Dalton wrote:
> > Does the bot/script detect things like say, .php download pages that automatically download a .exe file upon loading?
> I doubt it, but no decent browser would fall for that without giving the user a pretty big warning.
Just the same warning you get when you click a link that ends in .exe.
-- brion vibber (brion @ wikimedia.org)
On 8/2/07, Dan Rosenthal <swatjester@gmail.com> wrote:
> Does the bot/script detect things like say, .php download pages that automatically download a .exe file upon loading?
I'm not aware of anyone who has checked our EL's for sites which give executable mime types for URLs we wouldn't expect to be executable.
It could be done and should be done.. but doing it in bulk takes time because we have a *huge* number of external links.
On 02/08/2007, Gregory Maxwell <gmaxwell@gmail.com> wrote:
> On 8/2/07, Dan Rosenthal <swatjester@gmail.com> wrote:
> > Does the bot/script detect things like say, .php download pages that automatically download a .exe file upon loading?
> I'm not aware of anyone who has checked our EL's for sites which give executable mime types for URLs we wouldn't expect to be executable.
> It could be done and should be done.. but doing it in bulk takes time because we have a *huge* number of external links.
I have started work on a script to do this. It will take me a few more days to complete (trying to track down some funny bugs), but it will probably take even longer for the script to actually run.
On 8/2/07, Nicholas Moreau <nicholasmoreau@gmail.com> wrote:
> > People can, and have, externally linked to malicious software from our sites.
> I remember the time that hit the news about three months ago, and almost all outlets wrote the software was actually uploaded to our site.
Yes and that wasn't accurate.
> > Of course, that can happen anywhere on the net and users (and their browser software) should be smart enough not to execute such code, but Wikipedia looks rather respectable so people may be more inclined to bypass security measures based on something on our site.
> Okay, so none of this stuff would be automatically loading, it would all be "This site is requesting you activate ****.*** [Yes] [No]" sort of thing?
Right. It would be a 'click the link', then your browser would download and say 'Are you sure you want to run this probably malicious software, "Brittney_spears_boobies.exe"?', then the user clicks yes. ;)
> > At the moment there are 209 external links to .exe files from the main namespace of English Wikipedia.
> Is there a list of where these links are, so they can be reviewed?
I've listed them in the past and went through and fixed a bunch of them myself. I think there were far fewer then and I removed many of them... :(
I've put up a list: http://en.wikipedia.org/wiki/User:Gmaxwell/extff/exe
You can see the older version in the history of the page.. I think that might have been the list after I'd already made one pass at removing them.
> Or have they indeed already been reviewed? If they're linking to freeware or open source programs, for example, they likely should all be linking to a product page, not directly to the download.
You are absolutely correct.
I'd say we should deny, by policy and possibly technical means, external linking to URLs with certain names or which transmit certain mime types...
Actually pulling it off might be hard: a number of the exe's are really just ZIP files converted into self-extracting archives. The data in them may not be easily available in other forms. There is almost certainly a launch page for these, but finding them when all you know is the deep link name can be hard.
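The check discussed in the thread (external links whose URL does not look executable but whose response is, and the idea of refusing links by name or MIME type) can be sketched as follows. This is an added example, not the script mentioned above or any code from the list; it assumes a crawler has already fetched each link's response headers and first bytes, and the verdict names, function names and sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

EXEC_EXT = (".exe", ".msi", ".scr", ".com", ".bat")
EXEC_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}

def disposition_filename(value):
    """Extract the filename (plain or RFC 5987 filename*) from Content-Disposition."""
    m = re.search(r"filename\*?=(?:[\w-]+'')?\"?([^\";]+)", value or "", re.I)
    return unquote(m.group(1)).strip() if m else ""

def classify(url, headers, first_bytes=b""):
    """Return (verdict, reasons) for one external link's response."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    fname = disposition_filename(h.get("content-disposition", ""))
    reasons = []
    if ctype in EXEC_TYPES:
        reasons.append("content-type " + ctype)
    if fname.lower().endswith(EXEC_EXT):
        reasons.append("attachment filename " + fname)
    # DOS/PE executables start with "MZ"; ignore text bodies that merely do too.
    if first_bytes.startswith(b"MZ") and not ctype.startswith("text/"):
        reasons.append("MZ magic bytes")
    if urlsplit(url).path.lower().endswith(EXEC_EXT):
        return "direct-exe-link", reasons      # visible from the link text itself
    return ("hidden-executable" if reasons else "ok"), reasons

# Constructed sample responses (not real links from any wiki).
SAMPLES = [
    ("http://downloads.example.org/get.php?id=7",
     {"Content-Type": "application/octet-stream",
      "Content-Disposition": 'attachment; filename="setup.exe"'}, b"MZ\x90\x00"),
    ("http://www.example.org/product.html",
     {"Content-Type": "text/html; charset=utf-8"}, b"<!DOCTYPE"),
    ("http://mirror.example.org/tool-1.0.exe",
     {"Content-Type": "application/x-msdownload"}, b"MZ\x90\x00"),
]

def audit(samples):
    """Map each sampled URL to its verdict."""
    return [(url, classify(url, hdrs, body)[0]) for url, hdrs, body in samples]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES):
        print(verdict, url)
```

A "hidden-executable" verdict is the case a suffix-only scan of link text misses; a self-extracting archive would still be reported, so such links need manual review to find the product page.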