2009/9/5 David Gerard dgerard@gmail.com:
See this talk page:
http://en.wikipedia.org/wiki/User_talk:189.148.6.25
The poster purports to be a journalist experimenting with putting toxic links on Wikipedia to see who will follow them.
Although his actions were IMO dickish, he has some point: is there any reason to allow .exe links on WMF sites? Is there a clean method to disable them? Is this a bad idea for any reason? What should default settings be in MediaWiki itself? etc., etc.
The relevant edits have been oversighted so I can't tell what kind of URLs they were. If they were like "www.foo.com/bar.exe" then we can easily stop them by not parsing URLs that end ".exe". There will be some false positives (e.g. http://en.wikipedia.org/wiki/.exe although that is only a redirect, so no real harm), but it shouldn't involve more than a slight change to 1 or 2 lines of code, unless I'm missing something. Something more advanced that would actually block executables, rather than just things with an exe extension, would require actually following the link, which is probably too slow to be practical (it would have to be done on rendering, rather than saving, otherwise you can just change what is at the other end of the link after saving the page).
Is there any great risk here, though? Modern browsers won't run such an executable (at least not without big scary warnings which, of course, we never just blindly click through).
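A sketch of the suffix check discussed in the reply above, as an added example that is not part of the original thread and is not MediaWiki code. The function names, the URL regex and the sample text are assumptions made for illustration; the check looks only at the URL path, so it reproduces the false positive on `/wiki/.exe` mentioned in the message.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Assumed blocklist; the thread only discusses ".exe".
BLOCKED_EXTENSIONS = (".exe",)

# Simplified bare-URL matcher (assumption, not MediaWiki's own pattern).
URL_RE = re.compile(r"https?://[^\s<>\[\]\"]+")


def blocked_extension(url):
    """Return the blocked extension the URL's path ends with, or None."""
    # Only the path counts: ?query and #fragment are ignored, percent-escapes
    # are decoded, and the comparison is case-insensitive.
    path = unquote(urlsplit(url).path)
    last_segment = path.rsplit("/", 1)[-1].lower()
    for ext in BLOCKED_EXTENSIONS:
        if last_segment.endswith(ext):
            return ext
    return None


def linkify(text):
    """Turn bare URLs into links; blocked URLs stay as plain text."""
    skipped = []

    def replace(match):
        url = match.group(0)
        if blocked_extension(url):
            skipped.append(url)
            return html.escape(url)
        safe = html.escape(url, quote=True)
        return '<a href="{0}">{0}</a>'.format(safe)

    return URL_RE.sub(replace, text), skipped


# Constructed sample text, not taken from the oversighted edits.
SAMPLE = (
    "See http://www.foo.com/bar.exe and http://www.foo.com/BAR.EXE?x=1 "
    "and http://en.wikipedia.org/wiki/.exe and http://www.foo.com/bar.exe.html"
)

if __name__ == "__main__":
    rendered, skipped = linkify(SAMPLE)
    print(rendered)
    print("not linked:", skipped)
```

The check runs at render time on the URL text alone, so it says nothing about what the server at the other end actually returns.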