2009/9/5 Thomas Dalton <thomas.dalton@gmail.com>:
> The relevant edits have been oversighted so I can't tell what kind of URLs they were. If they were like "www.foo.com/bar.exe" then we can easily stop them by not parsing URLs that end ".exe".
It was on Rapidshare. It was of the form:
http://xxx123.rapidshare.de/123456789/InnocentToxicWaste.exe
- so it didn't link directly to the file itself, even - but to the page about the file.
> There will be some false positives (e.g. http://en.wikipedia.org/wiki/.exe although that is only a redirect, so no real harm),
I forgot about that. Given that exes could be on *any* sort of page, any collateral damage suggests this is a pointless bit of security theatre ...
> but it shouldn't involve more than a slight change to 1 or 2 lines of code, unless I'm missing something. Something more advanced that would actually block executables, rather than just things with an exe extension would require actually following the link, which is probably too slow to be practical (it would have to be done on rendering, rather than saving, otherwise you can just change what is at the other end of the link after saving the page).
As I noted, in this case the link actually went to a download page, not directly to the .exe. He still got five people to download it.
> Is there any great risk here, though? Modern browsers won't run such an executable (at least not without big scary warnings which, of course, we never just blindly click through).
*cough*
- d.
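Added example, not code from this thread or from MediaWiki: the "URLs that end .exe" check Thomas Dalton sketches, next to a slightly more careful variant that looks only at the last path segment, ignores case and the query string, and exempts hosts where a path ending in .exe is known to be a wiki page. The two URLs from the thread are used as input together with two constructed ones; the extra extensions, the trusted-host list and the example.org URLs are assumptions made for the illustration.

```python
# Added example, not code from the thread or from MediaWiki: a URL-extension
# filter of the kind sketched above ("not parsing URLs that end .exe"), plus a
# path-based variant, run over a few constructed URLs so that the Rapidshare
# hit and the /wiki/.exe false positive are both visible.
from urllib.parse import urlsplit
import posixpath

# Extensions to refuse. The thread only talks about .exe; the others are an
# assumption added for illustration.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".msi")

# Hosts where a path ending in .exe is known to be a wiki page rather than a
# binary (the "/wiki/.exe" redirect from the thread). Assumed list.
TRUSTED_HOSTS = frozenset({"en.wikipedia.org"})

# Constructed sample input. The first two URLs are the ones quoted in the
# thread; the example.org ones are made up for this example.
RAPIDSHARE_URL = "http://xxx123.rapidshare.de/123456789/InnocentToxicWaste.exe"
WIKI_REDIRECT = "http://en.wikipedia.org/wiki/.exe"
SAMPLE_URLS = [
    RAPIDSHARE_URL,
    WIKI_REDIRECT,
    "http://example.org/dl/tool.EXE?mirror=2",   # uppercase extension + query string
    "http://example.org/files/readme.html",
]


def naive_ends_with_exe(url: str) -> bool:
    """The one-line check from the thread: does the whole URL end in '.exe'?"""
    return url.strip().lower().endswith(".exe")


def blocked_extension(url: str) -> bool:
    """Path-based check: inspect only the last path segment, case-insensitively,
    so a query string or a capitalised extension does not slip past, and exempt
    hosts whose '.exe' paths are known to be ordinary pages."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https", "ftp"):
        return False
    host = (parts.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return False
    last_segment = posixpath.basename(parts.path).lower()
    return last_segment.endswith(BLOCKED_EXTENSIONS)


def filter_links(urls):
    """Return the URLs the path-based check would still let through."""
    return [u for u in urls if not blocked_extension(u)]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n  naive={naive_ends_with_exe(u)}  path_based={blocked_extension(u)}")
```

Note what neither function does: nothing here fetches the target or looks at what is served. The Rapidshare link is caught purely because its last path segment happens to be named "InnocentToxicWaste.exe"; the same download page behind a renamed file, a URL shortener or a "?file=" parameter passes straight through, and the naive whole-string check additionally misses "tool.EXE?mirror=2". That is the gap the thread is pointing at when it calls the check security theatre.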