Let's say example.com and example.net are blacklisted, but subsite.example.com is whitelisted.
Then, subsite.example.com.example.net is allowed. Isn't this incorrect behavior? Too tired to file/check for a Bugzilla report...
Edward Z. Yang wrote:
> Let's say example.com and example.net are blacklisted, but subsite.example.com is whitelisted.
> Then, subsite.example.com.example.net is allowed. Isn't this incorrect behavior?
Maybe you wanted a more precise regex?
-- brion vibber (brion @ pobox.com)
"Edward Z. Yang" edwardzyang@thewritingpot.com wrote in message news:ekb6hl$r7k$1@sea.gmane.org...
> Let's say example.com and example.net are blacklisted, but subsite.example.com is whitelisted.
> Then, subsite.example.com.example.net is allowed. Isn't this incorrect behavior? Too tired to file/check for a Bugzilla report...
Does a similar behaviour occur, if you have badsite.com blacklisted and goodsite.com whitelisted? i.e. would goodsite.com.badsite.com work? If so that is a lot more serious!
- Mark Clements (HappyDog)
Mark Clements wrote:
> Does a similar behaviour occur, if you have badsite.com blacklisted and goodsite.com whitelisted? i.e. would goodsite.com.badsite.com work? If so that is a lot more serious!
Yes. Try it yourself.
Edward Z. Yang wrote:
> Mark Clements wrote:
>> Does a similar behaviour occur, if you have badsite.com blacklisted and goodsite.com whitelisted? i.e. would goodsite.com.badsite.com work? If so that is a lot more serious!
> Yes. Try it yourself.
As I mentioned before, this is presumably because you're using a straight regex, with no anchor at the end, so it'll match subsets of a hostname.
It's debatable whether that's actually ever desirable behavior, though. It might be wise to assume that a whitelist/blacklist entry with no '/' is meant to anchor at the end of the hostname and slip that in silently.
-- brion vibber (brion @ pobox.com)
Brion Vibber wrote:
> As I mentioned before, this is presumably because you're using a straight regex, with no anchor at the end, so it'll match subsets of a hostname.
I was thinking that too. It would be quite easy to fix on the whitelist end by tacking on loads of $. However...
> It's debatable whether that's actually ever desirable behavior, though. It might be wise to assume that a whitelist/blacklist entry with no '/' is meant to anchor at the end of the hostname and slip that in silently.
That's what I think too. By default, whitelist definitions need to be a bit stricter. No one really minds if badsite.com.newsite.com is blocked (extremely strange subdomain conventions on newsite.com to say the least), but the reverse can be manipulated by domain squatters who have all their subdomains pointing at a generic home page.
Granted, it doesn't seem to be a pressing issue, but we may have just violated [[WP:BEANS]].
wikitech-l@lists.wikimedia.org
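The behaviour discussed in this thread, as an added example that is not part of the original messages and not the code of the software under discussion: it compares a straight regex with no end anchor against the proposed rule that an entry with no '/' anchors at the end of the hostname. The function names, the list contents, the sample URLs and the rule that a whitelist match overrides the blacklist are assumptions made for the sketch.

```python
import re
from urllib.parse import urlsplit

# Constructed lists using the hostnames from the thread.
BLACKLIST = [r"badsite\.com", r"example\.com", r"example\.net"]
WHITELIST = [r"goodsite\.com", r"subsite\.example\.com"]


def entry_matches(entry, url, anchor):
    """Return True if a list entry (a regex fragment) matches the URL.

    anchor=False: straight regex with no anchor at the end, so an entry
    can match the front part of a longer hostname.
    anchor=True: an entry with no '/' must match through to the end of
    the hostname, starting on a label boundary.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if anchor and "/" not in entry:
        return re.search(r"(?:^|\.)(?:" + entry + r")$", host, re.I) is not None
    return re.search(entry, host + parts.path, re.I) is not None


def allowed(url, anchor):
    """Assumed precedence: a whitelist match overrides the blacklist."""
    if any(entry_matches(e, url, anchor) for e in WHITELIST):
        return True
    return not any(entry_matches(e, url, anchor) for e in BLACKLIST)


def compare(urls):
    """Map each URL to (allowed unanchored, allowed anchored)."""
    return {u: (allowed(u, False), allowed(u, True)) for u in urls}


SAMPLE_URLS = [  # constructed test inputs
    "http://subsite.example.com/page",
    "http://www.example.com/",
    "http://subsite.example.com.example.net/",
    "http://goodsite.com.badsite.com/",
]

if __name__ == "__main__":
    for url, (loose, strict) in compare(SAMPLE_URLS).items():
        print(f"{url:45} unanchored={loose!s:5} anchored={strict}")
```

With anchoring on, badsite.com.newsite.com is no longer caught by the badsite.com blacklist entry, which is the trade-off the last message accepts.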