2009/9/5 Thomas Dalton <thomas.dalton(a)gmail.com>:
> The relevant edits have been oversighted so I can't tell what kind of
> URLs they were. If they were like "www.foo.com/bar.exe" then we can
> easily stop them by not parsing URLs that end ".exe".
It was on Rapidshare. It was of the form:
http://xxx123.rapidshare.de/123456789/InnocentToxicWaste.exe
- so it didn't link directly to the file itself, even - but to the
page about the file.
> There will be some false positives (e.g.
> http://en.wikipedia.org/wiki/.exe although that is only a redirect, so
> no real harm),
I forgot about that. Given that exes could be on *any* sort of page,
any collateral damage suggests this is a pointless bit of security
theatre ...
> but it shouldn't involve more than a slight change to 1 or 2 lines of
> code, unless I'm missing something. Something more advanced that would
> actually block executables, rather than just things with an exe
> extension would require actually following the link, which is probably
> too slow to be practical (it would have to be done on rendering, rather
> than saving, otherwise you can just change what is at the other end of
> the link after saving the page).
As I noted, in this case the link actually went to a download page,
not directly to the .exe. He still got five people to download it.
> Is there any great risk here, though? Modern browsers won't run such
> an executable (at least not without big scary warnings which, of
> course, we never just blindly click through).
*cough*
- d.