2009/9/5 Thomas Dalton <thomas.dal...@gmail.com>:

> The relevant edits have been oversighted so I can't tell what kind of
> URLs they were. If they were like "www.foo.com/bar.exe" then we can
> easily stop them by not parsing URLs that end ".exe".

It was on Rapidshare. It was of the form:

http://xxx123.rapidshare.de/123456789/InnocentToxicWaste.exe

- so it didn't link directly to the file itself, even - but to the page about the file.

> There will be
> some false positives (eg. http://en.wikipedia.org/wiki/.exe although
> that is only a redirect, so no real harm),

I forgot about that. Given that exes could be on *any* sort of page, any collateral damage suggests this is a pointless bit of security theatre ...

> but it shouldn't involve
> more than a slight change to 1 or 2 lines of code, unless I'm missing
> something. Something more advanced that would actually block
> executables, rather than just things with an exe extension would
> require actually following the link, which is probably too slow to be
> practical (it would have to be done on rendering, rather than saving,
> otherwise you can just change what is at the other end of the link
> after saving the page).

As I noted, in this case the link actually went to a download page, not directly to the .exe. He still got five people to download it.

> Is there any great risk here, though? Modern browsers won't run such
> an executable (at least not without big scary warnings which, of
> course, we never just blindly click through).

*cough*

- d.

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l