
Phriction page links using URL encoding can be retargeted without editing
Closed, Wontfix | Public

Description

I'm fixing T12344, but the fix means that a user can do this:

  • Write a document with a link to [[ %24doge ]].
  • This will link to w/24doge/. Create a "Good" page there. Work hard to build trust in the document.
  • Later, create an "Evil" page at w/$doge/.
  • Delete or move the page at w/24doge/.
  • Today, this does nothing. Wait until we perhaps some day change the remarkup rule so that linking to a deleted or moved page treats it as though it does not exist. We may or may not ever do this.
  • At that far-future date, because w/$doge/ exists and w/24doge/ no longer exists, [[ %24doge ]] is now a link to the "Evil" page even though the content of the document containing the link was not edited.

This attack seems completely absurd to me -- and I don't see any real way around it -- so I'm not planning to fix it and mention it here only for completeness.

Event Timeline

epriestley triaged this task as Wishlist priority.
epriestley created this task.

A similar "attack" is to send a link to two destinations based on the viewer:

  • Link to [[ %24doge ]].
  • Create w/$doge/.
  • Create w/24doge/.

Users who have permission to see w/24doge/ will see the link as pointing there.

Users who have permission to see w/$doge/, but do not have permission to see w/24doge/, will see the link as pointing to w/$doge/.

Fixing this would imply a mild performance penalty for everyone, and this attack doesn't seem like a real threat, so I'm not planning to change this behavior.
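The sketch below is an added example, not Phabricator code and not part of the task or its comments. It models the resolution order the task describes, so a wiki administrator can flag links whose destination depends on page state or on the viewer. The slug normalization, the function names and the `PAGES` data are assumptions made for illustration, and `PAGES` holds only pages the resolver treats as existing.

```python
import re
from urllib.parse import unquote

def candidate_slugs(target):
    # Assumed model: the literal slug (characters outside [a-z0-9_/-] dropped)
    # is preferred, and the URL-decoded slug is the fallback.
    raw = target.strip().lower()
    ordered = []
    for slug in (re.sub(r"[^a-z0-9_/-]", "", raw), unquote(raw)):
        slug = slug.strip("/")
        if slug and slug not in ordered:
            ordered.append(slug)
    return ordered

def resolve(target, pages, viewer):
    # pages maps slug -> set of viewers allowed to see it (constructed data).
    for slug in candidate_slugs(target):
        if viewer in pages.get(slug, ()):
            return slug
    return None

def audit_link(target, pages, viewers):
    """Report a link whose destination depends on page state or on the viewer."""
    candidates = candidate_slugs(target)
    existing = [s for s in candidates if s in pages]
    per_viewer = {v: resolve(target, pages, v) for v in viewers}
    return {
        "candidates": candidates,
        # More than one candidate: the target can change without a document edit.
        "retargetable": len(candidates) > 1,
        # Existing pages that are currently hidden behind an earlier candidate.
        "shadowed": existing[1:],
        # Different viewers are sent to different pages right now.
        "viewer_dependent": len(set(per_viewer.values()) - {None}) > 1,
        "per_viewer": per_viewer,
    }

# Constructed sample state mirroring the two pages in the task.
PAGES = {"24doge": {"alice"}, "$doge": {"alice", "bob"}}
REPORT = audit_link("%24doge", PAGES, ["alice", "bob"])
```

Running `audit_link` over every link target in a document lists the links that have a second candidate page, which are the only ones the scenarios above can affect.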