Page MenuHomePhabricator

Phriction page links using URL encoding can be retargeted without editing
Closed, WontfixPublic


I'm fixing T12344, but the fix means that a user can do this:

  • Write a document with a link to [[ %24doge ]].
  • This will link to w/24doge/. Create a "Good" page there. Work hard to build trust in the document.
  • Later, create an "Evil" page at w/$doge/.
  • Delete or move the page at w/24doge/.
  • Today, this does nothing. Wait until we perhaps some day change the remarkup rule so that linking to a deleted or moved page treats it as though it does not exist. We may or may not ever do this.
  • At that far-future date, because w/$doge/ exists and w/24doge/ no longer exists, [[ %24doge ]] is now a link to the "Evil" page even though the content of the document containing the link was not edited.

This attack seems completely absurd to me -- and I don't see any real way around it -- so I'm not planning to fix it and mention it here only for completeness.

Event Timeline

epriestley triaged this task as Wishlist priority.
epriestley created this task.

A similar "attack" is to send a link to two destinations based on the viewer:

  • Link to [[ %24doge ]].
  • Create w/$doge/.
  • Create w/24doge/.

Users who have permission to see w/24doge/ will see the link as pointing there.

Users who have permission to see w/$doge/, but do not have permission to see w/24doge/, will see the link as pointing to w/$doge/.

Fixing this would imply a mild performance penalty for everyone and this attack doesn't seem like a real threat so I'm not planning to change this behavior.