[Moin-user] Using a redirect script for external links
Ry4an Brase
ry4an-moin at ry4an.org
Sat Mar 12 10:33:25 EST 2005
On Thu, Mar 10, 2005 at 03:41:39PM -0800, Yusuf Abdulghani wrote:
> Interesting. This could be an optional security feature in the next
> version of MoinMoin.

Were it added to MoinMoin, I suspect the easiest way to do it would be
to just create a 'redirect' action, which would be invoked like:

    http://ry4an.org/unblog?action=redirect&url=http://external/target/url

Then in url() in formatter/text_html.py a config option would just check
the redirection-scrub-desired setting and munge the URL right after this
line:

    url = wikiutil.mapURL(self.request, url)

If it looked like an external http: or https: link you'd just prepend:

    <base>?action=redirect&url=

to it.

> BTW, where did you put the redirect.pl script? In your wiki's top-level
> directory?

That's where I script-alias it, yeah, but it could exist anywhere --
one could even just point to one of the many open redirects in the
wild. There's one at http://www.algonet.se/~ug/html+pycgi, which looks
like this when used as a GET:

    http://cgi.algonet.se/htbin/cgiwrap/ug/redirect.py?url=http://ry4an.org

Thus, a mapping configuration like this:

    url_mappings = {
        'http://': 'http://cgi.algonet.se/htbin/cgiwrap/ug/redirect.py?url=http://',
        'https://': 'http://cgi.algonet.se/htbin/cgiwrap/ug/redirect.py?url=https://'
    }

should work with no further configuration.

However, it's probably pretty tacky to use someone else's open redirect
when you can set your own up in three lines of Python.

--
Ry4an Brase - http://ry4an.org/unblog/
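
The link rewrite and the redirect action described in the message above, as an added example that is not part of the original post and not MoinMoin code. WIKI_BASE, wrap_external and redirect_target are hypothetical names; the sketch percent-encodes the target (a plain prepend would lose any `&` or `#` in it) and has the redirect side refuse anything that is not a single absolute http(s) URL.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumed values for illustration; these are not MoinMoin settings.
WIKI_BASE = "http://wiki.example/unblog"
WIKI_HOST = urlsplit(WIKI_BASE).netloc


def _split(url):
    """urlsplit() that returns None instead of raising on malformed input."""
    try:
        return urlsplit(url)
    except ValueError:
        return None


def wrap_external(url, enabled=True):
    """Route an external http(s) link through ?action=redirect (hypothetical)."""
    parts = _split(url)
    if not enabled or parts is None or parts.scheme not in ("http", "https"):
        return url
    if parts.netloc.lower() == WIKI_HOST:
        return url  # link into the wiki itself, nothing to scrub
    # Encode the whole target so its own '?', '&' and '#' stay inside url=
    return WIKI_BASE + "?action=redirect&url=" + quote(url, safe="")


def redirect_target(query_string):
    """Return the Location value for a redirect request, or None to refuse."""
    values = parse_qs(query_string).get("url", [])
    if len(values) != 1:
        return None
    target = values[0]
    # CR/LF or other control bytes would let the value break out of the header
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None
    parts = _split(target)
    if parts is None or parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return target
```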