[Moin-user] Using a redirect script for external links

Ry4an Brase ry4an-moin at ry4an.org
Sat Mar 12 10:33:25 EST 2005

On Thu, Mar 10, 2005 at 03:41:39PM -0800, Yusuf Abdulghani wrote:
> Interesting. This could be an optional security feature in the next 
> version of MoinMoin.

Were it added to MoinMoin, I suspect the easiest way to do it would be
to just create a 'redirect' action, which would be invoked like:


Then in url() in formatter/text_html.py a config option would just check
the redirection-scrub-desired setting and munge the URL right after this

        url = wikiutil.mapURL(self.request, url)

If it looked like an external http: or https: link you'd just prepend:


to it.

> BTW, where did you put the redirect.pl script? In your wiki's top-level 
> directory?

That's where I script-aliases it, yeah, but it could exist anywhere --
one could even just point to one of the many open redirects in the
wild.  There's one at http://www.algonet.se/~ug/html+pycgi, which looks
like this when used as a GET:


Thus, a mapping configuration like this:

url_mappings = {
    'http://': 'http://cgi.algonet.se/htbin/cgiwrap/ug/redirect.py?url=http://',
    'https://': 'http://cgi.algonet.se/htbin/cgiwrap/ug/redirect.py?url=https://'

should work with no further configuration.

However, it's probably pretty tacky to use someone else's open redirect
when you can set your own up in three lines of python.

Ry4an Brase - http://ry4an.org/unblog/

More information about the Moin-user mailing list