This repository has been archived by the owner on Nov 6, 2023. It is now read-only.

Forbid * in the middle of the target host #4369

Closed
RReverser opened this issue Mar 14, 2016 · 6 comments

@RReverser
Contributor

As @jsha pointed out in #2981 (comment):

Agreed we want to remove internal * in target hosts, and remove it from support in the rewriter.

So I decided to create an issue for 1) removal of support for this in the rewriter code 2) having tests that check against such <target host /> occurrences.

@RReverser
Contributor Author

RReverser commented Sep 1, 2017

Looks like after #2981 was fixed by #3603, some new cases appeared:

src/chrome/content/rules/Argonne-National-Laboratory.xml:	<target host="www.*.anl.gov" />
src/chrome/content/rules/General-Electric.xml:	<target host="files.*.geblogs.com"/>
src/chrome/content/rules/GPLHost.xml:	<target host="dtc.*.gplhost.com"/>
src/chrome/content/rules/Monster.xml:	<target host="hiring.*.monster.com" />
src/chrome/content/rules/OnSugar.xml:	<target host="secure.*.onsugar.com" />
src/chrome/content/rules/OnSugar.xml:	<target host="www.*.onsugar.com" />
src/chrome/content/rules/Projectplace.com.xml:	<target host="projectplace.*.dimelo.com" />
src/chrome/content/rules/Truenudists.com.xml:	<target host="cdn.*.truenudists.com" />
src/chrome/content/rules/United-States-Department-of-Energy.xml:	<target host="www.*.doe.gov" />
src/chrome/content/rules/University-of-Alaska.xml:	<target host="www.*.alaska.edu" />
src/chrome/content/rules/University-of-Bern.xml:	<target host="www.*.unibe.ch" />
src/chrome/content/rules/University-of-Idaho.xml:	<target host="www.*.uidaho.edu" />
src/chrome/content/rules/University-of-Southampton.xml:	<target host="www.*.soton.ac.uk" />
src/chrome/content/rules/University_of_Houston.xml:	<target host="www.*.uh.edu" />
src/chrome/content/rules/University_of_Maine.xml:	<target host="www.*.umaine.edu" />
src/chrome/content/rules/US-Dept-of-Veterans-Affairs.xml:	<target host="www.*.vaforvets.va.gov" />
src/chrome/content/rules/US-Dept-of-Veterans-Affairs.xml:	<target host="www.*.vba.va.gov" />
src/chrome/content/rules/US-military.xml:	<target host="usarmy.*.llnwd.net" />
src/chrome/content/rules/Wikidot.xml:	<target host="1.*.wdfiles.com"/>
src/chrome/content/rules/Wikidot.xml:	<target host="2.*.wdfiles.com"/>
src/chrome/content/rules/Wikidot.xml:	<target host="3.*.wdfiles.com"/>
src/chrome/content/rules/Wikidot.xml:	<target host="4.*.wdfiles.com"/>
src/chrome/content/rules/Wikidot.xml:	<target host="5.*.wdfiles.com"/>
src/chrome/content/rules/Wikidot.xml:	<target host="6.*.wdfiles.com"/>
src/chrome/content/rules/Wikidot.xml:	<target host="7.*.wdfiles.com"/>
src/chrome/content/rules/Wikidot.xml:	<target host="8.*.wdfiles.com"/>
src/chrome/content/rules/Wikidot.xml:	<target host="9.*.wdfiles.com"/>

cc @fuglede @jsha @Hainish @Bisaloo - can we attempt to fix these and, this time, add a linter rule to prevent adding similar rules in future?

RReverser added a commit to RReverser/https-everywhere that referenced this issue Sep 1, 2017
See EFForg#4369. These targets are also excessive.
RReverser added a commit to RReverser/https-everywhere that referenced this issue Sep 1, 2017
See EFForg#4369. Only these subdomains seem to be matched by a regexp.
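
One way to write the linter check requested above (an added example, not code from this thread or from the HTTPS Everywhere repository). It assumes a wildcard is acceptable only as the entire leftmost or rightmost label of a target host; `wildcard_problem`, `lint_rulesets` and the sample rulesets are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulesets; the two offending hosts come from the list above.
SAMPLE_RULESETS = {
    "Wikidot.xml": """<ruleset name="Wikidot">
  <target host="wikidot.com" />
  <target host="*.wikidot.com" />
  <target host="1.*.wdfiles.com" />
  <rule from="^http:" to="https:" />
</ruleset>""",
    "Argonne-National-Laboratory.xml": """<ruleset name="ANL">
  <target host="anl.gov" />
  <target host="www.*.anl.gov" />
  <rule from="^http:" to="https:" />
</ruleset>""",
}


def wildcard_problem(host):
    """Return why the wildcard placement is rejected, or None if acceptable."""
    labels = host.split(".")
    starred = [i for i, label in enumerate(labels) if "*" in label]
    if not starred:
        return None
    if host.count("*") > 1:
        return "more than one wildcard"
    i = starred[0]
    if labels[i] != "*":
        return "wildcard is only part of a label"
    if len(labels) == 1:
        return "wildcard with no fixed label"
    # Assumption: only a whole leftmost or rightmost label may be "*".
    if 0 < i < len(labels) - 1:
        return "wildcard in the middle"
    return None


def lint_rulesets(rulesets):
    """Return (filename, host, reason) for every rejected <target host>."""
    findings = []
    for filename, xml_text in sorted(rulesets.items()):
        for target in ET.fromstring(xml_text).iter("target"):
            host = target.get("host", "")
            reason = wildcard_problem(host)
            if reason:
                findings.append((filename, host, reason))
    return findings


if __name__ == "__main__":
    for filename, host, reason in lint_rulesets(SAMPLE_RULESETS):
        print(f"{filename}: {host}: {reason}")
```

A non-empty result from `lint_rulesets` is what a test run would fail on, which keeps new mid-host wildcards from being merged.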
@ghost

ghost commented Sep 1, 2017

I guess this will protect our extension from wildcard-in-the-middle attacks. 😄

@Bisaloo
Collaborator

Bisaloo commented Sep 2, 2017

@jeremyn
Contributor

jeremyn commented Dec 18, 2017

@Bisaloo I've replaced PR #12314 with my new PR #14011. Please update #4369 (comment) above.

pipboy96 pushed a commit that referenced this issue Mar 27, 2019
* Fix wildcard-in-the-middle in General-Electric.xml

See #4369

* [GEBlogs.com] Add rule, test urls and top comment

* Rename General-Electric.xml to GEBlogs.com.xml

* Update GEBlogs.com.xml

* Update GEBlogs.com.xml

* Update GEBlogs.com.xml

* Update GEBlogs.com.xml

* Update GEBlogs.com.xml

* Update GEBlogs.com.xml

* Update GEBlogs.com.xml

* Update GEBlogs.com.xml
@pipboy96
Contributor

🎉

@zoracon
Contributor

zoracon commented Apr 1, 2019

Tying in related PR #12319

zoracon added a commit to zoracon/https-everywhere that referenced this issue Apr 1, 2019
Related to removing wildcard in the middle support EFForg#4369
Related EFForg#12319