PHPBB3-14527 Dataloss caused by link shortening (maybe)

Discuss requests for comments/changes posted in the Issue Tracker for the development of phpBB. Upcoming releases are 3.2/Rhea and 3.3.
Joe User
Registered User
Posts: 32
Joined: Mon Sep 13, 2004 10:10 am
Location: Germany

Re: PHPBB3-14527 Dataloss caused by link shortening (maybe)

Post by Joe User » Fri Mar 25, 2016 8:19 pm

Sorry, that wasn't meant to be an abrasive tone, just a proposed fix.

„If there’s more than one possible outcome of a job or task,
and one of those outcomes will result in disaster or an undesirable consequence,
then somebody will do it that way.“ -- Edward Aloysius Murphy Jr.

Nicofuma
3.2 Release Manager
Posts: 297
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris


Post by Nicofuma » Fri Mar 25, 2016 9:46 pm

What "buggy hardcoding" are you talking about?
Member of the phpBB Development-Team
No Support via PM


Post by Joe User » Fri Mar 25, 2016 11:24 pm

The hardcoded rewrite of

Code:

[nonalpha]www.something

to

Code:

[nonalpha]http://www.something

like [nonalpha]www.something or (nonalpha)www.something or /nonalpha/www.something or .nonalpha.www.something

Hopefully it is more clear now what I mean. Thanks.

JoshyPHP
Registered User
Posts: 350
Joined: Fri Jul 08, 2011 9:43 pm


Post by JoshyPHP » Sat Mar 26, 2016 6:20 pm

Technically it's not really rewritten as the text stays the same, it's just linked via the HTTP scheme. The text stays the same when you edit it, it stays the same when you read it. Personally I don't think that linking www. URLs is particularly useful but it's been a feature for many years and I don't think false positives impact usability in any meaningful way.

About requiring the www. URL to be preceded with whitespace, I think it creates more problems than it solves. For instance, it would prevent (www.example.org) and [b]www.example.org[/b] from being linked.

If you don't like www. URLs, you can write an extension that disables it. Use the core.text_formatter_s9e_configure_after and force the Autolink plugin to be reloaded without support for it. If you feel fancy you can implement a similar feature using the Preg plugin and your own regexp.

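Code:

// Reload the Autolink plugin with "www." matching turned off
$event['configurator']->plugins->load('Autolink', ['matchWww' => false]);
// Link "www." URLs only at the start of the text or directly after whitespace
$event['configurator']->Preg->match('/(?<!\\S)(?P<url>www\\.\\S+)/', 'URL');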
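Added example, not part of the post above and not phpBB or s9e\TextFormatter code: it runs the whitespace-only regexp from the post against constructed inputs, next to a looser pattern that stands in for the behaviour described earlier in the thread. The looser pattern, the function name linkedText() and the sample strings are assumptions; the real Autolink pattern is not shown on this page.

```php
<?php
// Constructed comparison; not phpBB or s9e\TextFormatter code.

// Pattern from the post above: "www." must start the text or follow whitespace.
const STRICT = '/(?<!\\S)(?P<url>www\\.\\S+)/';

// Assumption: stand-in for the behaviour described in the thread, where any
// non-alphanumeric character may precede "www.". Not the real Autolink regexp.
const LOOSE = '/(?<![A-Za-z0-9])(?P<url>www\\.[^\\s()\\[\\]]+)/';

// Returns the text that would be turned into a link, or null if none matches.
function linkedText(string $pattern, string $text): ?string
{
    return preg_match($pattern, $text, $m) === 1 ? $m['url'] : null;
}

// Constructed sample inputs covering the cases raised in the thread.
$samples = [
    'see www.example.org for details',  // plain mention
    '(www.example.org)',                // wrapped in parentheses
    '[b]www.example.org[/b]',           // wrapped in BBCode
    'mirror.www.example.org',           // "www." inside a longer host name
    '/srv/www.example.org/htdocs',      // "www." inside a file path
];

foreach ($samples as $text) {
    printf(
        "%-34s strict=%-18s loose=%s\n",
        $text,
        linkedText(STRICT, $text) ?? '-',
        linkedText(LOOSE, $text) ?? '-'
    );
}
```

The strict pattern links only the first sample, so the parenthesised and BBCode-wrapped URLs are lost; the loose stand-in links all five, including the host-name fragment and the file path.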


Post by Joe User » Sat Mar 26, 2016 11:46 pm

JoshyPHP wrote:
Sat Mar 26, 2016 6:20 pm
it's been a feature for many years and I don't think false positives impact usability in any meaningful way.
OK, if unnecessary queries of DNS records that modern clients (browsers and search engines) do for prefetching and the like have no impact on usability (they cost time and bandwidth, think of mobile devices) and also the privacy concerns (those DNS queries can be used for tracking and more), especially for users in and from some states like China, are no problem, then leave this "feature" in.

So for the privacy concerns alone this "feature" should be removed as soon as possible, or at least made configurable with the default set to off, please, thanks.

This is a real (technical and ethical) problem and should be fixed.

BTW: When using phpBB in the Tor/Darkweb this also becomes a security problem...

Marc
Development Team Leader
Posts: 123
Joined: Thu Sep 09, 2010 11:36 am
Location: Munich, Germany


Post by Marc » Sun Mar 27, 2016 9:09 am

You don't seem to understand what DNS prefetch actually does. While you're claiming it slows things down and costs bandwidth, it does actually reduce latency and barely uses any bandwidth (typical size of request < 512 Bytes).

There are also plenty of tools that allow disabling DNS prefetching. Increasing load times and latency, and therefore imposing bad usability onto users, based on overambitious privacy concerns is certainly not the way to go. If you require this extreme privacy then it should be you who imposes that. Again, there are plenty of tools that make this incredibly easy for you and there is no need to impose this on everyone and make everyone suffer for the sake of very, very few people.
This is therefore neither a technical nor an ethical problem. If you're using phpBB in the Darkweb you should take extra measures. Then again, this is your responsibility and a mere edge case that shouldn't mean everyone else has to suffer based on your choices.
