MediaWiki talk:External image whitelist

Statcounter
Hello!

jedi.wikia.com Thank you for your time. I would like to insert an image at the bottom of the title page for the purpose of tracking unique visitors to the website and page views.

http://c41.statcounter.com/3791996/0/072333b4/0/

is the URL and I have it at the bottom of the page. The image that is created is only created for this use and so there should not be a copyright problem. Thank you, again, for your time. :D

--Trepe 01:02, 17 June 2008 (UTC)

Non-Profit Organizations and Compensatory Donations Links
We are currently working with non-profit organizations in generating support for our community (SuperWikia), and we have already established relations with a notable web services group at Amazon.com.

The issue: The many different tools and links available at Amazon.com (Amazon Associates, AWS, etc.) are not compatible with wikitext and other MediaWikia applications.

The solution: By adding a non-profit compensatory donation list to the whitelist, you may:
 * 1) generate proceeds for the numerous Jimmy Wales donation drives
 * 2) create new retention and incentive programs for authors/contributors
 * 3) establish a stronger sysop/administrator base by pooling resources for voter benefits
 * 4) proliferate the educational component of the organization by endorsing non-profit events
 * 5) receive government support and tax incentives for hosting tax exempt organizations
 * 6) enforce Wikia's policy on open source publishing by restricting/moderating commercial accounts

and many other areas which are still in development.

For more information on Amazon and their many programs for fund raising, contact myself at super.wikia.com or go direct to http://aws.amazon.com Thanks a bunch and good luck Mr. Wales! Habatchii 05:07, 28 December 2008 (UTC)

flickr?
Can we have flickr.com in this list? --Ans 11:06, 10 February 2009 (UTC)
 * I'm sorry, but no. Flickr has requested that hotlinking not be allowed. You can use Special:ImportFreeImages to find and transload free images directly from flickr to your wiki. --Uberfuzzy 13:26, 10 February 2009 (UTC)

share images between english and chinese versions of the same wikia
hi there, I am the admin for gintama.wikia.com. I recently started the chinese version at zh.yinhun.wikia.com with the intention that the content, design, layout etc would be identical to the english version, save for the language in the content. However, I face some problems in sharing the images. Since the images that zh.yinhun is using are ported over from the english gintama, I am unable to get them to resize properly, even though they are using the exact same template as the english version (refer to main page of both sites). Is there a way for the chinese version to re-size the english-version images from the chinese site's end? I really don't see any point in re-uploading more than 500 images, they will all be identical. thanks Gin-san (Talk) 17:22, January 16, 2010 (UTC)


 * Image sharing can be enabled. Please send any requests for wiki configuration changes to staff using special:contact. Angela (talk) 00:56, January 19, 2010 (UTC)


 * thanks, message sent Gin-san (Talk) 12:56, January 19, 2010 (UTC)

About using commons.wikimedia.org images in lt.biologija.wikia.com
Hi, I'm administrator of lt.biologija.wikia.com. We would like to use commons.wikimedia.org and *.wikipedia.org images in our wiki as locally uploaded images (with the same wiki syntax). Maybe this is possible? Thanks. Vpovilaitis 06:12, January 27, 2010 (UTC)


 * I've set this up. You can see an example on my user page. It's best to use special:contact for configuration requests as this page is not always checked regularly. Angela (talk) 06:11, January 28, 2010 (UTC)
 * Thanks. Vpovilaitis 06:24, January 28, 2010 (UTC)

Online Status
Hello, I wish to have a website added to allow users to show their online status on their userpage. The website is http://www.imstatuscheck.com/ and allows hotlinking. It works with many services such as IAM, ICQ, GTalk, MySpace and MSN. Manyman 06:27, April 5, 2010 (UTC)

Tinypics?
Could tinypic.com be added to the list for use on the El Goonish Shive Wiki: specifically, for the character test images? --Brovie talk 05:07, May 11, 2010 (UTC)
 * You can actually create a local whitelist for just that wiki, by creating this same page name at that wiki. --Uberfuzzy 05:58, May 11, 2010 (UTC)

About using commons.wikimedia.org images in lt.enciklopedija.wikia.com
Hi, I'm administrator of lt.enciklopedija.wikia.com. We would like to use commons.wikimedia.org and *.wikipedia.org images in our wiki as locally uploaded images (with the same wiki syntax). Maybe this is possible? -- 13:41, January 12, 2012 (UTC)

Security
You guys really need to tighten up the regex here. Notice how this user was able to embed an image without it being on the intended whitelist, just by using some url that matches your generous regex. I'm sure glad that was just a tracking pixel, and not some sick, twisted child pornography!

I'm pretty sure this is a global message, but if not, at least someone from wikia will probably see this. moluɐɯ 21:41, December 8, 2015 (UTC)


 * That could, technically, be true about any regex on the whitelist. I have added an appending  to that particular one to prevent that mis-use in the future. Rappy 22:05, December 8, 2015 (UTC)


 * http://somedirtysite.com/image_of_children.png#bypassregex=http://alexa.com/o.png moluɐɯ 22:17, December 8, 2015 (UTC)
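An added example, not from this thread or from Wikia's configuration, of why the fragment trick above slips past an unanchored whitelist regex and how an anchored entry plus a parse-based host check rejects it; the whitelist entries, the allowed host and the test URLs are all constructed here:

```python
import re
from urllib.parse import urlsplit

# Hypothetical whitelist entries, not the ones on the real page.
# The loose entry is searched unanchored, so it matches *anywhere* in the URL.
LOOSE_WHITELIST = [r"https?://alexa\.com/"]
# Tightened entry: anchored at both ends, no query or fragment allowed,
# and only image extensions.
ANCHORED_WHITELIST = [r"^https?://alexa\.com/[^?#]+\.(?:png|gif|jpe?g)$"]

def url_allowed(url, whitelist):
    """Allow the URL if any whitelist regex matches it.

    An unanchored, case-insensitive search is assumed here, which is how
    a list of bare regexes is commonly applied to a URL string.
    """
    return any(re.search(pat, url, re.IGNORECASE) for pat in whitelist)

ALLOWED_HOSTS = {"alexa.com"}          # constructed allow-list
IMAGE_EXTS = (".png", ".gif", ".jpg", ".jpeg")

def host_allowed(url):
    """Defence in depth: parse the URL instead of pattern-matching its text.
    Require http(s), an exact hostname match, no userinfo, no query or
    fragment, and an image extension on the path."""
    parts = urlsplit(url)
    return (
        parts.scheme in ("http", "https")
        and parts.hostname in ALLOWED_HOSTS
        and parts.username is None
        and parts.query == "" and parts.fragment == ""
        and parts.path.lower().endswith(IMAGE_EXTS)
    )

# Constructed test URLs, modelled on the bypass shown in this thread.
LEGIT = "http://alexa.com/o.png"
FRAGMENT_BYPASS = "http://tracker.example/pixel.png#bypass=http://alexa.com/o.png"
QUERY_BYPASS = "http://tracker.example/pixel.png?u=http://alexa.com/o.png"
USERINFO_BYPASS = "http://alexa.com@tracker.example/o.png"

if __name__ == "__main__":
    for u in (LEGIT, FRAGMENT_BYPASS, QUERY_BYPASS, USERINFO_BYPASS):
        print(f"{u}\n  loose={url_allowed(u, LOOSE_WHITELIST)} "
              f"anchored={url_allowed(u, ANCHORED_WHITELIST)} parsed={host_allowed(u)}")
```

Even the anchored form still trusts the listed host itself, so what that host answers with (for example a redirect) is a separate question from whether the URL text matches.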


 * I could do without the tongue-in-cheekiness.
 * You can't just let this kind of shit slide by, because that's how people get into places they shouldn't be.
 * http://www.dailydot.com/technology/imgur-4chan-8chan-exploit/
 * Be snarky all you want on my RSW talk page, but the fact that you're not taking this insecurity more seriously is embarrassing. Reconsider your job title. moluɐɯ 22:25, December 8, 2015 (UTC)
 * Reminder: the login form is still at the top of every page. Gaz Talk 22:27, December 8, 2015 (UTC)


 * If the issue is such that you're concerned with JavaScript being injected through an exploit in the system, please do not state the issue as "this was just a tracking image and not child pornography". Also, if that is the case, it should be Special:Contact'd for investigation as such. The hack you linked was due to someone uploading an .html with JavaScript on it and then that upload being executed. This does not seem to be the same case here.
 * I will do testing to verify that the bypass, although not optimal, does not allow such vulnerabilities and if it does, will file a high priority ticket to deal with it. Rappy 22:45, December 8, 2015 (UTC)


 * All the child pornography I've seen included ddos injecting, password stealing, communist JavaScript. The hack I linked was imgur allowing such code to be uploaded and injected in images. Of course, we are lucky they patched that. But what if someone hosted the same malicious images on other sites, then used this exploit here?
 * Frankly, I'm scared to use Special:Contact because I know you're one of the people that answers that mail. And I'm not really in the mood to be made fun of more for legitimate concerns behind my back. That hurts my feelings, ya know? moluɐɯ 22:51, December 8, 2015 (UTC)


 * You weren't being made fun of, actually. My comment was not directed at you and was taken out of context. Special:Contact should be the first place an issue like this is sent as it's guaranteed to be seen. I only noticed this via my watchlist. Rappy 22:55, December 8, 2015 (UTC)


 * Irregardless you've hurt my feelings and I demand an apology. moluɐɯ 22:55, December 8, 2015 (UTC)


 * Sorry, I will not apologize for something that was said and relayed to you when it was not said to or about you.
 * I have investigated the issue and yes, while the regex can be bypassed, the result is a broken image URL as seen above. This will not allow the running of any code nor is it clickable to move the user off-site. As such, it is secure in the fact that it will only ever serve properly linked image types.
 * I am discussing ways to improve the current regex because, as mentioned, quite a bit here is easily bypassed. Rappy 23:23, December 8, 2015 (UTC)


 * They are broken images because I'm not too keen on finding some actual child pornography to post. And I'm not too sure my current (and legal might I stress) collection would get across my point. moluɐɯ 23:37, December 8, 2015 (UTC)

(tab reset) The result is only a broken image URL if the image itself doesn't exist.

Is an example of an external image that shouldn't be allowed through the filter, but displays fully. As I also mentioned in my email, this allows anyone to surreptitiously track all users that visit a wiki, getting their IP addresses, user agents, time and place of visit. 23:31, December 8, 2015 (UTC)


 * Broken image in the fact that they are attempting to showcase a non-image file. That is trumped later with the comment "it will only ever serve properly linked image types". Yes, I understand your concerns and I'd ask that you not make them public here. This is also the reason we use Special:Contact. As such, I am removing the above that showcases the bypass. Rappy 23:42, December 8, 2015 (UTC)


 * One need not use JavaScript to cause problems with tags that you control. Using HTTP 301 or 302, you can redirect images to arbitrary websites without regard to cross-site restrictions. That's what I came up with in about ten minutes -- a more persistent attacker could almost certainly run arbitrary JavaScript from another location, or cause malicious edits to come from your account, or log you out of all of your accounts on Google, or do any number of bad things that are available by controlling URLs. This is really not much better from a security standpoint than running arbitrary JavaScript.
 * I know you'd prefer this not be public, but this is a huge issue that can't (to my knowledge) be countered without locking down external images in some way. And even then you'll have potential problems at the local level as well. You were dismissive of the impact when we first brought it up, but this is a very problematic exploit in the wrong hands (and we're not the first to find it). Security by obscurity isn't gonna fly here. 01:13, December 9, 2015 (UTC)


 * There's a difference in something being known to be possible and putting it somewhere in plain sight for it to be exploited by onlookers. If you wish to continue discussing this, please do so over Special:Contact as you have already started to. Rappy 01:34, December 9, 2015 (UTC)
 * Okay, just making sure you're taking it seriously given how cavalier you were about it earlier. I have more restrictive regular expressions if you want them. 02:58, December 9, 2015 (UTC)