[HTTPS-E Rulesets] bug in the wikipedia rule

Greg Lindahl greg at blekko.com
Sat May 4 20:35:49 PDT 2013


<rule from="^http://([^@:/]+\.)?wik(ipedia|inews|isource|ibooks|iquote|iversity|tionary|imedia|idata)\.org/" to="https://$1wik$2.org/"/>

Now consider this URL

http://www.en.wikipedia.org/wiki/Guy_Gavriel_Kay

which is a redir to

http://en.wikipedia.org/wiki/Guy_Gavriel_Kay

The above rule matches www.en as $1, and generates
https://www.en.wikipedia.org/...

Firefox throws a security error for https://www.en.wikipedia.org and
tells me I'm not matching the cert. The cert is good for:

*.wikipedia.org , wikipedia.org , m.wikipedia.org ,
*.m.wikipedia.org , wikibooks.org , m.wikibooks.org , *.wikibooks.org ,
*.m.wikibooks.org , wikidata.org , m.wikidata.org , *.wikidata.org ,
*.m.wikidata.org , wikimedia.org , m.wikimedia.org , *.wikimedia.org ,
*.m.wikimedia.org , wikimediafoundation.org ,
m.wikimediafoundation.org , *.wikimediafoundation.org ,
*.m.wikimediafoundation.org , wikinews.org , m.wikinews.org ,
*.wikinews.org , *.m.wikinews.org , wikiquote.org , m.wikiquote.org ,
*.wikiquote.org , *.m.wikiquote.org , wikisource.org ,
m.wikisource.org , *.wikisource.org , *.m.wikisource.org ,
wikiversity.org , m.wikiversity.org , *.wikiversity.org ,
*.m.wikiversity.org , wikivoyage.org , m.wikivoyage.org ,
*.wikivoyage.org , *.m.wikivoyage.org , wiktionary.org ,
m.wiktionary.org , *.wiktionary.org , *.m.wiktionary.org ,
mediawiki.org , *.mediawiki.org , m.mediawiki.org , *.m.mediawiki.org

I've never known what * means in this context, but presumably Firefox
is correct that * doesn't allow periods. So *.wikipedia.org does
not match www.en.wikipedia.org.

I suspect that this won't be tripped on very often, but pity the user
who does! Given the cert, this rule ought to be correct:

<rule from="^http://([^@:/.]+\.)?wik(ipedia|inews|isource|ibooks|iquote|iversity|tionary|imedia|idata)\.org/" to="https://$1wik$2.org/"/>
<rule from="^http://([^@:/.]+\.m\.)?wik(ipedia|inews|isource|ibooks|iquote|iversity|tionary|imedia|idata)\.org/" to="https://$1wik$2.org/"/>

Basically, don't allow a period in the set, and add m as a domain that's
allowed to go deeper.

-- greg
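
The mismatch described in this message, as an added example that is not part of the original post or of the HTTPS Everywhere code: it applies the original and the proposed rules to a URL and checks the rewritten host against a subset of the quoted certificate names, treating `*` as exactly one leftmost label. The function names and the `en.m` test URL are assumptions made for the illustration.

```javascript
// Added illustration: rule patterns are copied from the message; the SAN list
// is a subset of the names quoted there. Function names are hypothetical.
const SITES = String.raw`wik(ipedia|inews|isource|ibooks|iquote|iversity|tionary|imedia|idata)\.org/`;
const TO = "https://$1wik$2.org/";

const ORIGINAL_RULES = [
  { from: new RegExp(String.raw`^http://([^@:/]+\.)?` + SITES), to: TO },
];
const PROPOSED_RULES = [
  { from: new RegExp(String.raw`^http://([^@:/.]+\.)?` + SITES), to: TO },
  { from: new RegExp(String.raw`^http://([^@:/.]+\.m\.)?` + SITES), to: TO },
];
const SANS = ["*.wikipedia.org", "wikipedia.org", "m.wikipedia.org", "*.m.wikipedia.org"];

// Apply the first matching rule; null means the URL is left alone.
function rewrite(url, rules) {
  for (const { from, to } of rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return null;
}

// Wildcard matching as browsers do it: "*" stands for exactly one
// leftmost label, so the label counts must be equal.
function sanMatches(host, pattern) {
  const h = host.toLowerCase().split(".");
  const p = pattern.toLowerCase().split(".");
  if (h.length !== p.length) return false;
  return p.every((label, i) => (i === 0 && label === "*") || label === h[i]);
}

// Rewrite the URL, then report whether the certificate covers the new host.
function check(url, rules) {
  const rewritten = rewrite(url, rules);
  if (rewritten === null) return { rewritten, certOk: null };
  const host = new URL(rewritten).hostname;
  return { rewritten, certOk: SANS.some((san) => sanMatches(host, san)) };
}

// The first URL is from the message; the en.m URL is constructed.
for (const url of [
  "http://www.en.wikipedia.org/wiki/Guy_Gavriel_Kay",
  "http://en.m.wikipedia.org/wiki/Guy_Gavriel_Kay",
]) {
  console.log(url, check(url, ORIGINAL_RULES), check(url, PROPOSED_RULES));
}
```

With the proposed rules the `www.en` URL is left on HTTP, so the browser follows the site's own redirect instead of hitting a certificate error.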





