Last modified: 2014-03-12 23:38:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T64049, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 62049 - Abuse filters can be fooled by using U+200B ZERO WIDTH SPACE (ccnorm doesn't remove/normalize them)
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: AntiSpoof
Assigned To: Nobody - You can work on this!
Reported: 2014-02-28 12:17 UTC by Helder
Modified: 2014-03-12 23:38 UTC


Description Helder 2014-02-28 12:17:51 UTC
As you can check on
https://test.wikipedia.org/wiki/Special:AbuseFilter/tools
ccnorm("BAD")!==ccnorm("B​A​D")
where the first string has just 3 characters and the second one has a few invisible characters inside it.

Therefore, anyone can fool abuse filters which try to avoid offenses, badwords, etc. by just copying invisible characters in the text.
Comment 1 Marius Hoch 2014-02-28 12:20:27 UTC
To fix this, we would either need to add these characters to AntiSpoof's maintenance/equivset.in (and make them normalize to an empty string) or, if that's not possible/desired, we could also extend our own ccnorm function.
Comment 2 Chris Steipp 2014-02-28 23:48:56 UTC
Seems like antispoof would be the right place for this.
Comment 3 Gerrit Notification Bot 2014-03-08 03:59:12 UTC
Change 117640 had a related patch set uploaded by Hoo man:
Map U+200B (zero width space) to an empty string

https://gerrit.wikimedia.org/r/117640
Comment 4 Gerrit Notification Bot 2014-03-11 21:07:06 UTC
Change 117640 merged by jenkins-bot:
Map U+200B (zero width space) to an empty string

https://gerrit.wikimedia.org/r/117640
Comment 5 Marius Hoch 2014-03-12 23:38:21 UTC
Chris approved my patch
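
The mismatch from the description and the fix proposed in comment 1, as an added Python example (not AntiSpoof or AbuseFilter code): the `EQUIV` table is a small constructed stand-in for an equivset, and all function names are hypothetical. `norm_general` goes beyond the merged change by dropping every Unicode format character (category Cf), of which U+200B is one.

```python
import unicodedata

# Constructed, illustrative look-alike map in the spirit of an "equivset".
# This is NOT AntiSpoof's real table.
EQUIV = {
    "0": "O", "1": "I", "3": "E", "4": "A", "5": "S", "8": "B",
    "@": "A", "$": "S",
    "\u0412": "B",  # CYRILLIC CAPITAL LETTER VE
    "\u0410": "A",  # CYRILLIC CAPITAL LETTER A
}
ZWSP = "\u200b"  # ZERO WIDTH SPACE, the character from the bug report


def norm_before(text):
    """Look-alike folding only; characters with no mapping pass through."""
    return "".join(EQUIV.get(ch, ch) for ch in text.upper())


def norm_after(text):
    """Same folding, plus U+200B mapped to the empty string (the fix)."""
    table = {**EQUIV, ZWSP: ""}
    return "".join(table.get(ch, ch) for ch in text.upper())


def norm_general(text):
    """Generalization: drop all format characters (category Cf), then fold.

    Use the result only as a comparison key, never to rewrite stored text,
    because some Cf characters are meaningful for rendering.
    """
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return norm_before(visible)


def matches(normalizer, text, blocked=("BAD",)):
    """True if any blocked word occurs in the normalized comparison key."""
    key = normalizer(text)
    return any(word in key for word in blocked)


if __name__ == "__main__":
    sample = "B" + ZWSP + "A" + ZWSP + "D"  # constructed sample input
    for fn in (norm_before, norm_after, norm_general):
        print(fn.__name__, repr(fn(sample)), matches(fn, sample))
```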
