Request: Short Links to Forum Topics

This forum is used to discuss topics, propose ideas, and ask questions relating to supermariobrosx.org.
0lhi
Spiny
Spiny
Posts: 26
Joined: Fri Aug 13, 2021 5:54 am
Flair: ⚙️TheXTech QC

Request: Short Links to Forum Topics

Postby 0lhi » Fri Sep 10, 2021 9:12 am

I'd like to request a short link feature for Forum Topics. For example, by having a conversion like:

https://f.smbxgame.com/18006 -> https://www.smbxgame.com/forums/viewtopic.php?t=18006

This would allow adding links to images/videos of Episodes in a well-readable manner without taking up too much space.

Image

0lhi
Spiny
Spiny
Posts: 26
Joined: Fri Aug 13, 2021 5:54 am
Flair: ⚙️TheXTech QC

Re: Request: Short Links to Forum Topics

Postby 0lhi » Fri Sep 10, 2021 10:02 am

Apparently, this can be done easily with a .htaccess trick:

```
#ShortLinks
RewriteCond %{QUERY_STRING} ^f/(\d*)$ [NC]
RewriteRule ^f/(\d*)$ /forums/viewtopic.php?t=$1 [R=301]
```
Thanks to @Wohlstand, who did this for the Wohlsoft Forums:

https://wohlsoft.ru/f/t4088

ElectriKong
Posts: 4650
Joined: Mon Jun 06, 2016 4:32 pm
Flair: I have NO idea what to put here
Pronouns: he/him
Contact:

Re: Request: Short Links to Forum Topics

Postby ElectriKong » Fri Sep 10, 2021 10:32 am

Well you could just do this:

```
[url=https://www.smbxgame.com/forums/viewtopic.php?t=18006]https://f.smbxgame.com/18006[/url]
```
Which results in: https://f.smbxgame.com/18006

0lhi
Spiny
Spiny
Posts: 26
Joined: Fri Aug 13, 2021 5:54 am
Flair: ⚙️TheXTech QC

Re: Request: Short Links to Forum Topics

Postby 0lhi » Fri Sep 10, 2021 11:18 am

Electriking wrote:
Fri Sep 10, 2021 10:32 am
Which results in: https://f.smbxgame.com/18006
If a site supports Link Syntax I'll just use the episode name. I'm requesting the feature for places that can't do that.

EDIT: Maybe I should add more context. The images above are from my Twitch Overlay. I would like to add links to the episodes I'm currently streaming, but SMBX Forum links are too long for that. Shortlinks would help to make episodes more easily accessible.

Yoshi021
Gold Yoshi Egg
Gold Yoshi Egg
Posts: 691
Joined: Thu Jan 21, 2016 9:06 pm
Flair: :)
Pronouns: He/Him

Re: Request: Short Links to Forum Topics

Postby Yoshi021 » Thu Sep 16, 2021 6:42 pm

This would be a pretty neat feature to have

0lhi
Spiny
Spiny
Posts: 26
Joined: Fri Aug 13, 2021 5:54 am
Flair: ⚙️TheXTech QC

Re: Request: Short Links to Forum Topics

Postby 0lhi » Thu Oct 14, 2021 10:21 am

Yoshi021 wrote:
Thu Sep 16, 2021 6:42 pm
This would be a pretty neat feature to have
It would! Soo, I'd like to bring attention to this again. Could the Administrators implement this?

Wohlstand
Van De Graf
Van De Graf
Posts: 2005
Joined: Tue Feb 11, 2014 4:44 pm
Flair: [ˈvoːlˌʃtant], 狐エンジニア
Pronouns: he/him
Contact:

Re: Request: Short Links to Forum Topics

Postby Wohlstand » Thu Oct 28, 2021 5:24 pm

0lhi wrote:
Fri Sep 10, 2021 10:02 am
Apparently, this can be done easily with a .htaccess trick:

```
#ShortLinks
RewriteCond %{QUERY_STRING} ^f/(\d*)$ [NC]
RewriteRule ^f/(\d*)$ /forums/viewtopic.php?t=$1 [R=301]
```
Thanks to @Wohlstand, who did this for the Wohlsoft Forums:

https://wohlsoft.ru/f/t4088
I had to fix it slightly; now it's as follows:

```
#short links
RewriteCond %{REQUEST_URI} ^/f/t(\d*)$ [NC]
RewriteRule ^f/t(\d*)$ /forum/viewtopic.php?t=$1 [R=301]
```
The first variant was a bit glitchy and didn't work properly. It failed after some time.

aero
Palom
Palom
Posts: 4781
Joined: Fri Mar 28, 2014 2:51 pm

Re: Request: Short Links to Forum Topics

Postby aero » Sat Oct 30, 2021 4:43 pm

Sounds like a good idea to me. I'll bring it up with the other admins and see when we could get this set up.

aero
Palom
Palom
Posts: 4781
Joined: Fri Mar 28, 2014 2:51 pm

Re: Request: Short Links to Forum Topics

Postby aero » Wed Feb 02, 2022 8:36 pm

Sorry for the long wait, but this probably will not actually be implemented. Or at least not in this way. I think it would be a good idea to shorten links; however, with this approach there is a security concern when it comes to phishing links.

For instance, when you use a regular link you get a "magic url" showing where you will be going to on the site:
viewtopic.php?f=99&t=27365

Now if we were to shorten it like this:
https://f.smbxgame.com/12345

The 12345 could hypothetically lead to any page on that domain and not necessarily to a post. So if there were any sort of security compromise it would be easy to phish people with what looks like a regular page but is not actually running viewtopic.php as specified in the URL like right now. This is generally the issue with short URLs because you really have to trust who is sending the URL and the server.

As for your situation I would instead recommend something a bit more creative like a QR code. They can be made very small, and you can customize them quite a bit. For instance if you were sharing your project you could embed a project logo into the QR code itself and it would still work. Downside to this is the site style isn't good for mobile browsing compared to desktop which is something that is being worked on right now.

Wohlstand
Van De Graf
Van De Graf
Posts: 2005
Joined: Tue Feb 11, 2014 4:44 pm
Flair: [ˈvoːlˌʃtant], 狐エンジニア
Pronouns: he/him
Contact:

Re: Request: Short Links to Forum Topics

Postby Wohlstand » Wed Feb 02, 2022 8:43 pm

Aero wrote:
Wed Feb 02, 2022 8:36 pm
https://f.smbxgame.com/12345
Doesn't work for me yet, probably need to wait some hours until DNS caches get updated around the world...
Aero wrote:
Wed Feb 02, 2022 8:36 pm
As for your situation I would instead recommend something a bit more creative like a QR code. They can be made very small, and you can customize them quite a bit. For instance if you were sharing your project you could embed a project logo into the QR code itself and it would still work. Downside to this is the site style isn't good for mobile browsing compared to desktop which is something that is being worked on right now.
QR codes were useful, but if you need to put a thing that shouldn't use so much space, then a QR code isn't a good way here, as it will steal a big square of the space on the poster.
Aero wrote:
Wed Feb 02, 2022 8:36 pm
So if there were any sort of security compromise it would be easy to phish people with what looks like a regular page but is not actually running viewtopic.php as specified in the URL like right now.
When speaking about DNS cache attacks, it's possible to phish absolutely any address (a lot of viruses had to install custom hosts and phish popular social networks, so, the domain is valid, but the actual IP address is just a mess). In the main case, the domain should be the same as the main domain, so it's trustworthy. And having HTTPS would prevent such tricks, making it way harder to phish by domain name while having no valid certificate.

aero
Palom
Palom
Posts: 4781
Joined: Fri Mar 28, 2014 2:51 pm

Re: Request: Short Links to Forum Topics

Postby aero » Wed Feb 02, 2022 11:46 pm

Wohlstand wrote:
Wed Feb 02, 2022 8:43 pm
Doesn't work for me yet, probably need to wait some hours until DNS caches get updated around the world...
It won't work. It's not implemented.
Wohlstand wrote:
Wed Feb 02, 2022 8:43 pm
When speaking about DNS cache attacks, it's possible to phish absolutely any address (a lot of viruses had to install custom hosts and phish popular social networks, so, the domain is valid, but the actual IP address is just a mess). In the main case, the domain should be the same as the main domain, so it's trustworthy. And having HTTPS would prevent such tricks, making it way harder to phish by domain name while having no valid certificate.
I wasn't really getting at DNS attacks. I'm simply saying that the shortened URL introduces ambiguity that can be more readily exploited for phishing. It's important for a link to be clear where it will go. /forums/viewtopic.php?f=99&t=27365 is clear where you're going on the domain as opposed to /27365 which can be literally anything. https://en.wikipedia.org/wiki/Phishing#Techniques

We have had phishing and XSS attacks before. Introducing ambiguity would only make it more of a problem.

Also it's worth mentioning that QR codes, while being far more ambiguous, nowadays come with context (such as an embedded logo) and if the scanning app is any good it will preview what you're scanning before opening it. It's possible for us to implement a preview for this URL shortening scheme, but it wouldn't really be much use as this site's URLs are relatively short as it is. The longest they get is when the temporary SID shows up in the URL bar on the first page you browse in a session but that goes away on the next page.

Wohlstand
Van De Graf
Van De Graf
Posts: 2005
Joined: Tue Feb 11, 2014 4:44 pm
Flair: [ˈvoːlˌʃtant], 狐エンジニア
Pronouns: he/him
Contact:

Re: Request: Short Links to Forum Topics

Postby Wohlstand » Wed Feb 02, 2022 11:51 pm

Anyway, there's no need to set up a subdomain for such things. And additionally, explicitly require integers only in the custom query, so nobody should be able to inject any random crap.

0lhi
Spiny
Spiny
Posts: 26
Joined: Fri Aug 13, 2021 5:54 am
Flair: ⚙️TheXTech QC

Re: Request: Short Links to Forum Topics

Postby 0lhi » Thu Feb 03, 2022 6:48 am

Aero wrote:
Wed Feb 02, 2022 11:46 pm
It's important for a link to be clear where it will go. /forums/viewtopic.php?f=99&t=27365 is clear where you're going on the domain as opposed to /27365 which can be literally anything.
Wouldn't https://smbxgame.com/f/18006 be clear enough, too?

When /f/{number} is just a synonym/redirect for /forums/viewtopic.php?t={number}, there's not much that can go wrong, right?

Especially if you make the integer requirement like Wohlstand says.
Aero wrote:
As for your situation I would instead recommend something a bit more creative like a QR code.
Not comfortable using something I'm not familiar with. I want it to be accessible for non-Smartphone users, too. And unambiguous.

Wohlstand
Van De Graf
Van De Graf
Posts: 2005
Joined: Tue Feb 11, 2014 4:44 pm
Flair: [ˈvoːlˌʃtant], 狐エンジニア
Pronouns: he/him
Contact:

Re: Request: Short Links to Forum Topics

Postby Wohlstand » Thu Feb 03, 2022 8:04 am

In the example I already gave, it requires an integer in the query via the \d+ regex. Use RewriteCond to make sure it isn't executed when not necessary.

Added in 11 minutes 5 seconds:
The suggestion, really, doesn't require any tricky backends, just two lines of .htaccess that redirect f/<integer> to the viewtopic page (note: you can freely ignore the forum id in the URL, it doesn't matter, the topic id alone is enough to open the necessary stuff)

aero
Palom
Palom
Posts: 4781
Joined: Fri Mar 28, 2014 2:51 pm

Re: Request: Short Links to Forum Topics

Postby aero » Fri Feb 04, 2022 4:07 am

0lhi wrote:
Thu Feb 03, 2022 6:48 am
Aero wrote:
Wed Feb 02, 2022 11:46 pm
It's important for a link to be clear where it will go. /forums/viewtopic.php?f=99&t=27365 is clear where you're going on the domain as opposed to /27365 which can be literally anything.
Wouldn't https://smbxgame.com/f/18006 be clear enough, too?

When /f/{number} is just a synonym/redirect for /forums/viewtopic.php?t={number}, there's not much that can go wrong, right?

Especially if you make the integer requirement like Wohlstand says.
Even though it's treated like a redirect, the security issue is inherent to the ambiguity of just an integer rather than the context of a page. A lot actually can go wrong if you don't know where a link will take you. In order for it to work the link has to come from a trusted source which is where the problems start and the redirect aspect introduces another attack vector for XSS.

I'd recommend reading the following:
https://safecomputing.umich.edu/be-awar ... l-security (applies mostly to generic shorteners, but is still relevant here)
https://www.virtuesecurity.com/kb/url-r ... d-defense/

Wohlstand
Van De Graf
Van De Graf
Posts: 2005
Joined: Tue Feb 11, 2014 4:44 pm
Flair: [ˈvoːlˌʃtant], 狐エンジニア
Pronouns: he/him
Contact:

Re: Request: Short Links to Forum Topics

Postby Wohlstand » Fri Feb 04, 2022 4:22 am

Here we aren't speaking about external URL shorteners and other side-servers, they are crap "a priori". Why does a local redirect (on the same server which is already trusted, and intended to provide convenience for itself, not for external crap) cause such worry?

The examples given in the article itself (where direct inclusion of the URL to redirect to is possible) really are vulnerable solutions that really are a source of abuse. Their problem is that they include strings that actually give major flexibility when attempting to XSS the shit. I take the integer only, and the whole redirect has fixed and strict logic that simply converts "/f/t{integer}" into "/forum/viewtopic.php?t={integer}" without giving any chance to modify the query and inject crap (even "?" arguments will break the matching rule and lead to failure, giving no chance for any injections).

By the way, see how my thing works:
Just out of sporting interest, what is really vulnerable here? Try to XSS my link and show how it sucks, I'm really interested to verify this and if it's really vulnerable, I'll change my mind.

EDIT: Code explained:

```
# The condition checks that the full URL matches "/f/t{integer}";
# basically, it will fail if you try to add "?" arguments or anything else.
# So, if the URL differs by even one letter, you'll just get a default 404 error
RewriteCond %{REQUEST_URI} ^/f/t(\d*)$ [NC]

# If the condition is matched successfully, then it takes the integer value
# from the query, and forms the topic link where the taken integer
# gets used in the final redirect:
RewriteRule ^f/t(\d*)$ /forum/viewtopic.php?t=$1 [R=301]
```
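
An added example, not part of any post in this thread and not either site's own code: a small Python model of the rule explained above, run over constructed request URLs to check that every redirect it can emit stays on-site and carries only a numeric topic id. It assumes Python's `re` behaves like Apache's PCRE for these patterns and that `REQUEST_URI` holds only the path; `STRICT`, `is_safe_target` and `audit` are hypothetical names introduced here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Python's re stands in for Apache's PCRE here (an approximation of mod_rewrite).
POSTED = re.compile(r"^/f/t(\d*)$", re.IGNORECASE | re.ASCII)  # as posted: \d* with [NC]
STRICT = re.compile(r"^/f/t([0-9]{1,10})$")  # hypothetical tightened variant
TARGET = "/forum/viewtopic.php?t={}"

# Constructed request URLs; example.invalid is a placeholder host.
CONSTRUCTED_REQUESTS = [
    "/f/t4088",
    "/F/T4088",
    "/f/t",
    "/f/t4088?next=//example.invalid/login",
    "/f/t4088/../../admin",
    "/f/t40<script>",
    "/f/t//example.invalid",
]

def redirect_for(url, rule=POSTED):
    """Location the rule would emit for a request URL, or None (no match, so a 404)."""
    path = urlsplit(url).path  # REQUEST_URI is the path only; the query is not matched
    m = rule.match(path)
    # The substitution carries its own query string, so the client's query is dropped.
    return TARGET.format(m.group(1)) if m else None

def is_safe_target(location):
    """True only for an on-site viewtopic.php URL with exactly one numeric t parameter."""
    parts = urlsplit(location)
    if parts.scheme or parts.netloc or parts.path != "/forum/viewtopic.php":
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    topic = query.get("t", [""])
    return list(query) == ["t"] and len(topic) == 1 and topic[0].isascii() and topic[0].isdigit()

def audit(urls, rule=POSTED):
    """Map each request URL to (Location or None, verdict)."""
    report = {}
    for url in urls:
        loc = redirect_for(url, rule)
        verdict = "no redirect" if loc is None else "ok" if is_safe_target(loc) else "REVIEW"
        report[url] = (loc, verdict)
    return report

if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("strict", STRICT)):
        for url, (loc, verdict) in audit(CONSTRUCTED_REQUESTS, rule).items():
            print(f"{name:6} {url!r:45} -> {loc!r} [{verdict}]")
```

In this model the posted `\d*` lets `/f/t` with no digits redirect to `viewtopic.php?t=`, while the stricter pattern turns that request into a non-match; every other constructed input either redirects to a numeric topic or does not redirect at all.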

aero
Palom
Palom
Posts: 4781
Joined: Fri Mar 28, 2014 2:51 pm

Re: Request: Short Links to Forum Topics

Postby aero » Fri Feb 04, 2022 2:55 pm

Wohlstand wrote:
Fri Feb 04, 2022 4:22 am
Just out of sporting interest, what is really vulnerable here? Try to XSS my link and show how it sucks, I'm really interested to verify this and if it's really vulnerable, I'll change my mind.
Well I would have to find that specific XSS vulnerability first. If I were to start phishing I would just set up another site with a script to take session information and any other sensitive data, download malware to poison the DNS, start pharming credentials. Like I could just register wohlsoft.tk and then make a page at /f/12345 that is just the malware script or a fake log in page (or anything else, which is the problem) for permission to view a thread, and to a regular user it would look normal unless they were paying attention to the URL throughout the redirect.

Step by step:
1. I give a user the link to the phishing site.
2. They go to wohlsoft.tk/f/12345 and stay on wohlsoft.tk/f/12345 to download malware or enter credentials
3. I now have the user's credentials, and may have poisoned their DNS to make connections to wohlsoft.ru go to wohlsoft.tk automatically or installed a keylogger

Now if I were to find an XSS vulnerability on your website I could just put that link directly onto a vulnerable page that will load wohlsoft.tk/f/12345 without me having to give the link directly. So in essence a user will have to trust your page isn't vulnerable, or have to trust me that the link I give is legit and neither of which are safe options. This *can* be done with any site, but the issue with shortened URLs that lack information about where a link will go and redirecting is that it makes it easier for an attacker to take advantage of a user with phishing.

Wohlstand
Van De Graf
Van De Graf
Posts: 2005
Joined: Tue Feb 11, 2014 4:44 pm
Flair: [ˈvoːlˌʃtant], 狐エンジニア
Pronouns: he/him
Contact:

Re: Request: Short Links to Forum Topics

Postby Wohlstand » Fri Feb 04, 2022 3:03 pm

Technically, it's possible to phish even the full URL:

```
https://supermarlobrosx.org/forums/viewtopic.php?p=390795
```
And:

```
RewriteRule ^forums/viewtopic\.php\?(.*)$ /somecrap.php?ret=$1 [R=301]
```
Popular social networks have been phished very often, and they replicated social network pages very accurately, so, they had to steal login credentials and use them for spam purposes, etc.

