novice27b
Scratcher
1000+ posts

RIP Wikimedia Open Redirect Bug (image domain whitelist bypass)

Looking at the Wikimedia bug tracker, this bug/feature is just about to be fixed.

I think it's been almost 5 years since I first found this bug - I was specifically looking for a way to bypass the image whitelist, at the time.

All “dynamic” signature images etc. will break, until someone finds a new bug.
Boomer001
Scratcher
1000+ posts

OH NO
Boomer001
Scratcher
1000+ posts

It's fixed
What do we do now?
Maximouse
Scratcher
1000+ posts

Boomer001 wrote:

It's fixed
What do we do now?
I would probably set up a node.js bot which would periodically upload the image to Scratch as a project thumbnail. SVGs would not work this way.
Jeffalo
Scratcher
1000+ posts

i would like to apologize since this is probably mostly my doing.

but the quick reporting from the scratch team(?) and the quick fixing from wikimedia was very good.


… now we need an alternative. abusing scratch thumbnails seems doable, but they couldn't be svg quality and it's been said that thumbnails are a primary reason scratch is so slow sometimes.

RIP wikimedia open redirect, you will be missed.
Jeffalo
Scratcher
1000+ posts

i mean perhaps we should apologize to the scratch team for abusing the bug in the first place? i apologized to @codubee since it seems like he's the one who reported it.
--Explosion--
Scratcher
1000+ posts

Noo! I never even got to try! ;-;
apple502j
Scratcher
1000+ posts

Email disclosure time, I guess?

Thanks for the report. We're tracking this issue internally.

-Bryce
Scratch Team

On Tue, 21 Jul at 9:35 AM, Apple502j <email omitted> wrote:
I “heard” that by posting or setting a signature to an image to https://secure.wikimedia.org/wikipedia/scratch.mit.edu%5c/..%5csite-api/comments/user/kaj any people who visit it get logged out. The domain secure.wikimedia.org (or wikimedia.org) should be removed from forum allowlist to prevent image filter bypasses.
herohamp
Scratcher
1000+ posts

apple502j wrote:

Email disclosure time, I guess?

Thanks for the report. We're tracking this issue internally.

-Bryce
Scratch Team

On Tue, 21 Jul at 9:35 AM, Apple502j <email omitted> wrote:
I “heard” that by posting or setting a signature to an image to https://secure.wikimedia.org/wikipedia/scratch.mit.edu%5c/..%5csite-api/comments/user/kaj any people who visit it get logged out. The domain secure.wikimedia.org (or wikimedia.org) should be removed from forum allowlist to prevent image filter bypasses.
Are you the reason?!?!?
novice27b
Scratcher
1000+ posts

Jeffalo wrote:

i would like to apologize since this is probably mostly my doing.

but the quick reporting from the scratch team(?) and the quick fixing from wikimedia was very good.


… now we need an alternative. abusing scratch thumbnails seems doable, but they couldn't be svg quality and it's been said that thumbnails are a primary reason scratch is so slow sometimes.

RIP wikimedia open redirect, you will be missed.
No, I reported it almost 5 years ago lol.
novice27b
Scratcher
1000+ posts

apple502j wrote:

Email disclosure time, I guess?

Thanks for the report. We're tracking this issue internally.

-Bryce
Scratch Team

On Tue, 21 Jul at 9:35 AM, Apple502j <email omitted> wrote:
I “heard” that by posting or setting a signature to an image to https://secure.wikimedia.org/wikipedia/scratch.mit.edu%5c/..%5csite-api/comments/user/kaj any people who visit it get logged out. The domain secure.wikimedia.org (or wikimedia.org) should be removed from forum allowlist to prevent image filter bypasses.

I reported the same technique, but with the “Follow Discussion” link - which at the time was a GET request rather than a POST. So I used the bug to create a forum thread that would automatically make anyone who viewed it a follower.
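
Added example (not part of any post in this thread, and not Scratch's or DjangoBB's code): a forum-side image check that applies the host allowlist to every redirect hop and rejects the encoded-backslash path shape seen in the reported URL. The allowlist, the hosts, and the injected `head` fetcher are hypothetical, and the responses are constructed.

```python
from urllib.parse import urlsplit, urljoin, unquote

# Assumption: hypothetical allowlist and hosts; all sample data is constructed.
ALLOWED_HOSTS = {"images.example.org"}
REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 5

def host_allowed(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

def suspicious_path(url):
    # Decode once, then treat "\" like "/", as lenient URL handlers may.
    decoded = unquote(urlsplit(url).path)
    return "\\" in decoded or ".." in decoded.replace("\\", "/").split("/")

def check_image_url(url, head):
    """Return (ok, reason). head(url) -> (status, location) is an injected fetcher."""
    seen = set()
    for _ in range(MAX_HOPS + 1):
        # The allowlist is enforced on every hop, not only on the posted URL.
        if not host_allowed(url):
            return False, f"off-allowlist host: {urlsplit(url).hostname}"
        if suspicious_path(url):
            return False, "encoded backslash or dot segment in path"
        if url in seen:
            return False, "redirect loop"
        seen.add(url)
        status, location = head(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # resolve relative Location headers
            continue
        return status == 200, f"final status {status}"
    return False, "too many redirects"

# Constructed responses standing in for real HTTP HEAD requests.
CONSTRUCTED = {
    "https://images.example.org/cat.png": (200, None),
    "https://images.example.org/old.png": (301, "/cat.png"),
    "https://images.example.org/go?to=x": (302, "https://forum.example.net/api/logout"),
}

def fake_head(url):
    return CONSTRUCTED.get(url, (404, None))
```

A redirect target can change after a post is saved, so a check like this belongs at fetch time in an image proxy rather than only at post time. It complements, and does not replace, making state-changing endpoints such as the “Follow Discussion” link POST-only.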
ajsya
Scratcher
1000+ posts

Is this why my signature broke, I was wondering.

And I just started using this method.
Jeffalo
Scratcher
1000+ posts

novice27b wrote:

Jeffalo wrote:

i would like to apologize since this is probably mostly my doing.

but the quick reporting from the scratch team(?) and the quick fixing from wikimedia was very good.


… now we need an alternative. abusing scratch thumbnails seems doable, but they couldn't be svg quality and it's been said that thumbnails are a primary reason scratch is so slow sometimes.

RIP wikimedia open redirect, you will be missed.
No, I reported it almost 5 years ago lol.
nono i mean like i think i was (re)reminding people of it, by mentioning it recently and using it for my signature thing which led to more people knowing about it and then i guess st didn't like.

Last edited by Jeffalo (July 24, 2020 09:06:01)

miaow55
Scratcher
11 posts

Every image I have ever hosted. Gone.
Along with the decline of Cubeupload, images on the forums are dying.
Jeffalo
Scratcher
1000+ posts

miaow55 wrote:

Every image I have ever hosted. Gone.
Along with the decline of Cubeupload, images on the forums are dying.
you hosted all images using the wikimedia redirect?
miaow55
Scratcher
11 posts

Jeffalo wrote:

miaow55 wrote:

Every image I have ever hosted. Gone.
Along with the decline of Cubeupload, images on the forums are dying.
you hosted all images using the wikimedia redirect?
Yes, on my old account, I had roughly 1500 posts in the requests forum, around 20% of which contained images hosted through the aforementioned method.

Last edited by miaow55 (July 24, 2020 07:01:04)

CatsUnited
Scratcher
1000+ posts

[nevermind I didn't realise originally that this was fixed by wikimedia so even if I wanted to do this redirect outside of Scratch, it wouldn't work anymore]

Last edited by CatsUnited (July 24, 2020 09:32:03)

gdpr70f61245d597c25631fbb669
Scratcher
100+ posts

This issue was on wikimedia phabricator since november 2016, but was bumped only two days ago by a user with no other posts than to that issue. I will assume this is the responsibility for being fixed, however I am not convinced this was a bad thing as it was surely being used maliciously.

Yes, most people don't seem to realize that scratch is already hosting hundreds of millions of images, over 99% of which you've never seen (actual number!)

Last edited by gdpr70f61245d597c25631fbb669 (July 24, 2020 08:10:01)

Jeffalo
Scratcher
1000+ posts

Naleksuh wrote:

This issue was on wikimedia phabricator since november 2016, but was bumped only two days ago by a user with no other posts than to that issue. I will assume this is the responsibility for being fixed, however I am not convinced this was a bad thing as it was surely being used maliciously.

Yes, most people don't seem to realize that scratch is already hosting hundreds of millions of images, over 99% of which you've never seen (actual number!)
that user was scratch team member codubee.

ps. im working on a method to safely upload images to scratch project thumbnails integrated into the forums for maximum ease of use. i have a working tech demo but i'll release it somehow (i wish there was no extension policy) and hopefully it's helpful.

obviously it can't do things like “dynamic” images or svgs, but it gets the job done for working around cubeupload. also i think datonelefty made something like this already.
Boomer001
Scratcher
1000+ posts

This is the bug report (for the ones who are curious). As you can see, they were talking about the Scratch website, and that you can go around the whitelist. The bug report was created in 2016 (as explained by @Naleksuh) and was bumped up 2 days ago (by a Scratch Team member, as explained by @Jeffalo).

Last edited by Boomer001 (July 24, 2020 09:26:41)