Naughty words in generated URLs

[dj-foxxy]

Just had a 1 in 14 million event occur[1]: Nextcloud generated a URL with a path that starts with a four letter word beginning with c. Now, I'm very progressive, but others might feel it's a slight. Is it worth having a map of naughty words to non-naughty strings?

Steps to reproduce

1. Generate a random share URL
2. Inspect for naughty sub-strings
3. Repeat 1 and 2 approx. 7 million times.

[1] (26 + 26 + 10)^4 = 14,776,336

[nickvergessen]

You had cunt in a public share link? Or where?

[dj-foxxy]

@nickvergessen Yep, public share link right there at the front. Noticed a few days after it was sent to a customer.

[nickvergessen]

That's a bit unfortunate, but I guess filtering everything out is hard. I just had JAVA inside my app token today.

The problem is, who decides whether a word is a naughty word, and which languages should we check? What happens with leed replacements? Because if they are still 13ad, I don't see a way to have a filter that's "small enough" to avoid problems.

Currently I'd personally just say "sorry, please regenerate on your own". ¯\_(ツ)_/¯

[dj-foxxy]

I agreed. Just thought it was worth pointing out.

[nickvergessen]

Btw the change calculation is wrong, it's actually: (26 + 26 + 10)^4 / 12

Because we have 15 chars, so there can be 12 beginnings for a 4 letter word.

[dj-foxxy]

So, (15 + 15 + 10) ^ 4 = 2,560,000

With odds like that might need to reopen the issue :).

[blizzz]

When looking around for other incidents in a more or less similar fashion and it's handling with it: also the German national football team did not change the names of their players:

Source