EditToken now required for upload (was: MediaWiki security and maintenance release)


Note for authors of upload bots.
The just released MediaWiki 1.17.3 and 1.18.2, as well as Wikimedia
projects as of now, have changed to require the edit token for upload.

This had been done in 1.16, then backed out due to the disruption
produced to bots, and the fact that it wasn't possible to generate a
file upload with javascript. It is now possible to do with modern
browsers, so the check has gone in again.

If your bot is not providing an edit token on upload, it will start failing.

Relevant piece of the announcement copied below:

-------- Original message --------
Subject: MediaWiki security and maintenance release
Date: Thu, 22 Mar 2012 19:37:32 -0000
From: Sam Reed <[hidden email]>
To: <[hidden email]>
CC: [hidden email], [hidden email]

Jan Schejbal of Hatforce.com discovered a cross-site request forgery
(CSRF) vulnerability in Special:Upload. Modern browsers (since at least
as early as December 2010) are able to post file uploads without user
interaction, violating previous security assumptions within MediaWiki.

Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed
file types is broader than on public wikis. Note that CSRF allows
compromise of a wiki from an external website even if the wiki is behind
a firewall.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317

Wikibots-l mailing list
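To make the bot-side change concrete, here is an added example (not MediaWiki code and not from the post above) that simulates the check the announcement describes: a wiki that issues an edit token bound to the caller's session and refuses `action=upload` unless that token is presented. The token scheme (an HMAC over the session id with a server secret) is an assumption chosen for clarity, not MediaWiki's actual implementation; the API parameter names (`prop=info&intoken=edit` to fetch the token, `action=upload&token=...` to spend it) are the ones bots of the 1.17/1.18 era used. The `SimWiki` class, `bot_upload` function and the sample session ids are all constructed for this example.

```python
"""Simulated edit-token check for MediaWiki-style uploads (added example).

The point of the check: a forged cross-site upload rides on the victim's
session cookie, but the attacking page cannot read the session-bound token,
so the upload is rejected. A bot that fetches the token first still works.
"""
import hashlib
import hmac
import secrets

# Per-install secret; constructed at import time for this example.
SERVER_SECRET = secrets.token_bytes(32)
EDIT_TOKEN_SUFFIX = "+\\"  # MediaWiki appends "+\" to its edit tokens


def edit_token(session_id: str) -> str:
    """Token derived from the session (assumed scheme: HMAC-SHA256)."""
    mac = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256)
    return mac.hexdigest() + EDIT_TOKEN_SUFFIX


def token_valid(session_id: str, token) -> bool:
    """Constant-time comparison against the token for this session."""
    if not isinstance(token, str):
        return False
    expected = edit_token(session_id).encode()
    return hmac.compare_digest(token.encode(), expected)


class SimWiki:
    """Minimal stand-in for api.php handling the two relevant actions."""

    def __init__(self):
        self.files = {}  # filename -> bytes

    def api(self, session_id: str, params: dict) -> dict:
        action = params.get("action")
        if action == "query" and params.get("intoken") == "edit":
            # prop=info&intoken=edit returns an edittoken per page
            return {"query": {"pages": {"1": {
                "title": params.get("titles", ""),
                "edittoken": edit_token(session_id)}}}}
        if action == "upload":
            if "token" not in params:
                return {"error": {"code": "missingparam",
                                  "info": "The token parameter must be set"}}
            if not token_valid(session_id, params["token"]):
                return {"error": {"code": "badtoken", "info": "Invalid token"}}
            self.files[params["filename"]] = params["file"]
            return {"upload": {"result": "Success",
                               "filename": params["filename"]}}
        return {"error": {"code": "unknown_action"}}


def bot_upload(api_call, filename: str, data: bytes) -> dict:
    """Updated bot flow: fetch the edit token, then include it in the upload.

    api_call(params) -> dict stands in for a POST to api.php with the
    bot's own session cookie attached.
    """
    resp = api_call({"action": "query", "prop": "info", "intoken": "edit",
                     "titles": "File:" + filename})
    page = next(iter(resp["query"]["pages"].values()))
    return api_call({"action": "upload", "filename": filename,
                     "file": data, "token": page["edittoken"]})


def legacy_bot_upload(api_call, filename: str, data: bytes) -> dict:
    """Pre-change bot flow with no token: now fails, as the post warns."""
    return api_call({"action": "upload", "filename": filename, "file": data})


if __name__ == "__main__":
    wiki = SimWiki()
    bot = lambda p: wiki.api("bot-session", p)          # constructed session id
    print(legacy_bot_upload(bot, "Example.png", b"\x89PNG"))  # error: missingparam
    print(bot_upload(bot, "Example.png", b"\x89PNG"))         # Success
```

Because the token is tied to the session and only readable by code running on the wiki's own origin, a forged upload from a foreign site carries the cookie but not the token and lands in the `missingparam` branch; a token captured from some other session lands in `badtoken`. A bot only needs the one extra `query` call before each upload.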