EditToken now required for upload (was: MediaWiki security and maintenance release)
Note for authors of upload bots.
The just released MediaWiki 1.17.3 and 1.18.2, as well as Wikimedia
projects as of now, have changed to require the edit token for upload.
This had been done in 1.16, then backed out due to the disruption
produced to bots, and the fact that it wasn't possible to generate a
browsers, so the check has gone in again.
If your bot is not providing an edit token on upload, it will start failing.
Jan Schejbal of Hatforce.com discovered a cross-site request forgery
(CSRF) vulnerability in Special:Upload. Modern browsers (since at least
as early as December 2010) are able to post file uploads without user
interaction, violating previous security assumptions within MediaWiki.
Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed
file types is broader than on public wikis. Note that CSRF allows
compromise of a wiki from an external website even if the wiki is behind