If page [[A]] has a file link to [[File:foo]] and [[File:foo]] is a redirect to [[File:Bar]] Bar is not protected when [[A]] is cascade protected. Thus it opens a exploit to vandals to attack important pages if/when they end up using file redirects instead of direct links.
Version: 1.22.0
Severity: normal
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | None | T10575 Cascading Page Protection (tracking) | |||
| Resolved | Bawolff | T25542 Cascade protection and file redirects |
A transclusion over redirect is also stored under the target template in the templatelinks table.
This is not happen for files, so there is no entry in the imagelinks table and the cascade protection cannot work.
Change 105830 had a related patch set uploaded by Anomie:
Make imagelinks work like templatelinks
Should be deployed to WMF wikis with 1.23wmf10, see https://www.mediawiki.org/wiki/MediaWiki_1.23/Roadmap for the schedule.
This will, of course, depend on those pages linking to the redirect having a LinksUpdate job run (e.g. they need to be edited, or purged with forcelinkupdate, or the file redirect could be purged with forcerecursivelinkupdate).
So https://www.mediawiki.org/wiki/Manual:Administrators#Protection and similar could be updated?