Page MenuHomePhabricator
Create Task
Maniphest T16243

API allows editing with GET requests
Closed, ResolvedPublic
Actions

Description

Author: marco

Description:
patch

The edit part of the API accepts also request via GET; you can trick anonymous users to spam the wiki via giving them a link like [http://test.wikipedia.org/w/api.php?%61%63%74%69%6F%6E=%65%64%69%74&%74%69%74%6C%65=%55%73%65%72%3A%53%70%6C%61%72%6B%61&%73%75%6D%6D%61%72%79=%56%41%4E%44%41%4C%49%53%4D%21%21%31&%74%65%78%74=%62%69%74%65+%6D%65&%62%61%73%65%74%69%6D%65%73%74%61%6D%70=%32%30%30%38%30%35%32%33%32%31%33%35%32%39&%74%6F%6B%65%6E=%2B\].

A patch to require POST for editing is attached.

Version: unspecified
Severity: critical

Attached:

patch_editapi_bug.patch393 BDownload

Details

Reference
bz14243

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:11 PM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz14243.
bzimport created this task.May 23 2008, 10:01 PM
bzimport added a comment.May 23 2008, 10:09 PM

leon wrote:

Commited to SVN trunk, r35259 and r35260.

Catrope added a comment.May 24 2008, 8:38 AM

What the hell, I could've sworn I'd enabled mustBePosted there...

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL