Special:ImportTranslations allows to edit protected pages
Open, LowPublic
Actions

Assigned To

None

Authored By

	Nemo_bis
	Feb 8 2014, 10:29 AM

Description

On a wiki where you can export/import:

find on Special:ProtectedPages a message you can't edit, or ask someone to make one;
identify the group it belongs to and do a Special:Translate export in po format;
change something in the po file for that message;
upload the po translations in Special:ImportTranslations and confirm.

I. Expected: the change is discarded.
II. Observed: the edit goes through.
III. Note: both TUX and the old translation editor (e.g. https://meta.wikimedia.org/w/index.php?title=Special%3ATranslate&taction=proofread&group=Centralnotice-tgroup-B13_0701_txtpm_CntrlEnt_dr_enSG&language=qqq&limit=100&task=reviewall) let me open the message for translation but then correctly fail with «Errore durante il salvataggio della traduzione: The "editprotected" right is required to edit this page».

URL: https://meta.wikimedia.org/w/index.php?title=CNBanner:B13_0701_txtpm_CntrlEnt_dr_enSG-hide-cookie-max-count/qqq&action=history

Details

Reference: bz61087

Event Timeline

• bzimport raised the priority of this task from to Low.Nov 22 2014, 2:52 AM

• bzimport added a project: MediaWiki-extensions-Translate.

• bzimport set Reference to bz61087.

• bzimport added a subscriber: Unknown Object (MLST).

Nemo_bis created this task.Feb 8 2014, 10:29 AM

Protected pages and translatable pages are fundamentally incompatible. Unmark a page for translation if you want to be able to protect it. This feature request will not be honored.

Siebrand, you may need to read more carefully: not the page, but a message is protected. I was told to file this bug by Niklas.

(In reply to comment #2)

a message is protected.

Thank you for making the effort to file a bug, Federico.

I think this makes it even more clear page protection and translatable pages are incompatible. Niklas telling you to file a bug is not relevant for the bug state.

The example page is from central notice translations, not translatable page.

(In reply to comment #1)

Protected pages and translatable pages are fundamentally incompatible.

Shouldn't $title->userCan('edit') work on any type of page? This seems like a pretty large bug.

Can you "import" a translation to overwrite a page in the MediaWiki namespace?

(In reply to comment #5)

Can you "import" a translation to overwrite a page in the MediaWiki
namespace?

Needs testing on an appropriately configured wiki. On Meta (and most wikis) you can't make a MediaWiki page directly translatable and when a page doesn't belong to a message group any handcrafted po import will probably fail in way earlier stages.

Reopening. While I don't generally care about supporting protected pages with translation, it is not good to be able to bypass restrictions. There is is chance that in due time someone will use this together with some other vulnerability to do a nasty exploit.

Can/must be addressed by being stricter in or around allowProcess() in MessageWebImporter?

Nemo_bis added a project: Security-General.Aug 17 2015, 4:12 PM

Nemo_bis set Security to None.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2015, 4:12 PM

Nikerabbit moved this task from Backlog to Statistics on the MediaWiki-extensions-Translate board.Apr 20 2016, 12:06 PM

Nikerabbit updated the task description. (Show Details)

Nikerabbit removed a subscriber: • wikibugs-l-list.

• Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:16 AM

Aklapper removed a project: Security-General.Dec 13 2019, 10:46 AM

• chasemp added a project: Security.Feb 10 2020, 11:00 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM

DannyS712 subscribed.Mar 24 2020, 12:35 AM