
Special:ToggleUserPage should require a POST submit to perform changes
Closed, Resolved · Public

Description

Visiting Special:ToggleUserPage switches your user page between wiki page and user profile.

Performing changes on a GET request is very bad for performance and caching. But also you can cause havoc if you send a link pointing to that URL to someone who is logged in on the wiki, or embed a link to it as an image in a public forum or similar.
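To make the reported pattern and its fix concrete, here is an added example of a MediaWiki special page that only performs the toggle on a POST carrying a valid edit token. It is not SocialProfile's actual code; the class name, the `profile-type` user option used to store the choice, and the confirmation text are assumptions.

```php
<?php
// Added illustration, not SocialProfile's code. Assumes MediaWiki's SpecialPage
// base class and a hypothetical user option 'profile-type' holding the choice.
use MediaWiki\MediaWikiServices;

class SpecialToggleUserPageExample extends SpecialPage {
	public function __construct() {
		parent::__construct( 'ToggleUserPageExample' );
	}

	public function execute( $par ) {
		$this->setHeaders();
		$this->requireLogin();   // anonymous visitors have no profile to toggle
		$this->checkReadOnly();

		$request = $this->getRequest();
		$user = $this->getUser();

		// The reported bug is calling toggle() unconditionally here, so any GET
		// (a shared link, an <img src>, a prefetch) changes the visitor's setting.
		// Only a POST whose token matches this user's session may change state;
		// everything else just renders the confirmation form.
		if ( $request->wasPosted()
			&& $user->matchEditToken( $request->getVal( 'wpEditToken' ) )
		) {
			$this->toggle( $user );
			$this->getOutput()->addHTML( Html::element( 'p', [], 'Your user page type was switched.' ) );
			return;
		}

		$this->showForm();
	}

	private function toggle( User $user ) {
		$options = MediaWikiServices::getInstance()->getUserOptionsManager();
		$current = $options->getOption( $user, 'profile-type' );   // hypothetical option
		$options->setOption( $user, 'profile-type', $current === 'profile' ? 'wiki' : 'profile' );
		$options->saveOptions( $user );
	}

	private function showForm() {
		// The form carries the session-bound token a cross-site page cannot read.
		$this->getOutput()->addHTML(
			Html::openElement( 'form', [ 'method' => 'post', 'action' => $this->getPageTitle()->getLocalURL() ] ) .
			Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() ) .
			Html::submitButton( 'Switch user page type', [] ) .
			Html::closeElement( 'form' )
		);
	}
}
```

Because the write now happens only on a token-bearing POST, a GET to the page is idempotent and can be cached or linked to without side effects.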

Event Timeline

Restricted Application added a project: Social-Tools. · Aug 20 2018, 11:15 AM
ashley moved this task from Backlog to SocialProfile on the Social-Tools board. · Jan 13 2020, 11:55 PM

Change 573580 had a related patch set uploaded (by Jack Phoenix; owner: Jack Phoenix):
[mediawiki/extensions/SocialProfile@master] [SECURITY] Add token checks to prevent CSRF to various places which do write actions

https://gerrit.wikimedia.org/r/573580

Change 573580 merged by Legoktm:
[mediawiki/extensions/SocialProfile@master] [SECURITY] Add token checks to prevent CSRF to various places which do write actions

https://gerrit.wikimedia.org/r/573580

ashley closed this task as Resolved. · Feb 20 2020, 3:14 PM
ashley claimed this task.