Page MenuHomePhabricator

Cascade protection and file redirects
Closed, ResolvedPublic


If page [[A]] has a file link to [[File:foo]] and [[File:foo]] is a redirect to [[File:Bar]] Bar is not protected when [[A]] is cascade protected. Thus it opens a exploit to vandals to attack important pages if/when they end up using file redirects instead of direct links.

Version: 1.22.0
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:03 PM
bzimport set Reference to bz23542.

A transclusion over redirect is also stored under the target template in the templatelinks table.

This is not happen for files, so there is no entry in the imagelinks table and the cascade protection cannot work.

Poke, this is still a exploitable vulnerability that needs fixed.

Change 105830 had a related patch set uploaded by Anomie:
Make imagelinks work like templatelinks

Change 105830 merged by jenkins-bot:
Make imagelinks work like templatelinks

Should be deployed to WMF wikis with 1.23wmf10, see for the schedule.

This will, of course, depend on those pages linking to the redirect having a LinksUpdate job run (e.g. they need to be edited, or purged with forcelinkupdate, or the file redirect could be purged with forcerecursivelinkupdate).