Since the fix of T25655, adding a page to the watchlist needs a token.
The API module setnotificationtimestamp also required a token.
MediaWiki should force a token at least for the reset="all" on the watchlist.
Version: 1.21.x
Severity: normal
The reset option does write actions on the database, so this should be protected against CSRF or so. You can submit a POST against https://www.mediawiki.org/wiki/Special:Watchlist?reset=all and the show marker on the watchlist of the logged-in user gets cleared.
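The token requirement this report asks for, sketched as an added example. It is not MediaWiki's code: the function names, the per-session secret and the HMAC-derived token are assumptions made for illustration, and the sample requests are constructed.

```php
<?php
// Added illustration, not MediaWiki code. All names here are hypothetical.

/** Derive a token bound to this session and to the reset action. */
function watchlistResetToken(string $sessionSecret): string
{
    return hash_hmac('sha256', 'watchlist-reset', $sessionSecret);
}

/**
 * Decide whether a reset=all request may perform its database write.
 * $method is the HTTP method, $params the request parameters and
 * $sessionSecret a secret stored server-side in the user's session.
 */
function mayResetWatchlist(string $method, array $params, string $sessionSecret): bool
{
    if (($params['reset'] ?? null) !== 'all') {
        return false; // not a reset request
    }
    if ($method !== 'POST') {
        return false; // a write must not be reachable through GET
    }
    $supplied = $params['token'] ?? '';
    if (!is_string($supplied) || $supplied === '') {
        return false; // a cross-site form cannot know the token
    }
    // Constant-time comparison of the expected and the supplied token.
    return hash_equals(watchlistResetToken($sessionSecret), $supplied);
}

// Constructed sample requests for one logged-in session.
$secret = bin2hex(random_bytes(32));
$valid  = watchlistResetToken($secret);
$cases  = [
    'POST without token'    => ['POST', ['reset' => 'all']],
    'GET with valid token'  => ['GET',  ['reset' => 'all', 'token' => $valid]],
    'POST with wrong token' => ['POST', ['reset' => 'all', 'token' => str_repeat('0', 64)]],
    'POST with valid token' => ['POST', ['reset' => 'all', 'token' => $valid]],
];
foreach ($cases as $label => [$method, $params]) {
    $verdict = mayResetWatchlist($method, $params, $secret) ? 'write allowed' : 'rejected';
    printf("%-24s %s\n", $label, $verdict);
}
```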