Page MenuHomePhabricator
Create Task
Maniphest T62218

Flow: Can bypass any protection and blank pages
Closed, ResolvedPublic
Actions

Description

Examples: https://www.mediawiki.org/w/index.php?title=MediaWiki:I_hope_this_doesn%27t_work&action=history and https://www.mediawiki.org/w/index.php?title=User_talk:Legoktm/Foo&action=history

How to reproduce:

Go to [[mw:Special:ApiSandbox]]:

  • action=flow
  • page= page you want to blank
  • params={"topic_list": {"topic": "Topic!", "content": "Content!"}}
  • token=Flow token from API, +\ if you're logged out

Press Make request, and the page will be replaced with the string: "This talk page has been taken over by a [https://www.mediawiki.org/wiki/Special:MyLanguage/Flow_Portal Flow board]."

Quick fix: Stick a $title->userCan('edit', $this->getUser()) check in ApiFlow

Version: unspecified
Severity: blocker
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=66994

Details

Reference
bz60218

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.Nov 22 2014, 3:05 AM
bzimport added a project: StructuredDiscussions.
bzimport set Reference to bz60218.
bzimport added a subscriber: Unknown Object (MLST).
Legoktm created this task.Jan 19 2014, 1:44 AM
coren added a comment.Jan 19 2014, 1:46 AM

That one's a bad one!

coren added a comment.Jan 19 2014, 1:47 AM

Bumping to highest (this should probably even be immediate).

coren added a comment.Jan 19 2014, 1:50 AM

After brief chat with James_F, bumping to immediate/blocker

Legoktm added a comment.Jan 19 2014, 3:37 AM

Ic331595ddc1014657e9582b657b0351044ae327d

Legoktm added a comment.Jan 19 2014, 3:38 AM

Err, didn't mean to change the fields.

EBernhardson added a comment.Jan 19 2014, 4:11 AM

cherry-picked to 1.23wmf11 and deployed

Quiddity removed a subscriber: Maryana.Dec 19 2014, 1:33 AM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 5:57 PM
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptJan 28 2016, 5:57 PM
Restricted Application added a subscriber: Luke081515. · View Herald Transcript
Ironholds set Security to None.Jan 29 2016, 2:50 PM
Ironholds unsubscribed.
chasemp added a project: Security.Feb 10 2020, 10:50 PM
Restricted Application added a subscriber: Liuxinyu970226. · View Herald TranscriptFeb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits