SECURITY: Make Special:MyPage and friends fake redirect to prevent info leak

Authored by csteipp.

Description

SECURITY: Make Special:MyPage and friends fake redirect to prevent info leak

This prevents a malicious person from using external resources on their
website to cause the victim's web browser to load
Special:MyPage -> User:Username, and then looking it up in the page hit
statistics in order to correlate IPs from the malicious person's server
log, with usernames on wiki.

This feature can be disabled with $wgHideIdentifiableRedirects.

Bug: T109724
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Change-Id: Ia0e742dc92c77af4832174dfa24c6dcaa6ee80e9
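
The leak and the fake-redirect mitigation described in the commit message, as an added example that is not part of the commit or of MediaWiki's code. It is a simplified model that assumes hit statistics are keyed by the title in the requested URL; `serve`, `browser_get` and `identifiable_titles` are hypothetical names, and the `hide_identifiable_redirects` parameter stands in for `$wgHideIdentifiableRedirects`.

```python
from collections import Counter

ALIAS = "Special:MyPage"  # resolves to the viewer's own user page


def serve(title, session_user, hits, hide_identifiable_redirects):
    """Handle one request. Returns (status, location, rendered_title).

    Assumption: hit statistics are keyed by the title in the requested URL.
    """
    hits[title] += 1
    if title != ALIAS:
        return 200, None, title
    target = "User:" + session_user
    if hide_identifiable_redirects:
        # Fake redirect: render the target in place. The browser never
        # issues a request whose URL contains the username.
        return 200, None, target
    # Real redirect: the browser's follow-up request names the user page.
    return 302, target, None


def browser_get(title, session_user, hits, hide_identifiable_redirects):
    """Load a title as a browser would, following any 302 it receives."""
    status, location, rendered = serve(
        title, session_user, hits, hide_identifiable_redirects)
    while status == 302:
        status, location, rendered = serve(
            location, session_user, hits, hide_identifiable_redirects)
    return rendered


def identifiable_titles(hits):
    """Titles in the statistics that name a specific user."""
    return sorted(t for t in hits if t.startswith("User:"))


if __name__ == "__main__":
    for hide in (False, True):
        hits = Counter()
        # Constructed sample: logged-in user "Alice" loads the alias.
        page = browser_get(ALIAS, "Alice", hits, hide)
        print(hide, page, dict(hits), identifiable_titles(hits))
```

In both modes the viewer is shown `User:Alice`; only with the real redirect does a per-user title appear in the statistics.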

Details

Committed
demon, Dec 18 2015, 12:31 AM
Parents
rMWea5ed444d86f: Fixed some doc errors in tryNormaliseRedirect()
Branches
Unknown
Tags
Unknown
References
refs/changes/09/259909/1
ChangeId
Ia0e742dc92c77af4832174dfa24c6dcaa6ee80e9