Here's how my wiki is set up: New users can `upload` and `reupload-own`, but you need to be autoconfirmed to `reupload` files uploaded by other users. However, this can be totally bypassed by reverting a file. After the revert is done, the user with only `reupload-own` is able to reupload the file that they didn't originally upload.
Pictured: File page for new user with only `upload` and `reupload-own` rights.
{F35020678}
Pictured: The same file page moments later after the user reverts to one of the earlier revisions.
{F35020680}
The user still doesn't have the `reupload` right, but they have bypassed the `reupload-own` restriction and can now upload a new version of the file.
Here's the exploit in action:
{F35020685}
I'm guessing that the system is just checking for the user in the file upload history and recognizes the revert as an upload. It should probably check if they are the original uploader, or perhaps require the `reupload` right to perform reverts.
This is on MediaWiki 1.35.5.
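The two checks the report contrasts, as an added example that is not part of the original report and is not MediaWiki's code. It is a simplified Python model of the reporter's guess about the cause, which the page does not confirm; `Entry`, `allowed_guessed`, `allowed_original_uploader`, `revert` and the sample history are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    actor: str  # account that created this file-history entry
    kind: str   # "upload" or "revert"

def allowed_guessed(user, rights, history):
    """The check the report guesses at: any history entry by the user counts as 'own'."""
    if "reupload" in rights:
        return True
    return "reupload-own" in rights and any(e.actor == user for e in history)

def allowed_original_uploader(user, rights, history):
    """Suggested fix 1: 'own' means the user made the first upload of the file."""
    if "reupload" in rights:
        return True
    return "reupload-own" in rights and bool(history) and history[0].actor == user

def revert(user, rights, history, require_reupload=False):
    """Append a revert entry. Suggested fix 2: require `reupload` to revert."""
    if require_reupload and "reupload" not in rights:
        raise PermissionError("revert requires the reupload right")
    return history + [Entry(user, "revert")]

def demo():
    new_user = {"upload", "reupload-own"}  # constructed rights of a new account
    # Constructed history: two versions, both uploaded by another account.
    history = [Entry("Alice", "upload"), Entry("Alice", "upload")]
    results = {"before_revert": allowed_guessed("Bob", new_user, history)}
    after = revert("Bob", new_user, history)  # the revert is recorded under Bob
    results["guessed_after_revert"] = allowed_guessed("Bob", new_user, after)
    results["original_after_revert"] = allowed_original_uploader("Bob", new_user, after)
    # A file Bob really did upload must stay overwritable under the stricter check.
    results["own_file"] = allowed_original_uploader("Bob", new_user, [Entry("Bob", "upload")])
    try:
        revert("Bob", new_user, history, require_reupload=True)
        results["revert_gated"] = False
    except PermissionError:
        results["revert_gated"] = True
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```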