Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T16243, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 14243 - API allows editing with GET requests

Summary:	API allows editing with GET requests

Status: RESOLVED FIXED Product: MediaWiki Classification: Unclassified Component: API (Other open bugs) Version: unspecified Hardware: All All Importance: Normal critical (vote) Target Milestone: --- Assigned To: Roan Kattouw URL: Whiteboard: Keywords: Depends on: Blocks:   Show dependency tree / graph		Reported: 2008-05-23 22:01 UTC by Marco Modified: 2008-05-24 08:38 UTC (History) CC List: 5 users (show) ayg leon roan.kattouw vasilvv wikibugs-l See Also: Web browser: --- Mobile Platform: --- Assignee Huggle Beta Tester: ---

Attachments patch (393 bytes, patch) 2008-05-23 22:01 UTC, Marco Details Add an attachment (proposed patch, testcase, etc.)

Description Marco 2008-05-23 22:01:22 UTC Created attachment 4920 [details] patch The edit part of the API accepts also request via GET; you can trick anonymous users to spam the wiki via giving them a link like [http://test.wikipedia.org/w/api.php?%61%63%74%69%6F%6E=%65%64%69%74&%74%69%74%6C%65=%55%73%65%72%3A%53%70%6C%61%72%6B%61&%73%75%6D%6D%61%72%79=%56%41%4E%44%41%4C%49%53%4D%21%21%31&%74%65%78%74=%62%69%74%65+%6D%65&%62%61%73%65%74%69%6D%65%73%74%61%6D%70=%32%30%30%38%30%35%32%33%32%31%33%35%32%39&%74%6F%6B%65%6E=%2B\]. A patch to require POST for editing is attached. Comment 1 Leon Weber 2008-05-23 22:09:05 UTC Commited to SVN trunk, r35259 and r35260. Comment 2 Roan Kattouw 2008-05-24 08:38:26 UTC What the hell, I could've sworn I'd enabled mustBePosted there...