Last modified: 2009-10-28 03:39:09 UTC
On en.wikipedia, I made an API query with the following parameters: action = upload format = xml filename = Test.jpg token = [some token] url = http://www.example.com/something.jpg The upload failed with the following result: <?xml version="1.0"?><api><error code="&lt;Error sending request: #28 connect() timed out!&gt;" info="fetchfileerror" /></api> I repeated this with a local test wiki and got this: <?xml version="1.0"?><api><error code="An HTTP error occured: HTTP/1.1 404 Not Found" info="fetchfileerror" /></api> and with a packet sniffer I see that indeed a "GET /something.jpg" HTTP request was sent to www.example.com. I then repeated this with url set to an image that actually exists, http://www.google.com/intl/en_ALL/images/logo.gif - now my test wiki gives <?xml version="1.0"?><api><upload upload_session_key="260384685" /></api> which I think (the documentation is pretty much non-existent) is supposed to mean the upload succeeded, but in fact no file was uploaded. Problem: Both my local wiki and en.wikipedia have $wgAllowCopyUploads set to false, and in neither case did the account I attempted this from have the upload_by_url right. MediaWiki shouldn't be going anywhere near the remote server unless the user has permission to upload by URL -- otherwise anyone with normal upload access can spam API queries with 'url' set to some huge file, and make the server eat its own bandwidth.
added early check of permissions in r58242