Last modified: 2014-11-17 10:36:43 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T35388, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 33388 - Preferences should not use editToken
Preferences should not use editToken
Status: REOPENED
Product: MediaWiki
Classification: Unclassified
User preferences (Other open bugs)
1.18.x
All All
: Normal major with 1 vote (vote)
: Future release
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-12-27 18:01 UTC by Umherirrender
Modified: 2014-11-17 10:36 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Umherirrender 2011-12-27 18:01:08 UTC
At the moment, you can change the preferences from each page with javascript:

$.post( '/wiki/Special:Preferences', { 'wpEditToken': mw.user.tokens.get('editToken'), 'wprcdays': 21 } );

Is this intended? Maybe it is better to use an own token for Preferences and not the edit token, to avoid this. Please close as WONTFIX, when all is right. Thanks.
Comment 1 Krinkle 2011-12-27 18:04:04 UTC
A little while ago when the idea for a writable preferences api came up, the subject was raised that we don't want JavaScript gadgets to be able to mess with preferences.

Looks like it already could. I'd assume this is not intended and should not be relied on.
Comment 2 Fomafix 2011-12-31 14:56:15 UTC
A separate token for preferences would be readable by

 $.get('/wiki/Special:Preferences')
Comment 3 Fomafix 2012-01-04 20:42:47 UTC
A possibility to prevent unwanted changes of the preferences is to force solving a [[CAPTCHA]] for every change.
Comment 4 Krinkle 2012-01-04 20:43:39 UTC
Hm..  yeah, at first I don't see another solution.
Comment 5 Fomafix 2012-01-04 20:57:26 UTC
A possibility prevent reading a special preferences token by an other page is to move the preferences page out of the [[same origin policy]].
Comment 6 Krinkle 2012-02-29 00:01:29 UTC
Yeah, the thing is though we probably still the ability (in the future) to configure certain things from a script. However that's what APIs are for.

One can send cross-domain requests from JS, just not read/receive them. So if we would move it out of the same-origin, machines can still make requests to it and the other end would then detect the missing token and ask for human confirmation in a visual way.

I like it, although it's hard to realize since most MediaWiki wikis only have 1 domain.
Comment 7 Krinkle 2012-02-29 00:02:31 UTC
Lowering priority and milestone. This is a valid issue but not something of great concern right now. Scripts can access it, yes. But only when executed from the wiki-domain, and on the wiki-domain only scripts that the user trusted are executed.
Comment 8 Fomafix 2012-05-05 08:25:18 UTC
Since Bug 18195 it is also possible to change the preferences via API.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links