Last modified: 2010-10-26 09:29:25 UTC
David Levy said on http://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28proposals%29#Salted_pages :
------------------------------------------------------------------------------------------------------
I'm surprised to learn that cascading semi-protection is possible, as this enables anyone with a non-new account to semi-protect pages. That's a far worse problem than the display of that message (which would require developer intervention to change) and I don't believe that cascading semi-protection should ever be applied for any reason. In my opinion, it should be formally prohibited via the protection policy. —David Levy 18:34, 27 January 2007 (UTC)
------------------------------------------------------------------------------------------------------

In fact, the situation is far worse, since when semi-protection cascades it becomes full (per Bug 8658). Thus, users can full-protect arbitrary pages by editing a semi-protected page with cascade enabled. The only reasonable solution I see is to disable cascade completely for semi-protected pages.
Workaround: don't cascade semi-protected pages until this is fixed. It might be advisable to add this as a note to the system message for now. I agree that there's not any mileage in allowing cascading semi-protects at all. It's only a tool to prevent casual vandalism in the first place, so it's no big deal if someone can avoid it by going to a little trouble.
Good idea. Ixfd64 put such a warning, and I made it more forceful.
How is this just an enhancement? It seems like a privilege escalation vulnerability to me.
I changed to major, seems more like that to me.
And this was reported on Wikizine: http://en.wikizine.org/2007/03/year-2007-week-11-number-64.html Great, so everyone knows about it now, and everyone can exploit it. Recommend raising priority.
(Note that this isn't really a privilege escalation, since it doesn't let you _do_ new things; at worst it blocks anonymous editing to more pages than were asked. It cannot, for instance, allow you to edit pages you weren't supposed to be able to.)
Fixed in r20461. Cascade only applies if all the protection types are set to groups that can "protect".
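The rule stated in the fix above, written out as a simplified model. This is an added example, not the MediaWiki code from r20461; the group names, the rights table, the page records and all function names are constructed assumptions, and a restriction level is treated as the name of the group required for that action.

```python
# Simplified model of "cascade only applies if all the protection types are
# set to groups that can 'protect'". Not MediaWiki source; all names assumed.

# Constructed rights table: which rights each group holds.
GROUP_RIGHTS = {
    "autoconfirmed": {"edit"},
    "sysop": {"edit", "protect"},
}

def cascade_allowed(restrictions, group_rights=GROUP_RIGHTS):
    """restrictions maps a protection type ('edit', 'move') to a group name.

    Cascade is permitted only when every type is set to a group holding
    'protect'. Empty settings, unset types and unknown groups fail closed.
    """
    if not restrictions:
        return False
    return all(
        "protect" in group_rights.get(level, set())
        for level in restrictions.values()
    )

def effective_cascade(requested, restrictions, group_rights=GROUP_RIGHTS):
    """Enforce the rule server-side: drop a requested cascade flag that the
    protection levels do not justify, whatever the submitted form says."""
    return bool(requested) and cascade_allowed(restrictions, group_rights)

def audit(pages, group_rights=GROUP_RIGHTS):
    """Return titles of stored records that still have cascade switched on
    while failing the rule, i.e. pages protected before the fix."""
    return [
        p["title"] for p in pages
        if p["cascade"] and not cascade_allowed(p["restrictions"], group_rights)
    ]

# Constructed sample records.
SAMPLE_PAGES = [
    {"title": "Template:A", "cascade": True,
     "restrictions": {"edit": "sysop", "move": "sysop"}},
    {"title": "Template:B", "cascade": True,
     "restrictions": {"edit": "autoconfirmed", "move": "autoconfirmed"}},
    {"title": "Template:C", "cascade": False,
     "restrictions": {"edit": "autoconfirmed", "move": "sysop"}},
]

if __name__ == "__main__":
    print(audit(SAMPLE_PAGES))
```

The audit step matters because a rule enforced only when protection is set does not touch pages that were cascade semi-protected earlier.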
(In reply to comment #5)
> And this was reported on Wikizine:

Some people have absolutely no sense of responsibility.
This is not a matter of irresponsibility but of informing the users. The possibility of abuse by this function was limited. For sysops to know how to solve problems, they need to know how things work so you know what to look for to solve a problem.