Last modified: 2014-10-01 19:10:11 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T25542, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 23542 - Cascade protection and file redirects
Cascade protection and file redirects
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Page protection (Other open bugs)
1.22.0
All All
: Normal normal with 1 vote (vote)
: ---
Assigned To: Bawolff (Brian Wolff)
:
Depends on:
Blocks: 8575
  Show dependency treegraph
 
Reported: 2010-05-16 03:00 UTC by Betacommand
Modified: 2014-10-01 19:10 UTC (History)
8 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Betacommand 2010-05-16 03:00:26 UTC 
If page [[A]] has a file link to [[File:foo]] and [[File:foo]] is a redirect to [[File:Bar]] Bar is not protected when [[A]] is cascade protected. Thus it opens a exploit to vandals to attack important pages if/when they end up using file redirects instead of direct links.
Comment 1 db [inactive,noenotif] 2011-01-23 19:27:09 UTC 
A transclusion over redirect is also stored under the target template in the templatelinks table.

This is not happen for files, so there is no entry in the imagelinks table and the cascade protection cannot work.
Comment 2 Betacommand 2013-06-13 17:13:42 UTC 
Poke, this is still a exploitable vulnerability that needs fixed.
Comment 3 Bawolff (Brian Wolff) 2013-06-13 23:35:19 UTC 
I'll look into this
Comment 4 Gerrit Notification Bot 2014-01-06 21:30:57 UTC 
Change 105830 had a related patch set uploaded by Anomie:
Make imagelinks work like templatelinks

https://gerrit.wikimedia.org/r/105830
Comment 5 Gerrit Notification Bot 2014-01-07 23:17:42 UTC 
Change 105830 merged by jenkins-bot:
Make imagelinks work like templatelinks

https://gerrit.wikimedia.org/r/105830
Comment 6 Brad Jorsch 2014-01-08 16:47:27 UTC 
Should be deployed to WMF wikis with 1.23wmf10, see https://www.mediawiki.org/wiki/MediaWiki_1.23/Roadmap for the schedule.

This will, of course, depend on those pages linking to the redirect having a LinksUpdate job run (e.g. they need to be edited, or purged with forcelinkupdate, or the file redirect could be purged with forcerecursivelinkupdate).
Comment 7 Bohdan 2014-10-01 19:10:11 UTC 
So https://www.mediawiki.org/wiki/Manual:Administrators#Protection and similar could be updated?
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links