Last modified: 2010-10-26 09:29:25 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T10796, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 8796 - Semi-protection should not cascade
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Page editing
Version: unspecified
Hardware: All All
Importance: Normal major with 3 votes
Assigned To: Nobody - You can work on this!
Blocks: 8575
Reported: 2007-01-27 20:15 UTC by Matthew Flaschen
Modified: 2010-10-26 09:29 UTC

Description Matthew Flaschen 2007-01-27 20:15:06 UTC
David Levy said on
http://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28proposals%29#Salted_pages :
------------------------------------------------------------------------------------------------------
I'm surprised to learn that cascading semi-protection is possible, as this
enables anyone with a non-new account to semi-protect pages. That's a far worse
problem than the display of that message (which would require developer
intervention to change) and I don't believe that cascading semi-protection
should ever be applied for any reason. In my opinion, it should be formally
prohibited via the protection policy. —David Levy 18:34, 27 January 2007 (UTC)
------------------------------------------------------------------------------------------------------
In fact, the situation is far worse, since when semi-protection cascades it
becomes full (per Bug 8658).  Thus, users can full-protect arbitrary pages by
editing a semi-protected page with cascade enabled.

The only reasonable solution I see is to disable cascade completely for
semi-protected pages.
Comment 1 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-01-29 01:04:45 UTC
Workaround: don't cascade semi-protected pages until this is fixed.  It might be advisable to add 
this as a note to the system message for now.

I agree that there's not any mileage in allowing cascading semi-protects at all.  It's only a tool 
to prevent casual vandalism in the first place, so it's no big deal if someone can avoid it by going 
to a little trouble.
Comment 2 Matthew Flaschen 2007-01-29 02:34:59 UTC
Good idea.  Ixfd64 put such a warning, and I made it more forceful.
Comment 3 Matthew Flaschen 2007-01-29 03:07:51 UTC
How is this just an enhancement?  It seems like a privilege escalation
vulnerability to me.
Comment 4 Schuyler Thompson (xxpor) 2007-01-29 03:44:28 UTC
I changed to major, seems more like that to me.
Comment 5 Titoxd 2007-03-14 19:14:15 UTC
And this was reported on Wikizine:

http://en.wikizine.org/2007/03/year-2007-week-11-number-64.html

Great, so everyone knows about it now, and everyone can exploit it. Recommend
raising priority.
Comment 6 Brion Vibber 2007-03-14 19:36:31 UTC
(Note that this isn't really a privilege escalation, since it doesn't let you
_do_ new things; at worst it blocks anonymous editing to more pages than were
asked. It cannot, for instance, allow you to edit pages you weren't supposed to
be able to.)
Comment 7 Aaron Schulz 2007-03-14 19:44:23 UTC
Fixed in r20461. Cascade only applies if all the protection types are set to
groups that can "protect".
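
The rule stated in comment 7, modelled as an added example (not MediaWiki's code and not part of the original thread). Group names, rights, page titles and function names are assumptions made for illustration; `enforce_rule=False` models the behaviour described in the report.

```python
# Simplified model of the rule in comment 7; not MediaWiki source code.
# Group names, rights and page titles are constructed for illustration.
GROUP_RIGHTS = {
    "autoconfirmed": {"edit"},
    "sysop": {"edit", "protect"},
}

PAGES = {
    "Semi page": {"restrictions": {"edit": "autoconfirmed", "move": "autoconfirmed"},
                  "cascade": True, "transcludes": {"Template:Foo"}},
    "Mixed page": {"restrictions": {"edit": "autoconfirmed", "move": "sysop"},
                   "cascade": True, "transcludes": {"Template:Header"}},
    "Main Page": {"restrictions": {"edit": "sysop", "move": "sysop"},
                  "cascade": True, "transcludes": {"Template:Header"}},
}


def cascade_allowed(restrictions):
    """True only if every protection type requires a group holding 'protect'.

    An unprotected page (no restrictions) never cascades (assumption)."""
    return bool(restrictions) and all(
        "protect" in GROUP_RIGHTS.get(group, set())
        for group in restrictions.values()
    )


def cascading_sources(pages, target, enforce_rule=True):
    """Titles of pages whose cascade flag takes effect on `target`."""
    hits = []
    for title, page in pages.items():
        if not page["cascade"] or target not in page["transcludes"]:
            continue
        if enforce_rule and not cascade_allowed(page["restrictions"]):
            continue  # flag ignored: editors without 'protect' could extend it
        hits.append(title)
    return sorted(hits)


def ineffective_cascades(pages):
    """Audit helper: pages flagged as cascading that fail the rule."""
    return sorted(t for t, p in pages.items()
                  if p["cascade"] and not cascade_allowed(p["restrictions"]))


if __name__ == "__main__":
    print(cascading_sources(PAGES, "Template:Foo", enforce_rule=False))
    print(cascading_sources(PAGES, "Template:Foo"))
    print(ineffective_cascades(PAGES))
```
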
Comment 8 Rob Church 2007-03-15 17:03:20 UTC
(In reply to comment #5)
> And this was reported on Wikizine:

Some people have absolutely no sense of responsibility.
Comment 9 Walter Vermeir 2007-03-19 11:20:53 UTC
This is not a matter of irresponsibility but of informing the users. The possibility 
of abuse by this function was limited. For sysops to know how to solve problems they 
need to know how things work so you know for what to look to solve a problem.