https://bugzilla.wikimedia.org/show_bug.cgi?id=19161
--- Comment #5 from Splarka <[email protected]> 2009-06-11 22:31:46 UTC ---

(In reply to comment #4)
> From a purely philosophical position, database changes (such as account
> creation) resulting from a HTTP GET seem to go against the spirit of RFC 1945,
> where the POST method was specifically created for such purposes.

Malicious remote websites could still force visitors to POST to Wikimedia. A
simple <form> with someformelement.click() would do nicely.

Also, bug 19006 can be a similar scenario perpetrated locally. E.g.:
http://www.mediawiki.org/wiki/Special:ExpandTemplates?input=%5Bhttp%3A%2F%2Fsome.dirty.website%2F%3Fuser%3D%7B%7Burlencode%3A%7B%7BREVISIONUSER%7D%7D%7D%7D+some+citation%5D
