https://bugzilla.wikimedia.org/show_bug.cgi?id=20292


Brion Vibber <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]




--- Comment #4 from Brion Vibber <[email protected]>  2009-08-19 06:15:20 UTC ---
http://www.organicdesign.co.nz/Extension:FormMailer.php

$wgExtensionFunctions[] = 'wfSetupFormMailer';

This appears to be the actual form processing function, with several *huge*
problems:
* there's no check that the form was POSTed, so you can be spammed by an <img>
* there's no particular location to which the form needs to be posted
* there's no protection against cross-site requests, much less form submissions

This needs to be redone using a clear entry point such as a Special page, with
a check for POSTing. Preferably include an edittoken check to protect against
cross-site form submissions.


$_SERVER['REMOTE_ADDR']

This will always show one of our proxies. Needs to use wfGetIP()


foreach ( $wgRequest->getValues() as $k => $v ) if ( !in_array( $k, $wgFormMailerDontSend ) ) {

Looks like it really should just stick to things with the form prefix and not
touch anything else... all sorts of misc vars might turn up in your form that
don't belong in there.


$wgSiteNotice .= "<div class='usermessage'>".($err ? $err : $message)."</div>";

This is utterly broken. :) The sitenotice is definitely the wrong place to put
success/error output.


More generally, it lacks any way to specify multiple different forms, as well
as not using the localization framework for its UI messages.


_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
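The following is an added example of the redesign the comment asks for (a Special page entry point, POST and edit-token checks, prefix-filtered fields, wfGetIP() for the client address, results reported in the page's own output rather than $wgSiteNotice, and UI strings through the localization framework). It is not the FormMailer extension's code and not part of the original bug report. It is written against the 2009-era MediaWiki global-object API the comment refers to ($wgRequest, $wgUser, $wgOut, wfGetIP(), wfMsg(), UserMailer::send()); the configuration globals $wgFormMailerTo and $wgFormMailerPrefix, the formmailer-* message keys and the fm_ field prefix are assumptions chosen for the example.

```php
<?php
// Added example, not the FormMailer extension's own code.
// Assumed names: $wgFormMailerTo, $wgFormMailerPrefix, the formmailer-* message
// keys (which would live in an i18n file registered via $wgExtensionMessagesFiles).
// API usage follows MediaWiki 1.15-era conventions.

$wgExtensionCredits['specialpage'][] = array(
    'name'        => 'FormMailer',
    'description' => 'Mails the contents of a wiki form to a fixed address',
);

// Hypothetical settings that LocalSettings.php would override.
$wgFormMailerTo     = 'webmaster@example.org'; // recipient address
$wgFormMailerPrefix = 'fm_';                   // only fields with this prefix are mailed

$wgSpecialPages['FormMailer'] = 'SpecialFormMailer';

class SpecialFormMailer extends SpecialPage {

    public function __construct() {
        parent::__construct( 'FormMailer' );
    }

    /**
     * Single, well-defined entry point: Special:FormMailer.
     * The form on the wiki page must POST here and carry a hidden
     * wpEditToken field filled from $wgUser->editToken().
     */
    public function execute( $par ) {
        global $wgRequest, $wgUser, $wgOut;

        $this->setHeaders();

        // 1. Refuse anything that is not a POST. An <img src="..."> or a plain
        //    link can only produce a GET, so this alone stops the img-spam case.
        if ( !$wgRequest->wasPosted() ) {
            $wgOut->addWikiText( wfMsg( 'formmailer-not-posted' ) );
            return;
        }

        // 2. Cross-site request forgery check: the edit token is bound to the
        //    session, so a form hosted on another origin cannot supply a valid one.
        if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'wpEditToken' ) ) ) {
            $wgOut->addWikiText( wfMsg( 'formmailer-bad-token' ) );
            return;
        }

        $fields = self::collectFormFields( $wgRequest->getValues() );
        if ( !$fields ) {
            $wgOut->addWikiText( wfMsg( 'formmailer-empty' ) );
            return;
        }

        // 3. Report the outcome in this page's own output, not in $wgSiteNotice,
        //    which is rendered for every visitor on every page.
        $err = self::sendMail( $fields, $wgUser );
        $wgOut->addWikiText( $err === true
            ? wfMsg( 'formmailer-sent' )
            : wfMsg( 'formmailer-error', $err ) );
    }

    /**
     * Keep only the fields that belong to the form, by prefix. wpEditToken,
     * title, action and whatever else rides along in the request are dropped,
     * instead of relying on a deny-list like $wgFormMailerDontSend.
     */
    public static function collectFormFields( array $values ) {
        global $wgFormMailerPrefix;
        $fields = array();
        $len = strlen( $wgFormMailerPrefix );
        foreach ( $values as $k => $v ) {
            if ( strncmp( $k, $wgFormMailerPrefix, $len ) === 0 ) {
                $fields[ substr( $k, $len ) ] = $v;
            }
        }
        return $fields;
    }

    private static function sendMail( array $fields, User $user ) {
        global $wgFormMailerTo, $wgPasswordSender;

        $body = '';
        foreach ( $fields as $k => $v ) {
            $body .= "$k: $v\n";
        }
        // 4. wfGetIP() honours the configured reverse proxies ($wgSquidServers and
        //    X-Forwarded-For), so it yields the client address rather than the proxy
        //    that $_SERVER['REMOTE_ADDR'] would always report.
        $body .= "\nSubmitted by " . $user->getName() . ' from ' . wfGetIP() . "\n";

        $to     = new MailAddress( $wgFormMailerTo );
        $from   = new MailAddress( $wgPasswordSender );
        $result = UserMailer::send( $to, $from, wfMsg( 'formmailer-subject' ), $body );
        // UserMailer::send() returns true on success or a WikiError on failure.
        return $result === true ? true : $result->getMessage();
    }
}
```

The form itself has to be emitted by the extension (for instance from a parser tag) so that it can include the `wpEditToken` hidden field with the current user's token and point its `action` at Special:FormMailer; a static form pasted into a wiki page cannot carry a valid token. Note that for anonymous users the token is session-bound only, so sessions must be enabled for the check to be meaningful.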