Web browser: ---
            Bug ID: 59921
           Summary: Enabling Flickr upload shares Flickr API key with the
           Product: MediaWiki extensions
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: UploadWizard
    Classification: Unclassified
   Mobile Platform: ---

Right now if Flickr upload is set, the Flickr API key is just sent to the
browser every time UploadWizard is loaded. This key allows full read/write
access to the Flickr user who owns it and probably can be used to do nasty

It is probably possible to send an OAuth token instead [1], which would be
limited to whatever operations are actually needed by UploadWizard.

Alternatively, we could just proxy all requests through the server, which is
slower but also has privacy advantages.

(Or we could just decide that we do not care, which seems to be the status

The key is also available through the public configuration [2], so if this gets
fixed, that should be changed too.
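
The server-side proxy option mentioned above, as an added sketch (not part of the bug report and not UploadWizard code): the browser sends only a method name and photo parameters, and the server attaches the key. The method and parameter allowlists and the injected `fetch` callable are assumptions made for illustration.

```python
from urllib.parse import urlencode

FLICKR_REST = "https://api.flickr.com/services/rest/"

# Assumption: read-only Flickr methods the upload UI needs; not taken from UploadWizard.
ALLOWED_METHODS = {"flickr.photos.getInfo", "flickr.photos.getSizes",
                   "flickr.photosets.getPhotos"}
# Assumption: per-request parameters the browser may supply.
ALLOWED_PARAMS = {"method", "photo_id", "photoset_id", "page", "per_page"}


class ProxyRejected(ValueError):
    """Raised when a browser request falls outside the proxy's allowlist."""


def build_upstream_url(client_params, server_api_key):
    """Build the Flickr request from untrusted browser parameters.

    Only allowlisted methods and parameters pass through; any api_key or
    token the client sent is dropped and the server-held key is attached.
    """
    method = client_params.get("method")
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        raise ProxyRejected(f"method not allowed: {method!r}")
    forwarded = {k: str(v) for k, v in client_params.items() if k in ALLOWED_PARAMS}
    forwarded.update(api_key=server_api_key, format="json", nojsoncallback="1")
    return FLICKR_REST + "?" + urlencode(sorted(forwarded.items()))


def handle(client_params, server_api_key, fetch):
    """Proxy one request; `fetch` is a hypothetical callable(url) -> str body."""
    body = fetch(build_upstream_url(client_params, server_api_key))
    # Defensive check: never relay a response that echoes the key.
    if server_api_key in body:
        raise ProxyRejected("upstream response contained the API key")
    return body


if __name__ == "__main__":
    # Constructed sample request; the key value is a placeholder.
    sample = {"method": "flickr.photos.getInfo", "photo_id": "123", "api_key": "x"}
    print(build_upstream_url(sample, "SERVER_SIDE_KEY_PLACEHOLDER"))
```
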


Wikibugs-l mailing list