https://bugzilla.wikimedia.org/show_bug.cgi?id=60178
--- Comment #10 from MZMcBride <b...@mzmcbride.com> --- (In reply to comment 7) > 2) "A few people have noted that quite recently (within the past few weeks, I > suppose) Flow didn't support user blocks and other anti-abuse features." > > Flow is currently integrated with both AbuseFilter and spam blacklist and > fully supports registered and unregistered user blocks. There was a bug in > early January which caused IP blocks to not work, but we fixed it as soon as > we spotted it. Looking at bug 60218, it seems that it was possible within the past two days to use Flow as a major attack vector, including the capability to edit any page in the MediaWiki namespace of a wiki. This was an immediate security issue discovered only a couple of days ago. The fact that Flow was capable of bypassing MediaWiki's layered security seems to indicate larger fundamental architecture issues with how Flow is being implemented. MediaWiki already has a series of robust APIs that prevent, for example, edits going through without checking user permissions or spam blacklists or the AbuseFilter or page protection or global blocks or range blocks or .... Given that serious security issues continue to be discovered in Flow, it's very difficult for me to see how Flow could be ready for a huge, indisputably production wiki (enwiki). -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
