--- Comment #10 from MZMcBride <b...@mzmcbride.com> ---
(In reply to comment 7)
> 2) "A few people have noted that quite recently (within the past few weeks, I
> suppose) Flow didn't support user blocks and other anti-abuse features."
> Flow is currently integrated with both AbuseFilter and spam blacklist and
> fully supports registered and unregistered user blocks. There was a bug in
> early January which caused IP blocks to not work, but we fixed it as soon as
> we spotted it.
Looking at bug 60218, it seems that it was possible within the past two days to
use Flow as a major attack vector, including the capability to edit any page in
the MediaWiki namespace of a wiki. This was an immediate security issue
discovered only a couple of days ago.

The fact that Flow was capable of bypassing MediaWiki's layered security seems
to indicate larger fundamental architecture issues with how Flow is being
implemented. MediaWiki already has a series of robust APIs that prevent, for
example, edits going through without checking user permissions or spam
blacklists or the AbuseFilter or page protection or global blocks or range
blocks or ....

Given that serious security issues continue to be discovered in Flow, it's very
difficult for me to see how Flow could be ready for a huge, indisputably
production wiki (enwiki).