https://bugzilla.wikimedia.org/show_bug.cgi?id=53008
--- Comment #58 from Alex Monk <[email protected]> ---

It sounds to me like this issue is inherent in the design of the autoblock system, so I doubt there's any simple solution.

Rich Farmbrough:

* Why have you made a meta.wikimedia.org page to advocate a MediaWiki change?!
* I noticed you made a comment there about translatewiki editors and admins. There are many places translatewiki editors can currently cause security issues, e.g. via bug 43646 but also presumably via many other messages.
* Admins can do that and even worse - e.g. they are (somewhat stupidly) allowed to set JavaScript code run by other users. They could simply add all kinds of tracking code (which has happened) or otherwise malicious code (as a scary example, since highly privileged users typically run admin-set JS anyway, the suppression system and restrictions around CU/userrights might as well not exist) if they wanted. This is a very widely known and very obvious issue.
* You realise that simply removing parameters from the message (your proposed code for which has a pattern of syntax errors, and even removes the name of the message to be used, which is required for the code to function) doesn't change the fact that knowing a block ID allows you to look up the rest of the information (obviously your own IP is available to the blocked users - i.e. the intended blockee and everyone else on the same IP - anyway)?
