https://bugzilla.wikimedia.org/show_bug.cgi?id=29135

--- Comment #16 from Happy-melon <happy.melon.w...@gmail.com> 2011-06-09 14:50:01 UTC ---
(In reply to comment #13)
> (In reply to comment #12)
> > In ordinary vanilla MediaWiki, a non-sysop User X cannot be *prevented* from
> > triggering password reset for User Y, because User X can simply log out and
> > become Nobody.  Therefore there is no point in restricting access to
> > Special:PasswordReset from logged-in users.  
> > 
> Agreed, as I already said this in the introduction.

Good.

> > What you are describing is a special situation generated by the use of the
> > OpenID extension.  
> 
> Yes and no. Go to a standard wiki and to Special:PasswordReset and you can
> trigger PasswordReset of Tim or Brion or Jimbo. This is unwanted.

This is precisely contrary to what you just said.  A logged-in user triggering
an unwanted password reset is better than an anon triggering it because, as you
say, there is better logging.  

> the only meaningful action is: X may only trigger PasswordReset for X.

This is not meaningful in a standard MW install; if User X goes to trigger
PasswordReset, then User X must have previously logged in as User X, so knows
his password, so doesn't need to reset it.

> This hole is what I want to close.

You cannot "close" it because, as mentioned several times, anyone acting
maliciously can simply log out to reopen it.  In r86482 I introduced the option
for wikis to require an email address for password resets, which 'closes' the
vulnerability if wikis are concerned about it.  'Fixing' this for the sake of
fixing it is definitely a WONTFIX, IMO.  Adding hooks to allow extensions to
modify the behaviour, on the other hand, is entirely reasonable.
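A small model of the reset flow being argued about, added here as an illustration and not MediaWiki's code or anything posted by the commenters: an anonymous and a logged-in requester are equally able to trigger a reset for any account, the requester identity only changes what the log records, and a require-email option (the comment says r86482 added one; the flag name, accounts and addresses below are hypothetical) is what actually raises the bar.

```python
"""Hypothetical password-reset request handler (illustration only)."""
from dataclasses import dataclass, field

# Constructed sample accounts: username -> registered email address.
USERS = {"Tim": "tim@example.org", "Brion": "brion@example.org"}


@dataclass
class ResetOutcome:
    mail_sent: bool                           # would a reset mail go out?
    log: list = field(default_factory=list)   # audit trail entries


def request_reset(target, requester=None, email=None, require_email=False):
    """Handle one reset request.

    target        account whose password reset is requested
    requester     username of the logged-in requester, None for anonymous
    email         address typed into the form (only checked if require_email)
    require_email hypothetical flag: dispatch only if `email` matches the
                  address on file, so the requester must know more than a name
    """
    out = ResetOutcome(mail_sent=False)
    who = requester if requester is not None else "anonymous"
    # Every attempt is logged with the requester identity; a logged-in
    # requester therefore leaves a more useful trail than an anon.
    out.log.append(f"reset requested for {target!r} by {who}")
    on_file = USERS.get(target)
    if on_file is None:
        # Unknown account: same outcome shape as a rejected request, so the
        # response does not reveal which usernames exist.
        return out
    if require_email and email != on_file:
        out.log.append("rejected: supplied email does not match account")
        return out
    out.mail_sent = True
    return out
```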
