https://bugzilla.wikimedia.org/show_bug.cgi?id=30192
Saibo <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #4 from Saibo <[email protected]> 2011-08-03 22:07:17 UTC ---
A test case:
http://de.wikipedia.org/wiki/Datei:Logo_African_Pygmy_Goat.png

I uploaded a new image ("test copyvio") over this file.
After reverting, the second (copyvio) version had the thumb URL:
http://upload.wikimedia.org/wikipedia/de/thumb/archive/5/51/20110803213020!Logo_African_Pygmy_Goat.png/120px-Logo_African_Pygmy_Goat.png

I also accessed this thumb:
http://upload.wikimedia.org/wikipedia/de/thumb/archive/5/51/20110803213020!Logo_African_Pygmy_Goat.png/126px-Logo_African_Pygmy_Goat.png

------

Then I did a revision delete (hide) of the file contents of the second version:

Both above-mentioned thumb URLs still work. → Bug.

Thumb URLs which were not accessed while the file version was visible do not work (example:
http://upload.wikimedia.org/wikipedia/de/thumb/archive/5/51/20110803213020!Logo_African_Pygmy_Goat.png/131px-Logo_African_Pygmy_Goat.png )

Even if I delete the file completely (I did temporarily) the archive thumbs still keep working. → Bug.
Only the current version's thumbs do not work.

However, in order to assess the severity of this bug:
An "attacker" needs to know how MediaWiki's thumb URLs for archive versions are constructed (those parts: archive, 20110803213020!) since the thumb URL is no longer on the file's page (also not in the file page's source code). And he needs to know the timestamp (easy to find out in the log or the file page's HTML source).
And even if a nerd did construct the correct thumb URL he can only access the thumbs which were generated before deletion. Typically this is only the 120px version which is tinytinytiny.

Conclusion:
* Speaking of copyvios this bug is not important.
* Speaking of hard privacy violations this bug is important - I do not know how to get rid of the old thumbs. Maybe a server admin would need to delete them manually if an important privacy violation happened. However - this would only matter if the privacy violation is in a non-current file version. Well, this easily happens if a vandal overwrites a file (preferably a file which is in high use) with a picture of his ex-girlfriend (or whatever). If the file is reverted then it is the non-current version.
* All in all (due to the privacy problem) I think this is a bad bug which really should be fixed.
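For the manual cleanup the comment mentions, a server admin first needs the list of already-rendered thumbnails that belong to a hidden archive version. The following is an added example, not part of the bug report or of MediaWiki's code; it assumes the thumbnail cache can be listed with the same relative paths that appear in the URLs above, and `stale_archive_thumbs` and the sample listing are hypothetical.

```python
import re

# Path shape taken from the thumb URLs quoted in the comment:
#   thumb/archive/<h>/<hh>/<timestamp>!<name>/<width>px-<name>
ARCHIVE_THUMB = re.compile(
    r"^thumb/archive/[0-9a-f]/[0-9a-f]{2}/"
    r"(?P<ts>\d{14})!(?P<name>[^/]+)/(?P<width>\d+)px-(?P=name)$"
)


def stale_archive_thumbs(cached_paths, hidden_versions):
    """Return cached thumbnail paths that render a hidden archive version.

    cached_paths    -- paths relative to the upload root (assumed layout)
    hidden_versions -- set of (timestamp, file name) pairs that were hidden
    """
    hits = []
    for path in cached_paths:
        m = ARCHIVE_THUMB.match(path)
        # Only archive thumbs of a hidden version count; thumbs of the
        # current version and the archived originals are left alone.
        if m and (m["ts"], m["name"]) in hidden_versions:
            hits.append((int(m["width"]), path))
    return [path for _, path in sorted(hits)]


# Constructed cache listing modelled on the test case in the comment.
NAME = "Logo_African_Pygmy_Goat.png"
CACHED = [
    f"thumb/archive/5/51/20110803213020!{NAME}/126px-{NAME}",
    f"thumb/archive/5/51/20110803213020!{NAME}/120px-{NAME}",
    f"thumb/archive/5/51/20100101000000!{NAME}/120px-{NAME}",  # constructed older version
    f"thumb/5/51/{NAME}/120px-{NAME}",                         # current version
    f"archive/5/51/20110803213020!{NAME}",                     # archived original, not a thumb
]
HIDDEN = {("20110803213020", NAME)}

if __name__ == "__main__":
    for stale in stale_archive_thumbs(CACHED, HIDDEN):
        print(stale)
```

The returned paths are the ones to remove from the thumbnail store (and from any front-end cache) after a version is hidden.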
