User "Hashar" posted a comment on MediaWiki.r104505.

Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/104505#c26668

Commit summary:

* (bug 32276) Skins were generating output using the internal page title which would allow anonymous users to determine whether a page exists, potentially leaking private data. In fact, the curid and oldid request parameters would allow page titles to be enumerated even when they are not guessable.
* (bug 32616) action=ajax requests were dispatched to the relevant internal functions without any read permission checks being done. This could lead to data leakage on private wikis.

Comment:

Part of this patch was originally made by IAlex and reviewed/amended by Tim Starling and myself.

_______________________________________________
MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
