On 19 Feb 2012, at 00:16, Platonides wrote:

>>> In the patch provided, it would also happily show under some
>>> circumstances the username associated to an email (not a problem for the
>>> internal wiki of a company, where everybody knows each other's mail, an
>>> issue for public wikis out there).
>>
>> That is the reason why I was asking this mailing list. But, as I said in a
>> previous and detailed answer to Bergi,
>> the patch is very short (a single "if") and thus consequences are not
>> tremendous.
>
> Go to Special:Contributions and enter the email of an existing user.
> I think it may show the user contributions.

Thank you for your comments and advice. I am looking for such tests because preserving the secret of an e-mail is crucial for Wikipedia and any Wiki too.

And here are the results of your test:

(1) If you apply the proposed patch to a standard wiki, you can log in with your e-mail instead of your username. But being logged in as if you logged in with your username (thus forgetting any link to your e-mail), your contributions (on top right of any page) are listed according to your username;

(2) If you go to Special:Contributions and enter the username of a registered user like "John Fox", you get her contributions (nothing new) under that username: for example on our test wiki, currently in German only, here is the result:

    Von John Fox (Diskussion | Sperr-Logbuch | Hochgeladene Dateien | Logbücher | Benutzerrechteverwaltung)
    14:48, 10. Sep. 2010 (Unterschied | Versionen) Vorlage:OtherLanguages (aktuell
    14:09, 10. Sep. 2010 (Unterschied | Versionen) N MediaWiki:Sitesubtitle (Mehrsprachiges Demographisches Wörterbuch (zweite Ausgabe 1987)) (aktuell)

(3) If you go to Special:Contributions and enter the e-mail of that registered user (thus "[email protected]"), you CAN'T FIND any username with that e-mail and no contribution:

    Von [email protected] (Diskussion | Sperr-Logbuch | Hochgeladene Dateien | Logbücher | Benutzerrechteverwaltung)
    Es wurden keine Benutzerbeiträge mit diesen Kriterien gefunden.

In summary, and as I said because the proposed patch is very short with a single test, I am not sure to find a security hole. And at least your proposed (and thank you again for it) test failed.

Does any extension modify User.php? I am not sure because it can't be named an extension. Having to slightly modify the "core" of User.php and not an extension using the property of the User class is a kind of warranty (hoping).

Other tests and comments are welcome.

>
>> We made some tests on various wikis, and we haven't found yet any
>> circumstance where the username associated to an email is displayed:
>> - it can't happen when the authentication works;
>> - the only situation that I have found is when you are asking for a new
>> password: then the username associated with the email entered (in place of
>> the username) is displayed in the received email, but it is not a security
>> issue because you are the only person to read your email.
>

--
Nicolas Brouard

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
