On 19 Feb 2012 at 00:16, Platonides wrote:
>>> In the patch provided, it would also happily show under some
>>> circumstances the username associated with an email (not a problem for the
>>> internal wiki of a company, where everybody knows each other's mail, an
>>> issue for public wikis out there).
>> 
>> That is the reason why I was asking this mailing list. But, as I said in a 
>> previous and detailed answer to Bergi, 
>> the patch is very short (a single "if") and thus consequences are not 
>> tremendous.
> 
> Go to Special:Contributions and enter the email of an existing user.
> I think it may show the user contributions.

Thank you for your comments and advice. I am looking for such tests because 
preserving the secrecy of an e-mail address is crucial for Wikipedia and any wiki too.

And here are the results of your test:

(1) If you apply the proposed patch to a standard wiki, you can log in with 
your e-mail instead of your username. But being logged in as if you had logged in with 
your username (thus forgetting any link to your e-mail), your contributions (at the 
top right of any page) are listed according to your username;

(2) If you go to Special:Contributions and enter the username of a registered 
user like "John Fox", you get her contributions (nothing new) under that 
username: for example on our test wiki, currently in German only, here is the 
result:
  Von John Fox (Diskussion | Sperr-Logbuch | Hochgeladene Dateien | Logbücher | 
Benutzerrechteverwaltung)
  14:48, 10. Sep. 2010 (Unterschied | Versionen) Vorlage:OtherLanguages ‎ 
(aktuell
  14:09, 10. Sep. 2010 (Unterschied | Versionen) N MediaWiki:Sitesubtitle ‎ 
(Mehrsprachiges Demographisches Wörterbuch (zweite Ausgabe 1987)) (aktuell)

(3) If you go to Special:Contributions and enter the e-mail of that registered 
user (thus "[email protected]"), you CAN'T FIND any username with that e-mail and no 
contribution:
   Von [email protected] (Diskussion | Sperr-Logbuch | Hochgeladene Dateien | 
Logbücher | Benutzerrechteverwaltung)
   Es wurden keine Benutzerbeiträge mit diesen Kriterien gefunden.

In summary, and as I said, because the proposed patch is very short with a 
single test, I am not sure I will find a security hole. And at least your proposed 
(and thank you again for it) test failed.
Does any extension modify User.php? I am not sure, because it can't be named an 
extension. Having to slightly modify the "core" of User.php, and not an 
extension using the property of the User class, is a kind of guarantee (hopefully).

Other tests and comments are welcome.

> 
>> We made some tests on various wikis, and we haven't found yet any 
>> circumstance where the username associated to an email is displayed:
>> - it can't happen when the authentication works;
>> - the only situation that I have found is when you are asking for a new 
>> password: then the username associated with the email entered (in place of 
>> the username) is displayed in the received email, but it is not a security 
>> issue because you are the only person to read your email. 
> 

-- 
Nicolas Brouard

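The behaviour verified in tests (1) to (3) above, modelled in Python as an added example (this is not MediaWiki's User.php nor the proposed patch; the account data, salts and function names are constructed assumptions): the e-mail alias is resolved only on the authentication path, while the contributions lookup matches usernames only, so a public page cannot be used to map an e-mail to an account.

```python
"""Model of login-by-e-mail with the e-mail alias confined to authentication.
Added example; not MediaWiki code. All accounts and secrets are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    email: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(name: str, email: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, email, salt, _hash(password, salt))


# Constructed sample account (hypothetical credentials, not real data).
USERS = {"John Fox": _make_user("John Fox", "john@example.org", "correct horse")}


def resolve_login_identifier(identifier: str) -> Optional[User]:
    """The patch's single 'if': treat an e-mail as an alias for the username.
    Called ONLY from authenticate(); its result never reaches a public page."""
    user = USERS.get(identifier)
    if user is None and "@" in identifier:
        user = next((u for u in USERS.values() if u.email == identifier), None)
    return user


def authenticate(identifier: str, password: str) -> Optional[str]:
    """Return the username for the session, or None. Matches test (1):
    the session carries the username only, with no link back to the e-mail."""
    user = resolve_login_identifier(identifier)
    if user is None or not hmac.compare_digest(user.pw_hash, _hash(password, user.salt)):
        return None
    return user.name


def contributions_target(query: str) -> Optional[str]:
    """Special:Contributions-style lookup: usernames only, never e-mails.
    Resolving an e-mail here would let anyone learn the account behind it (test 3)."""
    return query if query in USERS else None
```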
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
