On Wed, 16 May 2012 19:46:26 -0700, Roan Kattouw <[email protected]>
wrote:
On Wed, May 16, 2012 at 7:32 PM, Terry Chay <[email protected]> wrote:
I thought http://www.mediawiki.org/wiki/Manual:Edit_token protects
against this as it is required for an edit:
http://www.mediawiki.org/wiki/API:Edit
Not if you can read the data using the Object/Array constructor hacks
you described. The potential for data leakage includes token leakage,
and once you get the API to leak a token you can create a hidden form
on the page that POSTs all the right data (including the token) to the
action=edit API and call .submit() on the form.
Roan
Actually I don't think the object constructor or getter hacks work.
jQuery('<script />', {src:
"https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Main%20Page&format=json"}).appendTo('head');
api.php:1 Uncaught SyntaxError: Unexpected token :
We don't wrap the JSON in ()'s (it would be invalid JSON). And as a result
the {} is in a statement scope instead of an expression scope. As a result
the JavaScript engine tries to parse this as a block of code rather than
an object. Naturally since "asdf": is not valid code the JavaScript engine
quickly fatals considering this a SyntaxError before it can evaluate
anything.
It only works for array because [] doesn't have the ambiguity that {} has.
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
