Ahh makes sense. The docs are a little confusing. I forgot that you can do action=tokens without CSRF protection.
On May 16, 2012, at 7:46 PM, Roan Kattouw wrote: > On Wed, May 16, 2012 at 7:32 PM, Terry Chay <[email protected]> wrote: >> I thought http://www.mediawiki.org/wiki/Manual:Edit_token protects against >> this as it is required for an edit: http://www.mediawiki.org/wiki/API:Edit >> > Not if you can read the data using the Object/Array constructor hacks > you described. The potential for data leakage includes token leakage, > and once you get the API to leak a token you can create a hidden form > on the page that POSTs all the right data (including the token) to the > action=edit API and call .submit() on the form. > > Roan > > _______________________________________________ > Wikitech-l mailing list > [email protected] > https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
