>>
>
> Not entirely. Unlike message "copyright", the message used on thumb.php
> ("badtitletext") is not a "raw html" message. It is meant to be parsed and
> displayed regularly. And always was. Except it was re-used for thumb.php,
> and forgotten to be parsed there. I won't go into details, but it's
> exploitable under the right circumstances.
>
> -- Krinkle

I don't disagree that it's a bug, but in order to exploit it, a user would have to:
* Convince a user to go to the rather obscure thumb.php page
* Already have the ability to add javascript to any page on the wiki

In which case, why wouldn't an evil malicious user just insert javascript
on the normal page everyone is looking at? That's both more effective,
and probably less noticeable. Thus I don't see how it exposes any new
security issues that aren't already present. Of course I may simply
just be missing the nature of the "circumstances" that you reference
in your comment.

--bawolff

P.S. Given there is now a fix released, I think it's important to be
able to have frank discussions about security issues. After all, the
best way to prevent future security issues is to make sure everyone
understands the past issues, so that people don't make the same
mistake again.

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
