Commonist, CommonsHelper fixed
I’ve put in a fix for uploader tools and bots that have been broken since the last update — these bot tools didn’t expect the upload form to change, so they don’t pass in new required fields such as the edit token which was added to the form in the latest update.
Since the edit token isn’t actually required for web uploads (it’s a protection against a class of attacks which, as it happens, can’t forge file uploads) I’ve relaxed the check. I’ve confirmed that it fixes Commonist and have a report that CommonsHelper is also fixed.
Most other bots and tools that were affected are probably also fixed; please test them and let us know if anything’s still broken!
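
For tool authors, an added example (not part of the original post and not MediaWiki's or any tool's own code): rather than hard-coding the list of upload fields, a client can read the upload form and echo back every hidden input it finds, so a newly added field such as the edit token is passed along automatically. The sample form is constructed, and the field names `wpEditToken`, `wpDestFile`, `wpUploadFile` and `wpHypotheticalNewField` are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample form; field names and values are illustrative assumptions.
SAMPLE_FORM = """
<form method="post" enctype="multipart/form-data" action="/wiki/Special:Upload">
  <input type="file" name="wpUploadFile">
  <input type="text" name="wpDestFile" value="">
  <input type="hidden" name="wpEditToken" value="CONSTRUCTED-TOKEN">
  <input type="hidden" name="wpHypotheticalNewField" value="1">
  <input type="submit" name="wpUpload" value="Upload file">
</form>
"""

class HiddenFieldCollector(HTMLParser):
    """Collect name/value pairs of hidden inputs inside the first <form>."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.done = False
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self.done:
            self.in_form = True
        elif tag == "input" and self.in_form:
            if (a.get("type") or "").lower() == "hidden" and a.get("name"):
                self.hidden[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            self.in_form = False
            self.done = True  # ignore any later forms on the page

def build_upload_fields(form_html, dest_name, required=()):
    """Return the non-file POST fields for an upload, echoing the form's hidden inputs."""
    parser = HiddenFieldCollector()
    parser.feed(form_html)
    fields = dict(parser.hidden)
    # Fail loudly if a field the tool relies on has vanished from the form.
    missing = [name for name in required if name not in fields]
    if missing:
        raise ValueError(f"upload form lacks expected fields: {missing}")
    fields["wpDestFile"] = dest_name
    return fields
```

The returned dictionary is what a tool would send alongside the file part of the multipart request.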

You can do CSRF uploads, you just have to get the user to try uploading the file on some site owned by the attacker. Not even that if you find a suitable security hole in the browser, like these (probably fixed by now, but there will be others):
http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
http://kuza55.blogspot.com/2008/02/csrf-ing-file-upload-fields.html
Of course WMF sites are not particularly attractive targets as you can’t upload executables or config files or anything else an attacker could really take advantage of.
True :)
So providing an API for file uploading is better. :)
yep :D