Package: python-moinmoin
Version: 1.9.8-1
Severity: important
Control: affects -1 + wiki.debian.org

The Debian wiki recently had a bunch of attachments accidentally
deleted because someone used a downloader program and it spidered all
the links, including the delete links. Luckily we have good backups and
I was able to restore the files. For wikis where anonymous users can
edit, this would mean that search engines could automatically delete
all attachments. MoinMoin should use delete buttons instead of links
and require POST requests for attachment deleting to prevent this. 

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (860, 
'testing-proposed-updates'), (850, 'buildd-testing-proposed-updates'), (800, 
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-moinmoin depends on:
ii  python                2.7.11-1
ii  python-parsedatetime  1.4-1
ii  python-passlib        1.6.5-4
ii  python-pygments       2.1+dfsg-1
ii  python-recaptcha      1.0.6-1
ii  python-werkzeug       0.10.4+dfsg1-1

Versions of packages python-moinmoin recommends:
ii  exim4-daemon-light [mail-transport-agent]  4.87~RC6-3
pn  fckeditor                                  <none>
pn  libapache2-mod-wsgi | httpd-cgi            <none>
ii  python-xapian                              1.2.22-2
pn  python-xappy                               <none>

Versions of packages python-moinmoin suggests:
ii  antiword                    0.37-11
pn  catdoc                      <none>
pn  cifs-utils                  <none>
ii  docbook-dsssl               1.79-9
ii  poppler-utils [xpdf-utils]  0.38.0-2
pn  python-4suite-xml           <none>
pn  python-docutils             <none>
pn  python-flup                 <none>
pn  python-gdchart              <none>
ii  python-ldap                 2.4.22-0.1
pn  python-mysqldb              <none>
pn  python-openid               <none>
pn  python-pyxmpp               <none>
ii  python-tz                   2015.7+dfsg-0.1
pn  python-xml                  <none>
ii  wamerican [wordlist]        7.1-1
ii  wbritish [wordlist]         7.1-1
ii  wspanish [wordlist]         1.0.27

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
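
The failure mode reported above, as an added example that is not MoinMoin's code and not part of the original report: a toy WSGI attachment page is crawled once with delete links served over GET and once with delete forms that require POST. The `action=del`/`target` parameter names, the file names and all function names are assumptions made up for the illustration.

```python
import io
import re
from urllib.parse import parse_qs

def make_app(attachments, require_post):
    """Toy WSGI attachment page (constructed; not MoinMoin's code)."""
    def app(environ, start_response):
        method = environ["REQUEST_METHOD"]
        if method == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            params = parse_qs(environ["wsgi.input"].read(size).decode())
        else:
            params = parse_qs(environ.get("QUERY_STRING", ""))
        if params.get("action") == ["del"]:
            if require_post and method != "POST":
                # State-changing action refused on a safe method.
                start_response("405 Method Not Allowed", [("Allow", "POST")])
                return [b"delete requires POST\n"]
            attachments.discard(params.get("target", [""])[0])
        rows = []
        for name in sorted(attachments):
            if require_post:  # button inside a form: nothing for a spider to follow
                rows.append('<form method="post"><input type="hidden" name="action" value="del">'
                            '<input type="hidden" name="target" value="%s">'
                            '<button>delete %s</button></form>' % (name, name))
            else:             # plain link: one GET deletes the file
                rows.append('<a href="?action=del&amp;target=%s">delete %s</a>' % (name, name))
        start_response("200 OK", [("Content-Type", "text/html")])
        return ["\n".join(rows).encode()]
    return app

def request(app, method, query="", body=b""):
    """Call the WSGI app in-process; returns (status line, body text)."""
    status = []
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    chunks = app(environ, lambda s, headers: status.append(s))
    return status[0], b"".join(chunks).decode()

def crawl(app):
    """A downloader or search-engine spider: GET the page, then GET every href."""
    _, html = request(app, "GET")
    for href in re.findall(r'href="\?([^"]+)"', html):
        request(app, "GET", href.replace("&amp;", "&"))

def surviving_after_crawl(require_post):
    files = {"a.pdf", "b.png"}  # constructed sample attachments
    crawl(make_app(files, require_post))
    return sorted(files)

if __name__ == "__main__":
    print("links + GET:", surviving_after_crawl(False))
    print("form + POST:", surviving_after_crawl(True))
```

Requiring POST keeps crawlers and link prefetchers from triggering the delete; it does not by itself stop a cross-site form submission, which needs a per-session token on the form as well.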

