https://bugzilla.wikimedia.org/show_bug.cgi?id=21320

           Summary: API: upload-by-url attempts remote fetch even when
                    upload-by-url is disabled
           Product: MediaWiki
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: API
        AssignedTo: roan.katt...@gmail.com
        ReportedBy: matthew.brit...@btinternet.com
                CC: bryan.tongm...@gmail.com, vasi...@gmail.com,
                    soxre...@gmail.com


On en.wikipedia, I made an API query with the following parameters:

action = upload
format = xml
filename = Test.jpg
token = [some token]
url = http://www.example.com/something.jpg

The upload failed with the following result:

<?xml version="1.0"?><api><error code="&amp;lt;Error sending request: #28
connect() timed out!&amp;gt;" info="fetchfileerror" /></api>

I repeated this with a local test wiki and got this:

<?xml version="1.0"?><api><error code="An HTTP error occured: HTTP/1.1 404 Not
Found" info="fetchfileerror" /></api>

and with a packet sniffer I see that indeed a "GET /something.jpg" HTTP request
was sent to www.example.com.

I then repeated this with url set to an image that actually exists,
http://www.google.com/intl/en_ALL/images/logo.gif - now my test wiki gives

<?xml version="1.0"?><api><upload upload_session_key="260384685" /></api>

which I think (the documentation is pretty much non-existent) is supposed to
mean the upload succeeded, but in fact no file was uploaded.

Problem: Both my local wiki and en.wikipedia have $wgAllowCopyUploads set to
false, and in neither case did the account I attempted this from have the
upload_by_url right. 

MediaWiki shouldn't be going anywhere near the remote server unless the user
has permission to upload by URL -- otherwise anyone with normal upload access
can spam API queries with 'url' set to some huge file, and make the server eat
its own bandwidth.
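The ordering problem the report describes, as an added illustration that is not MediaWiki's code: a constructed model of the API upload handler with a recording stand-in for the HTTP fetch, showing the reported behaviour (fetch before any permission check) beside the corrected order (site setting and user right checked before anything leaves the server). The error codes `copyuploaddisabled` and `permissiondenied` and the `Site` class are assumed for the model.

```python
# Added example (not MediaWiki code): models the check ordering so that no
# remote fetch happens unless copy uploads are enabled site-wide AND the
# caller holds the upload_by_url right.
from dataclasses import dataclass, field


@dataclass
class Site:
    allow_copy_uploads: bool                           # $wgAllowCopyUploads
    fetched_urls: list = field(default_factory=list)   # records outbound fetches

    def fetch(self, url):
        # Stand-in for the HTTP fetch; records the call so a test can see
        # whether the server ever contacted the remote host.
        self.fetched_urls.append(url)
        if url.endswith("/missing.jpg"):   # constructed "404" case
            return None
        return b"\xff\xd8\xff" + b"constructed-jpeg-bytes"


def api_upload_buggy(site, user_rights, params):
    """Order of checks as reported: fetch first, permissions never."""
    if "url" not in params:
        return {"error": {"code": "missingparam"}}
    data = site.fetch(params["url"])        # network side effect before any check
    if data is None:
        return {"error": {"code": "fetchfileerror"}}
    return {"upload": {"upload_session_key": "constructed-key"}}


def api_upload_fixed(site, user_rights, params):
    """Authorize before any network side effect (hypothetical error codes)."""
    if "url" not in params:
        return {"error": {"code": "missingparam"}}
    if not site.allow_copy_uploads:         # $wgAllowCopyUploads = false
        return {"error": {"code": "copyuploaddisabled"}}
    if "upload_by_url" not in user_rights:  # caller lacks the right
        return {"error": {"code": "permissiondenied"}}
    data = site.fetch(params["url"])        # only reached when authorized
    if data is None:
        return {"error": {"code": "fetchfileerror"}}
    return {"upload": {"upload_session_key": "constructed-key"}}
```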
