https://bugzilla.wikimedia.org/show_bug.cgi?id=17238

           Summary: GENDER-Parserfunction can be abused to fetch the gender
                    of a bunch of users
           Product: MediaWiki
           Version: unspecified
          Platform: All
               URL: http://de.wikipedia.org/w/api.php?action=expandtemplates&text={{GENDER:-jha-|w|m|?}}{{GENDER:1001|w|m|?}}{{GENDER:32X|w|m|?}}{{GENDER:AHZ|w|m|?}}{{GENDER:APPER|w|m|?}}{{GENDER:AT|w|m|?}}{{GENDER:Achates|w|m|?}}{{GENDER:Achim Raschka|w|m|?}}{{GENDER:Ahellwig|w|m|?}}{{GENDER:Aineias|w|m|?}}
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: Page rendering
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: wikipe...@christophmueller.org


Currently the GENDER parser function can be abused to crawl the gender:

This:

echo "http://de.wikipedia.org/w/api.php?action=expandtemplates&text=$(curl -s \
  "http://de.wikipedia.org/w/api.php?format=jsonfm&action=query&list=allusers&augroup=sysop" \
  | sed 's/"name": "/{{GENDER:/g' | sed 's/"/|w|m|?}}/g' \
  | grep -o '{{GENDER:[^}]*|w|m|?}}' | tr -d '\n\t')"

generates a URI for the API that reads out the gender of some German admins.

I think it would be an easy fix to change the behaviour of the template to
return only the gender of the current user instead of that of any other user.
This would also allow leaving gender-specific notes on a user talk page, since
the gendered text would be generated at viewing time, but it would close this
privacy hole.


-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

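A Python model of the issue and of the fix proposed in this report (added here, not MediaWiki code; the user names and stored preferences are constructed): the reported lookup, which resolves the preference of any named account, next to the restricted variant that resolves only the viewing user, plus a per-request count of probed accounts as a server-side signal.

```python
import re

# Added model, not MediaWiki's code: {{GENDER:user|male|female|neutral}}
# as it behaves in the report, next to the restriction the reporter proposes.

# Constructed sample preferences; a real wiki reads these from user options.
USER_GENDER = {"Alice": "female", "Bob": "male"}

GENDER_RE = re.compile(
    r"\{\{GENDER:([^|{}]*)\|([^|{}]*)\|([^|{}]*)\|([^|{}]*)\}\}"
)


def select_form(gender, male, female, neutral):
    """Pick the form matching a stored preference, neutral if none is set."""
    return {"male": male, "female": female}.get(gender, neutral)


def expand_unrestricted(text, viewer):
    """Behaviour described in the report: the preference of any named
    account is resolved, so one request can probe many users."""
    def repl(m):
        user, male, female, neutral = m.groups()
        user = user or viewer          # empty name means the viewing user
        return select_form(USER_GENDER.get(user), male, female, neutral)
    return GENDER_RE.sub(repl, text)


def expand_restricted(text, viewer):
    """Proposed fix: only the viewer's own preference is resolved; a call
    naming any other account gets the neutral form and leaks nothing."""
    def repl(m):
        user, male, female, neutral = m.groups()
        if user not in ("", viewer):
            return neutral
        return select_form(USER_GENDER.get(viewer), male, female, neutral)
    return GENDER_RE.sub(repl, text)


def probed_users(text):
    """Distinct accounts named in GENDER calls of one request; a count well
    above one is a cheap server-side signal for the bulk lookup reported."""
    return {m.group(1) for m in GENDER_RE.finditer(text) if m.group(1)}


if __name__ == "__main__":
    wikitext = "{{GENDER:Alice|m|f|n}}{{GENDER:Bob|m|f|n}}{{GENDER:Carol|m|f|n}}"
    print(expand_unrestricted(wikitext, "Bob"))   # fmn
    print(expand_restricted(wikitext, "Bob"))     # nmn
    print(sorted(probed_users(wikitext)))         # ['Alice', 'Bob', 'Carol']
```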