Note for authors of upload bots. The just-released MediaWiki 1.17.3 and 1.18.2, as well as Wikimedia projects as of now, have changed to require the edit token for upload.
This had been done in 1.16, then backed out due to the disruption produced to bots, and the fact that it wasn't possible to generate a file upload with JavaScript. It is now possible to do with modern browsers, so the check has gone in again.
If your bot is not providing an edit token on upload, it will start failing.
Relevant piece of the announcement copied below:
-------- Original message --------
Subject: MediaWiki security and maintenance release
Date: Thu, 22 Mar 2012 19:37:32 -0000
From: Sam Reed reedy@wikimedia.org
To: mediawiki-announce@lists.wikimedia.org
CC: wikitech-l@lists.wikimedia.org, mediawiki-l@lists.wikimedia.org
Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF) vulnerability in Special:Upload. Modern browsers (since at least as early as December 2010) are able to post file uploads without user interaction, violating previous security assumptions within MediaWiki.
Depending on the wiki's configuration, this vulnerability could lead to further compromise, especially on private wikis where the set of allowed file types is broader than on public wikis. Note that CSRF allows compromise of a wiki from an external website even if the wiki is behind a firewall.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317
wikibots-l@lists.wikimedia.org
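A sketch of what an upload bot has to send once the token is required, added here as an example and not taken from the announcement or from MediaWiki itself. It reads the edit token from a parsed api.php response (both the `intoken=edit` form and the later `meta=tokens` form) and places it in the multipart `action=upload` body; the helper names, sample values and `server_accepts` (a simplified stand-in for the wiki's check) are assumptions.

```python
# Added example: helper names and sample values are constructed for illustration.
import hmac
import uuid

def extract_edit_token(api_response):
    """Return the edit (CSRF) token from a parsed api.php JSON response.

    Handles action=query&meta=tokens (newer releases) and
    action=query&prop=info&intoken=edit (the 1.17/1.18-era form).
    """
    query = api_response.get("query", {})
    token = query.get("tokens", {}).get("csrftoken")
    if token:
        return token
    for page in query.get("pages", {}).values():
        if "edittoken" in page:
            return page["edittoken"]
    raise ValueError("no edit token in API response")

def build_upload_body(filename, data, token, comment=""):
    """Return (content_type, body) for a multipart action=upload POST.

    The token ends in '+\\'. In multipart/form-data it is sent verbatim; in a
    urlencoded body the '+' would have to be percent-encoded or it is read as
    a space and the token check fails. Assumes a filename without quotes.
    """
    boundary = uuid.uuid4().hex
    fields = {"action": "upload", "format": "json", "filename": filename,
              "comment": comment, "token": token}
    head = "".join(
        '--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
        % (boundary, name, value) for name, value in fields.items())
    file_head = ('--%s\r\nContent-Disposition: form-data; name="file"; '
                 'filename="%s"\r\nContent-Type: application/octet-stream'
                 '\r\n\r\n' % (boundary, filename))
    tail = "\r\n--%s--\r\n" % boundary
    body = (head + file_head).encode("utf-8") + data + tail.encode("utf-8")
    return "multipart/form-data; boundary=" + boundary, body

def server_accepts(posted_fields, session_token):
    """Simplified stand-in for the wiki side: the posted token must match the
    one tied to the session. A cross-site form cannot read that value, so a
    forged upload arrives without it and is refused."""
    supplied = posted_fields.get("token", "")
    return hmac.compare_digest(supplied.encode(), session_token.encode())
```
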