Ahh makes sense. The docs are a little confusing. I forgot that you can do action=tokens without CSRF protection.
On May 16, 2012, at 7:46 PM, Roan Kattouw wrote:
On Wed, May 16, 2012 at 7:32 PM, Terry Chay tchay@wikimedia.org wrote:
I thought http://www.mediawiki.org/wiki/Manual:Edit_token protects against this as it is required for an edit: http://www.mediawiki.org/wiki/API:Edit
Not if you can read the data using the Object/Array constructor hacks you described. The potential for data leakage includes token leakage, and once you get the API to leak a token you can create a hidden form on the page that POSTs all the right data (including the token) to the action=edit API and call .submit() on the form.
Roan
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l