On 8/25/06, Warhog mediazilla@warhog.net wrote:
The problem could easily be solved. When we recommend the user to upload a text-file containing the information, we can also recommend which name that file should have. For example if user X wants to load a file from ftp://name:pw@example.org/~user/myfile.ogg mediawiki could automatically search for a file ftp://name:pw@example.org/~user/mediawiki_access_id.txt (or something like that). So the user cannot enter a specific GET-Target - thereby prohibiting the behaviour we fear.
Err, that would kill off every use of this feature for me. If I already had a file on a machine that I control, I would simply upload it like normal. The point (I thought) was to avoid having to transfer a file to a machine that you control before uploading it.
It seems that:
* there are no real security issues with allowing arbitrary GETs to arbitrary sites (if throttled and restricted to some reasonable number of GETs per hour, like maybe 10-60).
* since it could make it even easier to upload copyrighted content, it should be a privilege that can be revoked from people
* it is fairly easy to implement
Therefore: Let's do it. (someone?) :)
Steve
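
The two controls discussed in this thread, sketched in Python as an added example that is not code from MediaWiki or from either poster: deriving the fixed-name proof file URL from the URL the user supplied, and a per-user hourly GET throttle with a revocable privilege. The accepted scheme list, the function and class names, and the injectable clock are assumptions made for illustration.

```python
import posixpath
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit, urlunsplit

PROOF_NAME = "mediawiki_access_id.txt"      # file name suggested in the thread
ALLOWED_SCHEMES = {"http", "https", "ftp"}  # assumption: schemes the wiki accepts


def proof_url(target: str) -> str:
    """Return the fixed-name proof file URL in the same directory as target."""
    parts = urlsplit(target)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("unsupported or malformed URL")
    if parts.query or parts.fragment:
        raise ValueError("query strings and fragments are not accepted")
    # Keep scheme, credentials and host; replace only the last path segment,
    # so the requester never chooses the name of the file fetched first.
    directory = posixpath.dirname(parts.path) or "/"
    path = posixpath.join(directory, PROOF_NAME)
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


class FetchThrottle:
    """Sliding one-hour window of server-side GETs per user, with revocation."""

    def __init__(self, max_per_hour: int = 10, clock=time.monotonic):
        self.max_per_hour = max_per_hour
        self.clock = clock                  # injectable so tests can set time
        self.history = defaultdict(deque)   # user -> timestamps of recent GETs
        self.revoked = set()

    def revoke(self, user: str) -> None:
        self.revoked.add(user)

    def allow(self, user: str) -> bool:
        if user in self.revoked:
            return False
        now = self.clock()
        recent = self.history[user]
        while recent and now - recent[0] >= 3600:
            recent.popleft()                # forget GETs older than one hour
        if len(recent) >= self.max_per_hour:
            return False
        recent.append(now)
        return True
```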