On 8/25/06, Warhog <mediazilla(a)warhog.net> wrote:
The problem could easily be solved. When we recommend
the user to upload a
text-file containing the information, we can also recommend which name that
file should have. For example if user X wants to load a file from
ftp://name:pw@example.org/~user/myfile.ogg mediawiki could automatically
search for a file ftp://name:pw@example.org/~user/mediawiki_access_id.txt (or
something like that). So the user cannot enter a specific GET-Target -
thereby prohibiting the behaviour we fear.
Err, that would kill off every use of this feature for me. If I
already had a file on a machine that I control, I would simply upload
it like normal. The point (I thought) was to avoid having to transfer
a file to a machine that you control before uploading it.
It seems that:
* there are no real security issues with allowing arbitrary GETs to
arbitrary sites (if throttled and restricted to some reasonable number
of GETs per hour, like maybe 10-60).
* since it could make it even easier to upload copyrighted content, it
should be a privelege that can be revoked from people
* it is fairly easy to implement
Therefore: Let's do it. (someone?) :)
Steve