Hi all,
a minor security bug [1] has been fixed in the OAuth extension:

* a connected application could use the /identify endpoint to learn the username of a user even if the application has been disabled.
* a connected application could use the /identify endpoint to learn the username of a user even if the user was locked or blocked from login (this could be problematic when OAuth is used for authentication, such as with the OAuthAuthentication [2] extension).

The fix has been backported to all supported versions (those for MediaWiki 1.23, 1.26 and 1.27).
Gergő https://www.mediawiki.org/wiki/User:Tgr_(WMF)
[1] https://phabricator.wikimedia.org/T148600
[2] https://www.mediawiki.org/wiki/Extension:OAuthAuthentication