[Toolserver-l] Breaking change to the MediaWiki API login action

Ilmari Karonen nospam at vyznev.net
Wed Apr 7 06:41:14 UTC 2010


Tim Starling just announced a fix to a recently noticed security flaw in 
MediaWiki on wikitech-l.  This fix involves a non-backwards-compatible 
change to the MediaWiki API login action.

Details here: https://bugzilla.wikimedia.org/show_bug.cgi?id=23076

While this does not _directly_ affect the toolserver, a large number of 
bots running here will be affected.  As the fix is already live on 
Wikimedia sites, any bot that has not been updated will be unable to log 
in using the API.  (Some old bots logging in via Special:Userlogin may 
also be affected, depending on how they construct the login request.)

The necessary fix is not particularly complex.  I only had to add one 
extra line of Perl code to my own bot to make it work again:

http://commons.wikimedia.org/w/index.php?diff=37368315&oldid=36496675

I expect that most commonly used bot frameworks will soon be updated to 
be compatible with the new login syntax.  In the meantime, operators of 
long-running bots may wish to avoid logging them out until they've been 
fixed so that they can log back in.

-- 
Ilmari Karonen


