On 30/04/06, Brion Vibber <brion(a)pobox.com> wrote:
robchurch(a)svn.leuksman.com wrote:
Revision: 13955
[snip]
- $wgUser = $u;
- $wgUser->setCookies();
[snip]
+ # Call hooks
wfRunHooks( 'AddNewAccount', array( $u ) );
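Review bot: The retained call wfRunHooks( 'AddNewAccount', array( $u ) ) now runs with no visible assignment of $wgUser before it, because the lines "$wgUser = $u;" and "$wgUser->setCookies();" are removed above. Any handler that reads the global $wgUser instead of the $u it is passed will act as the still-anonymous session, which MediaWiki identifies by IP address. Either keep the assignment ahead of the hook call or defer the hook until $wgUser has been set. The "# Call hooks" comment should also state that ordering requirement, so the call is not moved ahead of the assignment again.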

Calling the hook here, now before $wgUser is set, caused a privacy leak for a
few minutes. IP addresses of people registering new accounts were broadcast on
Recent Changes and the IRC feeds until the change was reverted.

I've removed the offending entries from the recentchanges tables.

Well, "oh fuck" seems like a good first response. Closely followed by,
"I've fixed this again in r13971, holding back on calling hooks until
an appropriate time. Testing with Newuserlog (which I suspect is the
reason all hell broke loose) shows it now works as expected."

On a more serious note, clearly this is a more direct cockup than I've
made so far, so I'll apologise profusely for it. If someone could
double and triple check that commit before taking it live, I'd be
extremely grateful.

Rob Church