Timwi wrote:
[someone else wrote:]
... you get the picture. There is literally *no* *security* *reason* *at all* for MediaWiki to not send arbitrary GET requests. Period.
OK, here's one scenario. This feature could be used for denial-of-service attacks against other sites, by using Wikipedia's high-bandwidth server farm as a download bandwidth amplifier: an attacker could simply set many downloads going at once to one server, at the cost of trivial bandwidth overhead to set up each connection.
-- N
Okay then, go ahead and introduce the feature :-)
Wikitech-l mailing list Wikitech-l@wikimedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l