Last modified: 2012-02-02 15:06:52 UTC
The ApiRevisionUpdate module in CodeReview does not have any CSRF protection. The code says:

/**
 * Variation of CodeRevisionCommiter for use in the API. Removes the post and token checking from validPost
 * API can/will do the POST checking (and token?)
 */

No, it does not do token checking. ApiBase::needsToken() and ApiBase::getTokenSalt() must be overridden, which they aren't.
Adding developer to CC list.
Note that the client code from r95435 will need to be updated, adding Hashar to the CC list for that.
Appears to be reverted.
r95435 was reverted, but the original code Tim mentioned the issue with is still there.
r110573
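Added illustration of the report at the top of this page (not CodeReview or MediaWiki code, and not written by anyone in this thread): a simplified stand-alone PHP model of an API dispatcher that enforces a token only for modules that override needsToken() and getTokenSalt(), so a state-changing module that inherits the defaults runs without one. The class names, the dispatch() and modelToken() helpers, the HMAC-SHA256 token scheme and the sample request are assumptions made for this example.

```php
<?php
// Simplified model, not MediaWiki source. All class and function names are hypothetical.

abstract class ModelApiBase {
    // Opt-in design: a module gets no token check unless it overrides these.
    public function needsToken() { return false; }
    public function getTokenSalt() { return false; }
    abstract public function execute( array $params );
}

// Before: state-changing module that inherits the defaults.
class UnprotectedRevisionUpdate extends ModelApiBase {
    public function execute( array $params ) {
        return "status of {$params['rev']} set to {$params['status']}";
    }
}

// After: the same module, opting in to the token check.
class ProtectedRevisionUpdate extends UnprotectedRevisionUpdate {
    public function needsToken() { return true; }
    public function getTokenSalt() { return ''; }
}

// Token bound to the session secret and the module salt.
// HMAC-SHA256 is this example's choice, not a claim about MediaWiki's scheme.
function modelToken( $sessionSecret, $salt ) {
    return hash_hmac( 'sha256', (string)$salt, $sessionSecret );
}

// Dispatcher: verifies the token only when the module declares it needs one.
function dispatch( ModelApiBase $module, array $params, $sessionSecret ) {
    if ( $module->needsToken() ) {
        $expected = modelToken( $sessionSecret, $module->getTokenSalt() );
        $given = isset( $params['token'] ) ? (string)$params['token'] : '';
        if ( !hash_equals( $expected, $given ) ) {
            return 'rejected: missing or bad token';
        }
    }
    return $module->execute( $params );
}

// Constructed sample data: a session secret and a request carrying no token field.
$secret = 'constructed-session-secret';
$noToken = array( 'rev' => 'r1', 'status' => 'ok' );
$withToken = $noToken + array( 'token' => modelToken( $secret, '' ) );

echo dispatch( new UnprotectedRevisionUpdate(), $noToken, $secret ), "\n";
echo dispatch( new ProtectedRevisionUpdate(), $noToken, $secret ), "\n";
echo dispatch( new ProtectedRevisionUpdate(), $withToken, $secret ), "\n";
```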