
If a user does not have cookies enabled, they need to be told to have cookies enabled to use the credit card form
Open, Medium, Public, Feature

Description

Users need cookies enabled for session handling on the credit card form to prevent CSRF. At the moment, depending on the particular form the user sees, they can either be entered into an infinite loop of the credit card form refreshing, or they can still transparently go through the process, although it is a security vulnerability.


Version: unspecified
Severity: enhancement
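The two failure modes the description names (an endless refresh loop when the session cookie never comes back, or a payment accepted without the session-bound CSRF check) can both be avoided with one probe redirect and a token bound to the session. The following is an added illustration and is not code from MediaWiki or the DonationInterface extension; the `cookie_probe` query parameter, the `fr_session` cookie, the `csrf_token` form field and the server secret are all constructed names for this example.

```python
"""Cookie-requirement check plus session-bound CSRF token for a payment form.

Added illustrative example, not code from MediaWiki or DonationInterface.
The 'cookie_probe' query parameter, the 'fr_session' cookie, the 'csrf_token'
form field and SERVER_SECRET are all constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_SECRET = b"constructed-example-secret"  # would come from site config in practice
SESSION_COOKIE = "fr_session"
PROBE_PARAM = "cookie_probe"


def csrf_token_for(session_id: str) -> str:
    """Derive a CSRF token bound to the session, so it is useless without the cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_request(cookies: dict, query: dict, form: Optional[dict] = None) -> dict:
    """Model one request to the credit card form.

    Returns a dict whose 'action' is one of:
    'redirect_probe', 'cookies_required', 'show_form', 'process', 'reject'.
    """
    session_id = cookies.get(SESSION_COOKIE)

    if session_id is None:
        # No session cookie. Redirect exactly once with a probe marker so the
        # browser gets a chance to send the freshly set cookie back ...
        if PROBE_PARAM not in query:
            new_session = secrets.token_hex(16)
            return {
                "action": "redirect_probe",
                "set_cookie": {SESSION_COOKIE: new_session},
                "location": f"?{PROBE_PARAM}=1",
            }
        # ... but if the marker is already present and the cookie still did
        # not come back, stop here and tell the user instead of looping forever.
        return {"action": "cookies_required"}

    if form is None:
        # GET with a valid session: render the form with its session-bound token.
        return {"action": "show_form", "csrf_token": csrf_token_for(session_id)}

    # POST: never process a payment without a token that matches this session.
    expected = csrf_token_for(session_id)
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, submitted):
        return {"action": "reject", "reason": "missing or invalid CSRF token"}
    return {"action": "process"}


def simulate_browser(accepts_cookies: bool) -> list:
    """Walk a browser through the flow; returns the sequence of server actions."""
    jar = {}
    actions = []
    resp = handle_request(jar, {})
    actions.append(resp["action"])
    if accepts_cookies:
        jar.update(resp.get("set_cookie", {}))
    # Follow the single probe redirect.
    resp = handle_request(jar, {PROBE_PARAM: "1"})
    actions.append(resp["action"])
    if resp["action"] == "show_form":
        resp = handle_request(jar, {}, {"csrf_token": resp["csrf_token"]})
        actions.append(resp["action"])
    return actions


if __name__ == "__main__":
    print("cookies on :", simulate_browser(True))
    print("cookies off:", simulate_browser(False))
```

The probe parameter is what breaks the loop: the second request is only ever redirected if it lacks the marker, so a browser that drops the cookie sees the "cookies required" page on its second hit rather than another redirect. Binding the token to the session id (and refusing any POST whose token does not verify) is what closes the second failure mode, since a client that never presented the cookie cannot hold a valid token for it.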

Details

Reference
bz25622

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:12 PM
bzimport set Reference to bz25622.

What was the trick again (apart from deleting cookies) to get the donation banners displayed again? Adding some parameter to the URL, I assume? Or is that documented somewhere for testers?
Would love to check if this is still a problem nowadays.

mwalker wrote:

There are two 'tricks' if you will. One is adding &reset=1 (and possibly &banner= a banner name from CN if there are no banners currently being run). The other is to delete the 'centralnotice_fundraising' cookie if it exists (this sets the hide flag which will stop CN from even requesting a banner).

Awjrichards set Security to None.
Awjrichards removed a subscriber: Tfinc.
Awjrichards unsubscribed.
Aklapper subscribed.

Didn't e35494d6934d973e2ab32dcf270af0234a5f906b fix this?
If not, where can a contributor see the "credit card form" to test this?

Removing good first task tag for the time being; feel free to re-add once more info has been provided for a contributor.

Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 12:24 PM