mw.Api ajax() should put token parameter last
Closed, Resolved (Public)

Description

Author: russblau

Description:
patch to mediawiki.api.js to handle edit tokens

It is recommended at [[mw:API:Edit#Token]] that the "token" parameter in an edit request should be passed to the server last. This is a safety measure in case transmission of the HTML request to the server is interrupted; the server will not process an incomplete request because there will be no token. (Conversely, if the "text=" parameter were last, the server would have no way of knowing whether the complete text had been received.) Presumably the same thing is necessary for action=email, since the request may include text of arbitrary length.

The attached patch (not tested) moves any parameter named "token" to the end of the request; this is possibly over-inclusive (it will apply to things like "action=watch" where there is no text field in the request) but I can't see how it can do any harm.


Version: 1.19
Severity: minor

Details

Reference
bz35727
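
The ordering argument in the description, as an added JavaScript illustration (not the attached patch and not MediaWiki's code): it serializes the same request with the token first and with the token last, then counts the cut points at which a server would receive a complete token together with incomplete text. The helper names and the sample token, title and text are constructed for this example.

```javascript
// Constructed sample edit request; the token value is made up.
const SAMPLE = {
  token: 'd41d8cd98f00b204e9800998ecf8427e+\\',
  action: 'edit',
  title: 'Sandbox',
  text: 'First line\nSecond line & more'
};

// Serialize as application/x-www-form-urlencoded. With tokenLast set,
// any "token" parameter is moved to the end of the body.
function serialize(params, tokenLast) {
  let keys = Object.keys(params);
  if (tokenLast && keys.includes('token')) {
    keys = keys.filter((k) => k !== 'token').concat('token');
  }
  return keys
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
}

// What a server would parse if only the first n characters arrived.
function parseTruncated(body, n) {
  return Object.fromEntries(new URLSearchParams(body.slice(0, n)));
}

// Count cut points where the token arrives intact but the text does not,
// i.e. where a truncated edit would pass a token check and be saved.
function undetectedTruncations(body, params) {
  let count = 0;
  for (let n = 0; n < body.length; n++) {
    const seen = parseTruncated(body, n);
    if (seen.token === params.token && seen.text !== params.text) {
      count++;
    }
  }
  return count;
}

const tokenFirst = serialize(SAMPLE, false);
const tokenLast = serialize(SAMPLE, true);
console.log('token first:', undetectedTruncations(tokenFirst, SAMPLE));
console.log('token last: ', undetectedTruncations(tokenLast, SAMPLE));
```
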

Event Timeline

bzimport raised the priority of this task to Low. (Nov 22 2014, 12:12 AM)
bzimport set Reference to bz35727.

sumanah wrote:

Thanks for the patch, Russell!

Just so you know, you can get developer access easily

https://www.mediawiki.org/wiki/Developer_access

and then submit the patch right into our Git source control system:

https://www.mediawiki.org/wiki/Git/Workflow

+1, patch looks good to me, and seems to work as advertised in a quick test.

sumanah wrote:

Brad, since Russell hasn't responded, want to put it in Gerrit on his behalf?

(In reply to comment #4)
> +2 (not tested though)

Does that mean you committed it already?

(In reply to comment #3)
> Brad, since Russell hasn't responded, want to put it in Gerrit on his behalf?

Sure, I can do that if Krinkle hasn't committed it already.

(In reply to comment #5)
> (In reply to comment #4)
> > +2 (not tested though)
>
> Does that mean you committed it already?

No, I did not.

> (In reply to comment #3)
> > Brad, since Russell hasn't responded, want to put it in Gerrit on his behalf?
>
> Sure, I can do that if Krinkle hasn't committed it already.

Please do :)