Original title:
ApiUpload.php -- Async chunked upload fails when chunk is of file size but file is stashed
Here is what I send to the server:
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="format"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
json
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="action"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
upload
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="filename"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
' onmouseover='alert("There is a security vulnerable. Please contact the next admin if you see this in a message box.")' target='.png
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="stash"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="filesize"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
459
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="offset"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="async"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="ignorewarnings"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: attachment; name="chunk"; filename="' onmouseover='alert(-There is a security vulnerable. Please contact the next admin if you see this in a message box.-)' target='.png"
Content-Type: image/png
Content-Transfer-Encoding: binary
PNG
[...]
------------mediawiki.commons.MwJSBot0.5308303697218709
Content-Disposition: form-data; name="token"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
removed+\
------------mediawiki.commons.MwJSBot0.5308303697218709--
Which gives the following result:
{"servedby":"mw1121","error":{"code":"stashfailed","info":"Chunk assembly already in progress."}}
This is because of line 211 ff. in ApiUpload.php, which does
$this->dieUsage( "Chunk assembly already in progress.", 'stashfailed' );
At this time, the file is being added to the stash *but* the API user does not get a filekey back! Without that key, publishing the upload or querying the status is not possible.
I suggest either refusing chunked uploads that consist of only one chunk or returning the result (Poll) from line 214 if the chunk is the size of the whole file.
This way it will be possible to either publish the upload or it is clear that one-chunk-chunked uploads are not wanted.
Version: 1.22.0
Severity: normal
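
Added example, not part of the original report and not MediaWiki's or the bot's own code: a client-side planner that avoids the one-chunk case described above by sending a file that fits in a single chunk as a plain stash upload, plus a check that recognises the response shown in the report. The function names, the chunk size and the filekey placeholder are assumptions; the parameter names are those in the request above, and `file` is the standard non-chunked action=upload parameter.

```javascript
// Hypothetical helper: plan the requests for a stashed upload.
// The caller still adds `filename` and `token` to every request.
function planStashUpload(fileSize, chunkSize) {
  if (!Number.isInteger(fileSize) || fileSize <= 0) {
    throw new RangeError('fileSize must be a positive integer');
  }
  if (!Number.isInteger(chunkSize) || chunkSize <= 0) {
    throw new RangeError('chunkSize must be a positive integer');
  }
  // One chunk would cover the whole file: this is the request shape that
  // ended in "Chunk assembly already in progress." without a filekey, so
  // send a single non-chunked stash request instead (no offset/filesize).
  if (fileSize <= chunkSize) {
    return [{
      mode: 'plain',
      params: { action: 'upload', format: 'json', stash: 1 },
      body: { field: 'file', start: 0, end: fileSize }
    }];
  }
  const requests = [];
  for (let offset = 0; offset < fileSize; offset += chunkSize) {
    const end = Math.min(offset + chunkSize, fileSize);
    const params = {
      action: 'upload', format: 'json', stash: 1,
      filesize: fileSize, offset: offset, async: 1
    };
    // Chunks after the first carry the filekey returned for chunk 0.
    if (offset > 0) params.filekey = '<filekey from first response>';
    requests.push({ mode: 'chunked', params: params,
                    body: { field: 'chunk', start: offset, end: end } });
  }
  return requests;
}

// True for the response in the report: a stashfailed error and no filekey,
// so the client can neither poll the status nor publish the stashed file.
function isOrphanedStash(response) {
  return Boolean(response && response.error &&
    response.error.code === 'stashfailed' &&
    /already in progress/i.test(response.error.info || '') &&
    !response.filekey);
}
```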