Last modified: 2014-09-23 19:35:59 UTC
Created attachment 9303 [details] The patch to r101052 Now, wikilog just shows an error page on session failures when posting a comment. In some "browsers" (if MSIE is really a browser) the user loses his comment text, because these "browsers" do not preserve it when clicking "Back". I think it should be solved by displaying a comment preview instead of an error in the case of a session failure. The patch is attached - it's pretty simple, but maybe I'm wrong somewhere again? :)
Hello Vitaliy, Your patch is already in my patch queue, but before submitting, I would like to understand better in which situations this bug triggers, since I can't reproduce it here. To get an edit token in the comment form to submit a comment, the user needs to have a session with MediaWiki. This session is either anonymous, or it is a user login session created at login time. This session either ends with the browser session, or after 30 days. In theory, the user shouldn't have a session failure under normal circumstances. If he got an edit token from the comment form, that edit token should be valid along with his session until he closes the browser. I want to be careful applying code that touches the session handling code due to the danger of creating a [[w:Cross-site scripting]] vulnerability. But at first glance your patch seems good. Could you provide some more detailed steps on how to reproduce this problem with the current version of MediaWiki?
Correcting myself: It is the [[w:Cross-site request forgery]] vulnerability, not XSS. I would like steps to reproduce with the current version of Wikilog, not MediaWiki.
Yes, I've tried to think about CSRF while patching... To reproduce, I think you just need to log out of the wiki leaving the comments page open :) I didn't reproduce this myself, but it was done by several users in our company :) /we use wikilog for corporate blogs :)/ Probably they like to log in and out of the wiki? I agree it's strange, I'll try to ask them tomorrow and tell you :)
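The mechanism Juliano describes above (an edit token that is only valid together with the session that issued it) and the reproduction Vitaliy gives (load the comment form, log out in another tab, then submit) can be modelled in a few lines. The block below is an added example written for this thread; it is not MediaWiki's or Wikilog's code, and the session store, the HMAC-based token, the salt string and the `post_comment` handler are all constructed for illustration. It shows why the token stops validating after logout, why a token minted under a different session is rejected (the CSRF property the patch must preserve), and how a handler can answer a token failure with a preview that carries the submitted text and a fresh token instead of a bare error page.

```python
import hashlib
import hmac
import html
import secrets

# Constructed toy model, not MediaWiki's or Wikilog's real code: a session store,
# a session-bound edit token, and a comment handler that answers a token failure
# with a preview of the submitted text instead of an error page.

SESSIONS = {}   # session_id -> {"user": str or None, "secret": bytes}
SAVED = []      # (user, text) pairs that passed the token check


def start_session(user=None):
    """Create a session (anonymous when user is None) with its own random secret."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "secret": secrets.token_bytes(32)}
    return sid


def end_session(sid):
    """Logout: the secret is discarded, so every token it issued stops validating."""
    SESSIONS.pop(sid, None)


def edit_token(sid, salt=b"wikilog-comment"):
    """Token = HMAC(session secret, salt): only a holder of the session can mint it."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    return hmac.new(sess["secret"], salt, hashlib.sha256).hexdigest()


def token_matches(sid, token, salt=b"wikilog-comment"):
    """Constant-time check; False if the session is gone or the token is foreign."""
    expected = edit_token(sid, salt)
    if expected is None or not token:
        return False
    return hmac.compare_digest(expected, token)


def render_form(sid, text):
    """Comment form state: the submitted text, escaped, plus a fresh token for this session."""
    return {
        "text_html": html.escape(text),  # the preview echoes user-controlled input, so escape it
        "token": edit_token(sid),
    }


def post_comment(sid, form):
    """Handle a comment POST. Returns (outcome, session_id, form_state).

    "saved": the token matched the caller's live session and the text was stored.
    "preview": the token did not match. Nothing is stored; the text is echoed back
    in the form with a token belonging to the session the response is served under.
    """
    text = form.get("text", "")
    if token_matches(sid, form.get("token")):
        SAVED.append((SESSIONS[sid]["user"], text))
        return ("saved", sid, None)
    if sid not in SESSIONS:
        sid = start_session()  # like a wiki issuing a new anonymous session after logout
    return ("preview", sid, render_form(sid, text))


def demo():
    """The reproduction from the thread: load the form, log out, then submit."""
    sid = start_session("vitaliy")
    token = edit_token(sid)      # token embedded in the open comment form
    end_session(sid)             # user logs out in another tab
    outcome, new_sid, state = post_comment(sid, {"text": "<b>hi</b>", "token": token})
    return outcome, state["text_html"], new_sid != sid


if __name__ == "__main__":
    print(demo())
```

The preview path is safe against CSRF for the same reason the error page was: a forged cross-site POST never reaches `SAVED`, and the fresh token in the preview is bound to the session of whoever receives the response. What the preview adds is an echo of the submitted text, which is why `render_form` HTML-escapes it.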
Vitaliy, have you had a chance to ask your users? Marking patch as need-review since it sounds like Juliano is still awaiting the information needed to properly review it. If I'm wrong, it would make sense to me to replace the "need-review" keyword with "reviewed".
I am guessing this bug was exacerbated by the 'edit token expiry' problem, which was improved in bug 64416.