Last modified: 2014-09-23 19:35:59 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and except for displaying bug reports and their history, links might be broken. See T34000, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 32000 - Display comment preview instead of an error on session failure
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
Component: Wikilog
Version: unspecified
Hardware/OS: All / All
Importance: Normal normal
Target Milestone: ---
Assigned To: Juliano F. Ravasi
Keywords: patch, patch-need-review
Depends on:
Blocks:

Reported: 2011-10-27 21:31 UTC by Vitaliy Filippov
Modified: 2014-09-23 19:35 UTC
CC: 2 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
The patch to r101052 (3.58 KB, patch)
2011-10-27 21:31 UTC, Vitaliy Filippov

Description Vitaliy Filippov 2011-10-27 21:31:26 UTC
Created attachment 9303 [details]
The patch to r101052

Now, wikilog just shows an error page on session failures when posting a comment.
In some "browsers" (if MSIE is really a browser) user loses his comment text, because these "browsers" do not preserve it on clicking "Back".
I think it should be solved by displaying comment preview instead of an error in the case of session failure.
The patch is attached - it's pretty simple, but maybe I'm wrong somewhere again? :)
Comment 1 Juliano F. Ravasi 2011-11-06 20:02:16 UTC
Hello Vitaliy,

Your patch is already in my patch queue, but before submitting, I would like to understand better in which situations this bug triggers, since I can't reproduce it here.

To get an edit token in the comment form to submit a comment, the user needs to have a session with MediaWiki. This session is either anonymous, or it is a user login session created at login time. This session either ends with the browser session, or after 30 days.

In theory, the user shouldn't have a session failure under normal circumstances. If he got an edit token from the comment form, that edit token should be valid along with his session until he closes the browser.

I want to be careful applying code that touches the session handling code due to the danger of creating a [[w:Cross-site scripting]] vulnerability. But at first glance your patch seems good.

Could you provide some more detailed steps on how to reproduce this problem with the current version of MediaWiki?
Comment 2 Juliano F. Ravasi 2011-11-06 20:23:01 UTC
Correcting myself:

It is the [[w:Cross-site request forgery]] vulnerability, not XSS.

I would like steps to reproduce with the current version of Wikilog, not MediaWiki.
Comment 3 Vitaliy Filippov 2011-11-06 21:05:15 UTC
Yes, I've tried to think about CSRF while patching... To reproduce, I think you just need to log out of the wiki leaving the comments page open :)
I didn't reproduce this by myself, but it was done by several users in our company :) /we use wikilog for corporate blogs :)/ Probably they like to log in and out of the wiki? I agree it's strange, I'll try to ask them tomorrow and tell you :)
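The behaviour discussed in comments 1 to 3 (an edit token bound to the session, the session disappearing after a logout while the comment form stays open, and the request to re-render a preview with the user's text instead of an error) can be sketched as a small request handler. This is an added illustration in Python, not Wikilog's or MediaWiki's code; the in-memory session store, the form field names `wpEditToken` and `wlComment`, the `session_failure` notice and the token derivation are all constructed for the example. The point it shows is that preserving the comment text does not weaken the CSRF check: a failed token check still never saves, it only re-renders the form with a fresh token.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session data.
SESSIONS = {}


def new_session():
    """Create an anonymous or login session and return its id (cookie value)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"token_secret": secrets.token_hex(16)}
    return sid


def logout(sid):
    """Destroy the session; any edit token derived from it becomes invalid."""
    SESSIONS.pop(sid, None)


def edit_token(sid):
    """Derive the edit token from the session secret (assumed scheme, not MediaWiki's)."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    return hmac.new(sess["token_secret"].encode(), b"edit", hashlib.sha256).hexdigest()


def token_matches(sid, submitted):
    """Constant-time comparison of the submitted token against the session's token."""
    expected = edit_token(sid)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def render_preview(text, token, notice):
    """What the comment form would be re-rendered with: the user's text is kept."""
    return {"mode": "preview", "text": text, "token": token, "notice": notice}


def handle_comment_post(sid, form, posted_comments):
    """
    Handle a POSTed comment. Returns (session id to set in the cookie, response).
    sid may be stale (logged out, expired) or unknown; form is the POST body.
    Nothing is saved unless the token check passes against a live session.
    """
    text = form.get("wlComment", "")
    if sid not in SESSIONS:
        # Session failure: do not save, but do not discard the text either.
        # Start a fresh session so the re-rendered form carries a usable token.
        sid = new_session()
        return sid, render_preview(text, edit_token(sid), "session_failure")
    if not token_matches(sid, form.get("wpEditToken")):
        # Wrong or missing token on a live session (possible CSRF): same
        # treatment, and still nothing is saved.
        return sid, render_preview(text, edit_token(sid), "session_failure")
    posted_comments.append(text)
    return sid, {"mode": "saved", "text": text}


if __name__ == "__main__":
    # Reproduce the scenario from comment 3: open the form, log out, then submit.
    comments = []
    sid = new_session()
    token = edit_token(sid)
    logout(sid)
    sid, resp = handle_comment_post(sid, {"wpEditToken": token, "wlComment": "hello"}, comments)
    print(resp["mode"], repr(resp["text"]), comments)  # preview 'hello' []
    # Resubmitting from the preview form, with the fresh token, now saves.
    sid, resp = handle_comment_post(sid, {"wpEditToken": resp["token"], "wlComment": "hello"}, comments)
    print(resp["mode"], comments)  # saved ['hello']
```

A forged cross-site POST never carries the right token for the victim's session, so it lands in the same preview branch as the logout case and is not saved; the only difference the patch introduces is that a legitimate user gets their text back instead of an error page.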
Comment 4 Sumana Harihareswara 2011-12-23 18:55:58 UTC
Vitaliy, have you had a chance to ask your users?

Marking patch as need-review since it sounds like Juliano is still awaiting the information needed to properly review it.  If I'm wrong, it would make sense to me to replace the "need-review" keyword with "reviewed".
Comment 5 John Mark Vandenberg 2014-07-16 00:22:35 UTC
I am guessing this bug was exacerbated by the 'edit token expiry' problem, which was improved in bug 64416.
