Last modified: 2013-01-23 15:21:58 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T45004, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 43004 - Creating Claim with Snak using wikibase-item type needs validation
Status: VERIFIED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: WikidataRepo
Version: unspecified
Hardware: All All
Importance: Highest normal
Assigned To: Jeroen De Dauw
Duplicates: 43609
Reported: 2012-12-12 12:35 UTC by Daniel A. R. Werner
Modified: 2013-01-23 15:21 UTC

Description Daniel A. R. Werner 2012-12-12 12:35:22 UTC
The wikibase-item type uses the 'string' data value. This allows for all strings while we only want to allow proper wb item IDs. The right thing to do would probably be to add a validator to the wikibase-item data type definition, checking whether the given string is a proper ID.

If this is not fixed, this allows confusing vandalism: people adding Snaks with weird IDs which make no sense to Statements. In the frontend we can prevent this in other ways; the API would still be vulnerable and would require a solution to this bug.
Comment 1 Jeroen De Dauw 2012-12-12 21:34:45 UTC
Taking this one.

> In the frontend we can prevent this in other ways

You cannot prevent people from submitting incorrect data via frontend code ;)
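
The server-side check discussed in the description and in comment 1, sketched as an added example (not Wikibase code and not taken from the linked commits). The function name, the lookup callback, the sample data and the assumed ID format ("q" or "Q" followed by a positive integer without leading zeros) are all hypothetical; the existence lookup goes one step beyond the format check the report asks for.

```php
<?php
declare(strict_types=1);

// Assumption: an item ID is "q" or "Q" followed by a positive decimal
// integer without leading zeros, at most 10 digits long.
const ITEM_ID_PATTERN = '/\A[qQ][1-9][0-9]{0,9}\z/';

/**
 * Hypothetical server-side check for the value of a wikibase-item Snak.
 * Returns null when the value is acceptable, otherwise a rejection reason.
 */
function validateItemIdValue($value, callable $itemExists): ?string
{
    // The API receives decoded JSON, so the value may be any type.
    if (!is_string($value)) {
        return 'not-a-string';
    }
    // \A and \z anchor the whole input; "$" alone would accept "q42\n".
    // [0-9] is used instead of \d so only ASCII digits can ever match.
    if (preg_match(ITEM_ID_PATTERN, $value) !== 1) {
        return 'malformed-item-id';
    }
    // Well-formed is not enough: the ID must refer to an existing item.
    if (!$itemExists(strtolower($value))) {
        return 'no-such-item';
    }
    return null;
}

// Constructed sample data standing in for the item store lookup.
$known = ['q42' => true, 'q64' => true];
$itemExists = fn(string $id): bool => isset($known[$id]);

// Constructed inputs as they could arrive at the API, bypassing any UI checks.
$samples = ['q42', 'Q64', 'q42 ', "q42\n", 'q042', 'berlin', 'q999999', 42, ['q42']];

foreach ($samples as $input) {
    $reason = validateItemIdValue($input, $itemExists);
    printf("%-12s %s\n", json_encode($input), $reason ?? 'accepted');
}
```

Only the first two inputs are accepted; the check runs in the request handler, so it applies no matter which client built the request.
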
Comment 2 Daniel A. R. Werner 2012-12-21 10:44:59 UTC
Jeroen: trollololol? Perhaps I should have written in our UI. Even though we are not doing this and yes, you could still 'hack' it then.
Comment 3 Jeroen De Dauw 2013-01-08 22:20:04 UTC
"It's not security you know ... [long silence] ... it's validating input... before it goes to the server" -- anonymous Daniel is anonymous
Comment 4 Jeroen De Dauw 2013-01-08 23:17:10 UTC
Started to actually work on this.
Comment 5 Jeroen De Dauw 2013-01-08 23:53:33 UTC
First commit, more will follow: https://gerrit.wikimedia.org/r/#/c/42885/
Comment 6 Jeroen De Dauw 2013-01-09 00:12:12 UTC
Second commit, more will follow: https://gerrit.wikimedia.org/r/42893
Comment 7 Jeroen De Dauw 2013-01-09 21:05:53 UTC
Also

https://gerrit.wikimedia.org/r/#/c/42974/

and

https://gerrit.wikimedia.org/r/#/c/42977/

More will still follow
Comment 8 denny vrandecic 2013-01-15 15:58:10 UTC
*** Bug 43609 has been marked as a duplicate of this bug. ***
Comment 9 abraham.taherivand 2013-01-23 15:21:58 UTC
Verified in Wikidata demo sprint 29
