Last modified: 2014-10-14 18:04:32 UTC
Sherif reported that the mobile link seems to be appending POST fields when generating the url, so after submitting a username/password, the password is in the text of the resulting page.

curl -i -s -k -X 'POST' \
 -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0' \
 -H 'Referer: http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&returnto=Main+Page' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -b 'GeoIP=GB::51.5000:-0.1300:v4; centralnotice_bucket=1-4.2; uls-previous-languages=%5B%22en%22%5D; mediaWiki.user.sessionId=YI03bpxPjata58Fp5ZwwvIEB1r9p3PZs; enwikiSession=414940d3638c0d8c1bc3899d56b23f1a' \
 --data-binary $'wpName=%27%27&wpPassword=%27%27&wpLoginAttempt=Log+in&wpLoginToken=3037b08023402e508455f7340476341c' \
 'http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main+Page'
The example above will result in the following link on line 224 of the response: http://en.m.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&wpName=%27%27&wpPassword=%27%27&wpLoginAttempt=Log+in&wpLoginToken=3037b08023402e508455f7340476341c&action=submitlogin&type=login&returnto=Main+Page
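A small model of the defect described in the report, next to the safe behaviour, added here as an illustration rather than code from MediaWiki or MobileFrontend: the mobile link must be rebuilt from the GET query string only, never from POST body fields. The host is the one in the report; the function names, the regression check and the sample values are assumptions/constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MOBILE_HOST = "en.m.wikipedia.beta.wmflabs.org"  # mobile host from the report

# Constructed sample: the login POST from the report, with a placeholder password.
REQUEST_URL = ("http://en.wikipedia.beta.wmflabs.org/w/index.php"
               "?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main+Page")
POST_FIELDS = {
    "wpName": "ExampleUser",                 # constructed
    "wpPassword": "placeholder-not-real",    # constructed
    "wpLoginAttempt": "Log in",
    "wpLoginToken": "3037b08023402e508455f7340476341c",  # token value from the report
}


def mobile_url_vulnerable(request_url: str, post_fields: dict) -> str:
    """Models the reported bug: the mobile link is rebuilt from every request
    value, so POST body fields (including the password) land in the URL."""
    parts = urlsplit(request_url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(post_fields)  # BUG: POST fields merged into the query string
    return urlunsplit((parts.scheme, MOBILE_HOST, parts.path, urlencode(params), ""))


def mobile_url_fixed(request_url: str, post_fields: dict) -> str:
    """Safe variant: only the original GET query is carried over; the POST body
    is deliberately ignored when generating the link."""
    parts = urlsplit(request_url)
    return urlunsplit((parts.scheme, MOBILE_HOST, parts.path, parts.query, ""))


def leaked_post_fields(page_text: str, post_fields: dict) -> list:
    """Regression check (hypothetical): names of submitted POST fields that
    show up in the response body, e.g. inside a generated link."""
    return [name for name in post_fields if f"{name}=" in page_text]


if __name__ == "__main__":
    page = f'<a href="{mobile_url_vulnerable(REQUEST_URL, POST_FIELDS)}">Mobile view</a>'
    print("leaked (vulnerable):", leaked_post_fields(page, POST_FIELDS))
    page = f'<a href="{mobile_url_fixed(REQUEST_URL, POST_FIELDS)}">Mobile view</a>'
    print("leaked (fixed):", leaked_post_fields(page, POST_FIELDS))
```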
Is any further action required on this? Is this Zero-related, or is it something for MobileFrontend? If it's MobileFrontend, could we get Max and Kaldari on this bug?
I'll defer to Chris as he knows the code base way better than I do as to where the issue resides.
For some reason I thought this was zero, but yeah, it looks more like mobile frontend. Max, can you take a look at this?
Created attachment 16681: Proposed fix

Proposed fix. Will commit tests separately because they would require FauxRequest changes in core to test reasonably.
The proposed fix looks good to me.
LGTM, +2
Good catch. That's nasty.