
WatchAction breaks when $wgUseAjax = false;
Closed, Resolved · Public


When $wgUseAjax is false, the watch link on a page computes a token using WatchAction::getWatchToken(). The $salt used to create the token uses $title->getPrefixedDBkey().

When you follow the link, WatchAction::show() calls $user->matchEditToken() to validate the token passed, but show() uses $this->getTitle()->getDBkey() for its $salt.

getPrefixedDBkey() and getDBkey() are not the same, so the token fails to validate, and you can't watch or unwatch pages.
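
Added example (not part of the original report and not MediaWiki's code): a simplified model of a salted CSRF token that shows why a generator and a validator using different salt expressions reject a valid request. The functions makeToken, checkToken, prefixedDbKey and dbKey are hypothetical stand-ins, and the secret and page names are constructed; in this model the two keys coincide only when the title has no namespace prefix.

```php
<?php
// Simplified model of a salted CSRF token; not MediaWiki's implementation.
// All names here (makeToken, checkToken, the two key helpers) are hypothetical.

function makeToken(string $sessionSecret, array $salt): string {
    // Bind the token to the session secret and to the salt (action + page key).
    return hash_hmac('sha256', implode('|', $salt), $sessionSecret);
}

function checkToken(string $token, string $sessionSecret, array $salt): bool {
    // Recompute with the validator's own salt; compare in constant time.
    return hash_equals(makeToken($sessionSecret, $salt), $token);
}

// Stand-ins for the two Title accessors: the prefixed key carries the
// namespace name, the plain key does not. An empty namespace means no prefix.
function prefixedDbKey(string $ns, string $key): string {
    return $ns === '' ? $key : $ns . ':' . $key;
}

function dbKey(string $ns, string $key): string {
    return $key;
}

$secret = 'constructed-session-secret'; // constructed sample value
$pages = [['', 'Main_Page'], ['Talk', 'Main_Page'], ['Help', 'Contents']]; // constructed

foreach ($pages as [$ns, $key]) {
    // Link generation salts the token with the prefixed key.
    $token = makeToken($secret, ['watch', prefixedDbKey($ns, $key)]);

    // Mismatched validator: salts with the unprefixed key.
    $mismatched = checkToken($token, $secret, ['watch', dbKey($ns, $key)]);
    // Matched validator: same salt expression as the generator.
    $matched = checkToken($token, $secret, ['watch', prefixedDbKey($ns, $key)]);

    printf(
        "%-15s mismatched=%s matched=%s\n",
        prefixedDbKey($ns, $key),
        var_export($mismatched, true),
        var_export($matched, true)
    );
}
```

Deriving the salt in one shared helper that both the link generator and the validator call keeps the two sides from drifting apart.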

Event Timeline

Firebus created this task. Jul 24 2015, 11:02 PM
Firebus raised the priority of this task from to Needs Triage.
Firebus updated the task description.
Firebus added a project: MediaWiki-Watchlist.
Firebus added a subscriber: Firebus.
Restricted Application added a subscriber: Aklapper. Jul 24 2015, 11:02 PM

Here's a patch with the fix I'm using in MW 1.24; I think it should still apply cleanly to HEAD.

Thanks for taking a look at the code!

You are very welcome to use developer access to submit this as a Git branch directly into Gerrit.

Putting your branch in Git makes it easier to review it quickly. If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks again!

Aklapper triaged this task as Medium priority. Jul 25 2015, 1:00 PM

Oh, sweet, I didn't know I could set up my own branches as just a random guy off the street :) I'll get this into Gerrit tonight or tomorrow.

Tomorrow finally came! Here's the commit in Gerrit: (though I suspect it will eventually appear here on its own?)

(though I suspect it will eventually appear here on its own?)

Only when following :)

D'oh :( That did not jump out at me on, though it is linked out, sorry!

Change 228774 had a related patch set uploaded (by Nemo bis):
Match salt of WatchAction::show() and getWatchToken()

Change 228774 merged by jenkins-bot:
Match salt of WatchAction::show() and getWatchToken()

Legoktm closed this task as Resolved. Aug 9 2015, 3:31 AM
Legoktm assigned this task to Firebus.
Legoktm set Security to None.