Page MenuHomePhabricator

Hash character and trailing characters are ignored in username in users API
Closed, ResolvedPublic

Description

Usernames containing a hash (#) are cut off before the hash by the users API.

Test: https://www.mediawiki.org/wiki/Special:ApiSandbox#action=query&format=json&list=users&ususers=Rand%23om

As a result, typing such names in the username field on the signup page will not result in any immediate warning; the user will only see an error on submit.

Event Timeline

Tgr created this task.Apr 16 2016, 4:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 16 2016, 4:55 PM
Tgr added a comment.Apr 16 2016, 5:39 PM

The API uses Title::makeTitleSafe for parameter sanitization. Usernames starting with a valid namespace name or interwiki prefix result in a similar error. Account creation actually succeeds for such names, but the prefix gets stripped (that's T94656).

Change 283777 had a related patch set uploaded (by Gergő Tisza):
Reject usernames with # as user-type API parameters

https://gerrit.wikimedia.org/r/283777

Anomie moved this task from Unsorted to Needs Review on the MediaWiki-API board.Apr 18 2016, 2:22 PM

Change 283777 merged by jenkins-bot:
Reject usernames with # as user-type API parameters

https://gerrit.wikimedia.org/r/283777

Anomie closed this task as Resolved.Apr 18 2016, 3:23 PM
Anomie assigned this task to Tgr.
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptApr 20 2016, 12:02 AM