Page MenuHomePhabricator
Create Task
Maniphest T154276

Pattern field is broken
Closed, DuplicatePublic
Actions

Description

Apart from the usability issues, currently the pattern field is (justifiedly so) escaped to prevent SQL injection. However, the way it is does not allow any pattern characters in the pattern, only exact match, making the field pretty much useless.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Update callersmediawiki/extensions/Nukemaster+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Nikerabbit created this task.Dec 29 2016, 7:34 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 29 2016, 7:34 AM
Nemo_bis subscribed.Dec 29 2016, 7:42 AM

Verified on https://www.mediawiki.org/wiki/Special:Nuke

Steps to reproduce:

  1. Find a new page title in https://www.mediawiki.org/wiki/Special:NewPages (open a page, copy the title from the URL so that you have the underscores, for instance Wikimedia_Developer_Summit/2017/Room_Setup).
  2. Enter the title in the pattern field at https://www.mediawiki.org/wiki/Special:Nuke and submit.

I. Observed: The page is found and selected for deletion.

  1. Repeat (2) with a truncated title and % wildcard (e.g. Wikimedia%).

II. Observed: the form is reloaded with an error message "there are no new pages in recent changes" and the field gets emptied.

Nemo_bis triaged this task as High priority.Dec 29 2016, 7:42 AM
Ruthven mentioned this in T156112: Mass delete only works with default values on Special:Nuke.Jan 24 2017, 9:09 AM
Krinkle subscribed.Feb 6 2017, 9:45 PM

Caused by 6bb05450766e2df4ea568adf377cbbd237c09b91 (T153988; https://gerrit.wikimedia.org/r/328850) which changed the field name from pattern to nuke-pattern, but did not update the caller.

gerritbot subscribed.Feb 7 2017, 2:19 AM

Change 336357 had a related patch set uploaded (by Ladsgroup):
Update callers

https://gerrit.wikimedia.org/r/336357

gerritbot added a project: Patch-For-Review.Feb 7 2017, 2:19 AM
Ladsgroup claimed this task.Feb 7 2017, 2:20 AM
Restricted Application added a project: User-Ladsgroup. · View Herald TranscriptFeb 7 2017, 2:20 AM
Ladsgroup added a comment.Feb 7 2017, 2:21 AM

Once this gets merged. I will backport it for SWAT.

Nikerabbit added a comment.Feb 7 2017, 10:43 AM

I think you got the wrong bug here. This was reported for the pre-OOUI conversion.

gerritbot added a comment.Feb 7 2017, 1:13 PM

Change 336357 merged by jenkins-bot:
Update callers

https://gerrit.wikimedia.org/r/336357

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2017-02-07_(1.29.0-wmf.11)).Feb 7 2017, 2:00 PM
Ladsgroup moved this task from Incoming to In progress on the User-Ladsgroup board.Feb 8 2017, 4:01 AM
Ladsgroup removed Ladsgroup as the assignee of this task.Feb 10 2017, 9:31 PM
Ladsgroup subscribed.

I don't have time to work on this. Specially, it's security-related and I'm too sloppy to handle such cases.

Ladsgroup removed projects: MW-1.29-release (WMF-deploy-2017-02-07_(1.29.0-wmf.11)), User-Ladsgroup, Patch-For-Review.Feb 10 2017, 9:33 PM
Nikerabbit closed this task as a duplicate of T123449: [betalabs] Special:Nuke - 'Pattern for the page name' filter does not work.Apr 21 2017, 5:45 AM
Johnywhy subscribed.Jun 21 2018, 6:42 PM
This comment was removed by Johnywhy.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits