Page MenuHomePhabricator

Substituting a null template allows an arbitrary number of newlines to be added to the end of a page
Open, LowestPublic

Description

I don't know if this is an issue worth fixing, but I thought it was peculiar enough behavior from the software that I should say something. My understanding is that if you try to save a newline to the end of a page, the software should discard the edit as a null edit. However, it appears you can save any number of newlines to the end of the page and have it be recorded in the revision history if you substitute a template that outputs nothing.

I was dealing with some severe template vandalism on Wikipedia recently and figured I should purge the pages that transcluded the template to be safe. Wikipedia:Purge#Null edit (permalink) contained advice saying that if you use AutoWikiBrowser to append {{subst:void}} to the page and submit, then "no changes will be made, but the page will be purged." On the English Wikipedia, you can see that Template:Void literally does nothing. Its documentation states: "This template does nothing—more precisely, it throws away its parameters and outputs the null string."

I tried the advice of Wikipedia:Purge on the Canadian Football League article (which transcluded the affected template), expecting a simple purge, but rather embarrassingly, an edit was actually recorded in the revision history of the article: see diff. When I tried the procedure again on Wikipedia:Sandbox, but set the "use X newlines" option to 0 newlines, no edit was recorded, which is the behavior that is expected regardless of how many newlines I add. I have since updated the text of Wikipedia:Purge to ensure that others don't add newlines.

I was a little mortified, so I tried to undo the edit to the football league article, but it wouldn't let me because the diff shows "no difference" (i.e. nothing to undo), similar to how page-moves are notated in the revision history. However, it did change the size of the page by +2 bytes (the number of newlines I added). I tried it manually (i.e. without AWB) on Wikipedia:Sandbox, and it also worked, so it's not just an AWB issue. When I tried to use the rollback feature on the edit, it gave me an erroneous message saying:

Cannot roll back edit to Wikipedia:Sandbox by Mz7 (talk · block · contribs) because someone else has edited the page.

No one else had edited the page at the time. I was clicking the rollback button on the most current revision. If you have rollback rights on the English Wikipedia, you can reproduce this yourself by trying to rollback or undo the most recent revision of User:Mz7/sandbox/1, where I last added 10 newlines to the article, then {{subst:void}}.

I suppose this trick might have a beneficial use by allowing someone to save a useful edit summary without affecting the page. On the other hand, it seems that it could also be disruptive: it also allows someone to add an arbitrary number of newline characters to the end of a page, thus inflating the size of a page, while the diff would still read "no difference", causing rollback and undo to fail. However, you can get the byte count to go back to normal by simply saving a new edit as usual.

Replication steps

  1. Create a template that outputs nothing – see Template:Void on the English Wikipedia for an example
  2. Navigate to any existing page on your wiki, then add an arbitrary number of newlines to the very end of that page
  3. On the last newline, substitute the void template from step 1 – e.g. {{subst:void}} on the English Wikipedia
  4. Submit the page
  5. Try to rollback the edit that was saved

Event Timeline

Mz7 created this task.Jan 10 2018, 8:31 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 10 2018, 8:31 AM
Aklapper triaged this task as Lowest priority.Jan 10 2018, 10:57 AM
238482n375 set Security to Software security bug.Jun 15 2018, 8:07 AM
238482n375 added a project: Security.
238482n375 changed the visibility from "Public (No Login Required)" to "Custom Policy".
238482n375 added a subscriber: 238482n375.

SG9tZVBoYWJyaWNhdG9yCk5vIG1lc3NhZ2VzLiBObyBub3RpZmljYXRpb25zLgoKICAgIFNlYXJjaAoKQ3JlYXRlIFRhc2sKTWFuaXBoZXN0ClQxOTcyODEKRml4IGZhaWxpbmcgd2VicmVxdWVzdCBob3VycyAodXBsb2FkIGFuZCB0ZXh0IDIwMTgtMDYtMTQtMTEpCk9wZW4sIE5lZWRzIFRyaWFnZVB1YmxpYwoKICAgIEVkaXQgVGFzawogICAgRWRpdCBSZWxhdGVkIFRhc2tzLi4uCiAgICBFZGl0IFJlbGF0ZWQgT2JqZWN0cy4uLgogICAgUHJvdGVjdCBhcyBzZWN1cml0eSBpc3N1ZQoKICAgIE11dGUgTm90aWZpY2F0aW9ucwogICAgQXdhcmQgVG9rZW4KICAgIEZsYWcgRm9yIExhdGVyCgpFVzZSC3IERpc2NsYWltZXIgtyBDQy1CWS1TQSC3IEdQTApZb3VyIGJyb3dzZXIgdGltZXpvbmUgc2V0dGluZyBkaWZmZXJzIGZyb20gdGhlIHRpbWV6b25lIHNldHRpbmcgaW4geW91ciBwcm9maWxlLCBjbGljayB0byByZWNvbmNpbGUu

Ladsgroup changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 15 2018, 11:51 AM
Ladsgroup removed a project: Security.
Ladsgroup removed a subscriber: 238482n375.
Restricted Application added a project: Security. · View Herald TranscriptJun 15 2018, 11:51 AM