
CAPTCHA broken at English Wikipedia, when adding specific content in AFD (Articles for Deletion)
Closed, Resolved · Public

Description

See the very informative original report: https://en.wikipedia.org/w/index.php?oldid=864094427#Unable_to_publish_a_very_specific_change_(an_AfD_page)_at_any_namespace_as_an_unregistered_contributor

Steps to reproduce:

  1. Log out or use a non-autoconfirmed account at the English Wikipedia.
  2. Put this on a page (including an existing page):

       {{Special:Prefixindex}}
       https://example.com/

  3. Try to save the page.

Results:

This should trigger a CAPTCHA, but it doesn't. And since you can't enter the CAPTCHA, you can't save the page.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Oct 15 2018, 5:31 PM
matmarex added a subscriber: matmarex.

Fascinating. So, a few things normally happen when a user tries to save the page (and gets rejected):

  1. Hooks are executed to check whether the page can be saved (including ConfirmEdit's CAPTCHA check)
  2. Page wikitext is parsed (this is done even when the save is rejected by #1, probably to display the list of transcluded templates below the editor)
  3. If the save was rejected, an appropriate error message is generated

The bug is that parsing the wikitext of a special page transclusion in step #2 "resets" a global WikiPage object, which ConfirmEdit uses to pass information about the fact that the CAPTCHA field should be shown from step #1 to #3. Therefore the save is rejected, but step #3 thinks it passed, so the CAPTCHA field is not shown.

This is one of these tasks that take hours to debug and are fixed with a two-line change…

Change 468195 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/extensions/ConfirmEdit@master] [DO NOT MERGE] Debugging code for T207065

https://gerrit.wikimedia.org/r/468195

Change 468195 abandoned by Bartosz Dziewoński:
[DO NOT MERGE] Debugging code for T207065

https://gerrit.wikimedia.org/r/468195

Change 468196 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@master] During special page transclusion, save and restore context's WikiPage too

https://gerrit.wikimedia.org/r/468196

Also, I don't think this is a new issue. It seems that the bug has existed for years. The bug reporter must be the first person ever to use special page transclusion (a fairly rare and unknown feature) while triggering a CAPTCHA (which mostly happens to newbie users). :)

Change 468196 merged by jenkins-bot:
[mediawiki/core@master] During special page transclusion, save and restore context's WikiPage too

https://gerrit.wikimedia.org/r/468196
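
A simplified model of the three steps described above and of the save-and-restore fix named in change 468196, added here as an illustration; it is not MediaWiki or ConfirmEdit code. The names `Page`, `Context`, `captchaCheck`, `parseWikitext` and `attemptSave`, and the link-based CAPTCHA trigger, are assumptions made for the example.

```php
<?php
// Simplified model; class and function names are hypothetical, not MediaWiki's.
class Page {
    public bool $captchaRequired = false; // flag the CAPTCHA check leaves for the edit form
    public function __construct(public string $title) {}
}

class Context {
    public Page $page;
    public function __construct(string $title) { $this->page = new Page($title); }
}

// Step 1: the save hook rejects the edit and records why on the shared page object.
function captchaCheck(Context $ctx, string $text): bool {
    if (preg_match('#https?://#', $text)) { // assumed trigger: edit adds an external link
        $ctx->page->captchaRequired = true;
        return false;
    }
    return true;
}

// Step 2: parsing {{Special:...}} renders the special page inside the same context.
function parseWikitext(Context $ctx, string $text, bool $restorePage): void {
    if (!preg_match('/\{\{Special:(\w+)\}\}/', $text, $m)) {
        return;
    }
    $saved = $ctx->page;
    $ctx->page = new Page("Special:{$m[1]}"); // context now points at a fresh object
    // ... special page output would be generated here ...
    if ($restorePage) {
        $ctx->page = $saved;                  // the save-and-restore fix
    }
}

// Step 3: the error path decides what to show from the same shared object.
function attemptSave(string $text, bool $restorePage): string {
    $ctx = new Context('Sandbox');
    $ok = captchaCheck($ctx, $text);
    parseWikitext($ctx, $text, $restorePage);
    if ($ok) {
        return 'saved';
    }
    return $ctx->page->captchaRequired ? 'rejected: CAPTCHA shown' : 'rejected: no CAPTCHA shown';
}

$edit = "{{Special:Prefixindex}}\nhttps://example.com/"; // wikitext from the report
echo attemptSave($edit, false), "\n";                  // without restoring the page
echo attemptSave($edit, true), "\n";                   // with the page restored
echo attemptSave("https://example.com/", false), "\n"; // no transclusion involved
```

The edit is rejected in all three runs, which is the fail-closed part; only the run that swaps the page object without restoring it loses the flag and leaves the user with no CAPTCHA to solve.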

matmarex closed this task as Resolved. · Oct 19 2018, 9:03 PM
matmarex removed a project: Patch-For-Review.