Page MenuHomePhabricator

dispatchUser() in SpecialRedirect.php should use a 302 http status code instead of a 301 to avoid certain caching issues
Closed, ResolvedPublic

Description

Per the public conversation on the related patch: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/530433/2/includes/specials/SpecialRedirect.php#93

dispatchUser() in SpecialRedirect.php should use a 302 http status code instead of a 301 to avoid certain caching issues. This is a public task as 1) this issue was already publicly-discussed on gerrit 2) this is conceivably more code-hardening than a bona fide security issue.

Event Timeline

sbassett created this task.Aug 27 2019, 8:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 27 2019, 8:52 PM
sbassett triaged this task as Low priority.Aug 27 2019, 8:53 PM
sbassett moved this task from Backlog to In Progress on the user-sbassett board.

Change 532795 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/core@master] dispatchUser() in should use a 302 http status code

https://gerrit.wikimedia.org/r/532795

Change 535659 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/core@REL1_33] dispatchUser() should use a 302 http status code

https://gerrit.wikimedia.org/r/535659

Change 535660 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/core@REL1_32] dispatchUser() should use a 302 http status code

https://gerrit.wikimedia.org/r/535660

Change 535659 merged by jenkins-bot:
[mediawiki/core@REL1_33] dispatchUser() should use a 302 http status code

https://gerrit.wikimedia.org/r/535659

Change 532795 merged by jenkins-bot:
[mediawiki/core@master] dispatchUser() should use a 302 http status code

https://gerrit.wikimedia.org/r/532795

Just REL1_31 to be dealt with. Will need supporting backports to work though

@Reedy Er, REL1_32 still appears un-merged as it needs the 301-checking in dispatch()?

Reedy added a comment.Sep 10 2019, 7:23 PM

@Reedy Er, REL1_32 still appears un-merged as it needs the 301-checking in dispatch()?

Distractions!

Yeah, REL1_32 needs a supporting backport too

@Reedy - lol, wasn't commanding, just noting :)

Reedy added a comment.Sep 10 2019, 7:25 PM

I was meaning I was distracted ;)

Change 538392 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/core@REL1_31] dispatchUser() should use a 302 http status code

https://gerrit.wikimedia.org/r/538392

Change 535660 merged by jenkins-bot:
[mediawiki/core@REL1_32] dispatchUser() should use a 302 http status code

https://gerrit.wikimedia.org/r/535660

Change 538392 merged by jenkins-bot:
[mediawiki/core@REL1_31] dispatchUser() should use a 302 http status code

https://gerrit.wikimedia.org/r/538392

sbassett closed this task as Resolved.Sep 23 2019, 9:34 PM
sbassett moved this task from In Progress to Done on the user-sbassett board.

@Reedy got the backports merged (thanks!) so this should be done for now.