
ajax calls with '.' not working in IE
Closed, Resolved (Public)

Description

Due to the security fix (bug 28534, bug 28639) all ajax calls with a '.' have problems in IE:

  • It is not possible to watch/unwatch a page with '.' (like skin.js/.css)
  • Search suggestion shows no pages, if you search for a page with '.'
  • the link insertion dialog (Extension WikiEditor) gives no suggestion for links with a '.'

solution:

  • Encode the '.' in ajax requests (%2E)
  • allow at least one '&' behind the '.'. That does not help for all ajax calls, but for some of them.

Thanks.

This is not bug 28840, because that bug tracks the problems with the resource loader (stylesheets, scripts).


Version: 1.20.x
Severity: major

Details

Reference
bz28962

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 21 2014, 11:30 PM
bzimport set Reference to bz28962.

Assigning this to Tim, making it 1.17 blocker, and adding to triage so I can make sure I am not insane.

Perhaps someone with access to the logs could check to see how many 403 requests are returned due to the dot thing, just to see how widespread the problem is.

Increase severity after one week.

I think this was fixed by r87711 which was a fix for bug 28840.

CC-ing Roan/Catrope to confirm.

(In reply to comment #4)

> I think this was fixed by r87711 which was a fix for bug 28840.
>
> CC-ing Roan/Catrope to confirm.

No, it doesn't fix this.

I don't suppose there's some magic way to change how jQuery urlencodes ajax parameters to force dots to be urlencoded (per comment 0)? In my testing, that would fix much of these issues.

(btw, for reference the original security bug is bug 28235. I'm just writing that here because bugzilla search is a pain and I always have trouble finding it).

I'm also marking this depends on bug 28840, not sure if that's right, but the two issues are highly related.
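The workaround proposed in the description (send '.' as %2E) and asked about in the comment above (forcing jQuery-style parameter encoding to escape dots) can be done with a small serializer of one's own, since encodeURIComponent() leaves '.' unencoded by design. This is an added illustration, not code from MediaWiki or from this task; the function names (encodeComponentNoDots, serializeParams, buildApiUrl, parseQuery) and the sample request are constructed for the example.

```javascript
// Percent-encode a single key or value, then additionally escape '.' as %2E.
// encodeURIComponent() treats '.' as unreserved (RFC 3986) and leaves it alone,
// so the replacement has to be done explicitly.
function encodeComponentNoDots(value) {
  return encodeURIComponent(String(value)).replace(/\./g, '%2E');
}

// Build an application/x-www-form-urlencoded query string with no literal dots.
function serializeParams(params) {
  return Object.keys(params)
    .map((key) => encodeComponentNoDots(key) + '=' + encodeComponentNoDots(params[key]))
    .join('&');
}

// Assumed helper: attach the dot-free query string to an API endpoint path.
function buildApiUrl(base, params) {
  return base + '?' + serializeParams(params);
}

// Parse a query string back into an object. decodeURIComponent() maps %2E
// back to '.', so the receiving side sees the original title unchanged.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return out;
}

// Constructed sample: a watch request for a page whose title contains a '.'
const sampleParams = { action: 'watch', title: 'MediaWiki:Skin.js', format: 'json' };
const url = buildApiUrl('/w/api.php', sampleParams);
// url is '/w/api.php?action=watch&title=MediaWiki%3ASkin%2Ejs&format=json'
```

The query string carries no literal '.', while parseQuery(serializeParams(sampleParams)) yields the original parameters again.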

I have written a patch that will provide an easy workaround for these requests and sent it to Tim (by private e-mail, because it's about a security issue) for review.

*** This bug has been marked as a duplicate of bug 28840 ***