Page MenuHomePhabricator

Special RandomInCategory should not ouput the edittoken to the URL
Closed, ResolvedPublicBUG REPORT


List of steps to reproduce (step by step, including full links if applicable):

  • Go to Special:Special:RandomInCategory
  • Enter a category
  • Click Go

What happens?:
A random page loads, the user URL is populated with:


What should have happened instead?:
The &wpEditToken=secretedittoken parameter should not be inserted here, this is secret data and shouldn't be loaded to things like browser histories

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc.:
This is NOT the randomincategory extension

Event Timeline

Probably caused by 6e4d6525e2475142f8b19603f7a5d09ca29f345d ( getValues() should be getQueryValues(), otherwise it also includes the POST data from the form.

The incorrect code was copied from SpecialRandomPage, where it works fine, because that page doesn't have a form on it.

Change 802898 had a related patch set uploaded (by Ammarpad; author: Ammarpad):

[mediawiki/core@master] SpecialRandomInCategory: Don't expose edittoken in URL

Change 802898 merged by jenkins-bot:

[mediawiki/core@master] SpecialRandomInCategory: Don't expose edittoken in URL

Umherirrender assigned this task to Ammarpad.