Page MenuHomePhabricator
Create Task
Maniphest T309907

Special RandomInCategory should not ouput the edittoken to the URL
Closed, ResolvedPublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):

  • Go to Special:Special:RandomInCategory
  • Enter a category
  • Click Go

What happens?:
A random page loads, the user URL is populated with:

project/w/index.php?title=RandomArticle&wpcategory=TheCategoryInput&wpEditToken=secretedittoken&redirectparams=

What should have happened instead?:
The &wpEditToken=secretedittoken parameter should not be inserted here, this is secret data and shouldn't be loaded to things like browser histories

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc.:
This is NOT the randomincategory extension

Details

SubjectRepoBranchLines +/-
SpecialRandomInCategory: Don't expose edittoken in URLmediawiki/coremaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Xaosflux created this task.Jun 4 2022, 12:24 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 4 2022, 12:24 AM
Reedy updated the task description. (Show Details)Jun 4 2022, 7:48 AM
Zabe subscribed.Jun 4 2022, 7:51 AM
matmarex subscribed.Jun 4 2022, 3:47 PM

Probably caused by 6e4d6525e2475142f8b19603f7a5d09ca29f345d (https://gerrit.wikimedia.org/r/c/mediawiki/core/+/570999). getValues() should be getQueryValues(), otherwise it also includes the POST data from the form.

The incorrect code was copied from SpecialRandomPage, where it works fine, because that page doesn't have a form on it.

Xaosflux added a subscriber: Cobaltcigs.Jun 4 2022, 4:05 PM

Possibly caused from T244641

gerritbot added a comment.Jun 4 2022, 8:32 PM

Change 802898 had a related patch set uploaded (by Ammarpad; author: Ammarpad):

[mediawiki/core@master] SpecialRandomInCategory: Don't expose edittoken in URL

https://gerrit.wikimedia.org/r/802898

gerritbot added a project: Patch-For-Review.Jun 4 2022, 8:32 PM
gerritbot added a comment.Jun 4 2022, 10:31 PM

Change 802898 merged by jenkins-bot:

[mediawiki/core@master] SpecialRandomInCategory: Don't expose edittoken in URL

https://gerrit.wikimedia.org/r/802898

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.15; 2022-06-06).Jun 4 2022, 11:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jun 4 2022, 11:30 PM
Umherirrender closed this task as Resolved.Jun 5 2022, 6:17 PM
Umherirrender assigned this task to Ammarpad.
Krinkle awarded a token.Jun 6 2022, 2:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits