
MediaWiki does not redirect URL with OAuth credentials supplied
Closed, Invalid · Public · BUG REPORT

Description

Related to T336610: TestHttpStatus::test_follow_redirects fails with OAUTH credentials in user-config.py

Steps to replicate the issue (include links if applicable):
Run the following python script:

#!/usr/bin/env python

import requests
from requests_oauthlib import OAuth1

# Same page fetched twice: once with an OAuth 1 Authorization header attached
# (deliberately empty credentials; only the presence of the header matters here),
# once with no authentication at all.
r1 = requests.get('https://en.wikipedia.org/wiki/Main%20Page', auth=OAuth1('', '', '', ''))
r2 = requests.get('https://en.wikipedia.org/wiki/Main%20Page', auth=None)

# Final URL after any redirects, and the list of intermediate redirect responses.
print(f"{r1.url=}, {r1.history=}")
print(f"{r2.url=}, {r2.history=}")

What happens?:
It prints:

r1.url='https://en.wikipedia.org/wiki/Main%20Page', r1.history=[]
r2.url='https://en.wikipedia.org/wiki/Main_Page', r2.history=[<Response [301]>]

indicating that when OAuth credentials are supplied, the URL is not redirected.

What should have happened instead?:

Both requests should result in a redirect to the canonical URL. In the example above, those are obviously not valid credentials, but it shouldn't matter; there's nothing about this request which requires authentication. I can also reproduce this behavior with valid OAuth credentials, but I'm not including those in the report for privacy reasons.

Software version (skip for WMF-hosted wikis like Wikipedia):

I can reproduce this on either:

MacOS 12.6.1
Python 3.9.13
certifi==2023.5.7
charset-normalizer==3.1.0
idna==3.4
oauthlib==3.2.2
requests==2.30.0
requests-oauthlib==1.3.1
urllib3==2.0.2

or

Debian 11.7
Python 3.9.2
certifi==2023.5.7
charset-normalizer==3.1.0
idna==3.4
oauthlib==3.2.2
requests==2.30.0
requests-oauthlib==1.3.1
urllib3==2.0.2

I cannot reproduce this with command-line curl, i.e.

$ curl -H "AuthToken: 0000" -v https://en.wikipedia.org/wiki/Main%20Page

redirects to https://en.wikipedia.org/wiki/Main_Page as it should. This is either a bug in MediaWiki or a bug in the python requests library. Neither one seems likely, and I figure whichever one I report a bug to will point the finger at the other, so flipping a coin and starting here.

Event Timeline

This variant allows choosing the target URL:


I can easily reproduce the issue against wmfprod and the beta cluster.

On Debian/Ubuntu, apt-installing python3-requests-oauthlib pulls in all prerequisites.

The issue may be in the MediaWiki OAuth extension (it does not happen on a wiki without it), or (unlikely) in the requests library, but it could also be caused by something in the WMF stack.

It would be interesting to try it directly on an Apache.

Reedy renamed this task from Mediawiki does not redirect URL with OAuth credentials supplied to MediaWiki does not redirect URL with OAuth credentials supplied. May 15 2023, 1:28 PM
Reedy updated the task description. (Show Details)

I can reproduce this against my local wiki, so it’s probably in MediaWiki or OAuth (or a Python library after all), rather than WMF’s specific web stack. (But in case it matters, my local wiki is an Ubuntu Apache + php8.1 module, no CGI or FPM-CGI as far as I’m aware.)

$ python T336624.py 'http://localhost/wiki1/index.php/Main%20Page'
http://localhost/wiki1/index.php/Main%20Page, []
http://localhost/wiki1/index.php/Main_Page, [<Response [301]>]
Tgr subscribed.

This is intentional: OAuth suppresses redirects, as they would mess up OAuth 1 signatures, where the URL is used for calculating the verifier checksum.

OAuth is an authorization protocol for the APIs. It's not supposed to be used for web requests and has no well-defined behavior when so used. We should probably return an HTTP 400 though - filed T340919: OAuth requests to MediaWiki endpoints not supporting OAuth should be rejected about that.

I cannot reproduce this with command-line curl, i.e.
curl -H "AuthToken: 0000" -v https://en.wikipedia.org/wiki/Main%20Page

That's not an OAuth request FWIW. An OAuth 2 request would look like curl -H "Authorization: Bearer 0000" -v https://en.wikipedia.org/wiki/Main%20Page (which does not redirect).
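As an added illustration of the point above about OAuth 1 signatures being bound to the request URL (this is not code from the task, from requests-oauthlib, or from the MediaWiki OAuth extension): a standard-library-only computation of the RFC 5849 signature base string and HMAC-SHA1 signature for the two URLs in the report. It shows that a signature produced for /wiki/Main%20Page does not verify for /wiki/Main_Page, so a client that followed the 301 and replayed the same Authorization header would fail verification, and only re-signing for the new URL makes it valid again. Consumer key/secret, token, nonce and timestamp are constructed placeholders.

```python
#!/usr/bin/env python3
"""Why an OAuth 1 signature cannot simply follow a redirect (RFC 5849, section 3.4).

Added example for the task discussion; placeholder credentials only.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed placeholder credentials, not real OAuth consumer or token values.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
TOKEN = "example-access-token"
TOKEN_SECRET = "example-access-token-secret"


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay literal."""
    return quote(s, safe="")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lower-case scheme and host, drop default port, drop query and fragment.
    The path keeps the encoding it was requested with, so %20 and _ are different resources."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def normalized_params(url: str, oauth_params: dict) -> str:
    """Section 3.4.1.3: query params plus oauth_* header params (minus realm and the
    signature itself), each name and value encoded, sorted, joined with '&'."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Section 3.4.1.1: METHOD & enc(base string URI) & enc(normalized parameters)."""
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalized_params(url, oauth_params))])


def hmac_sha1_signature(method: str, url: str, oauth_params: dict,
                        consumer_secret: str, token_secret: str) -> str:
    """Section 3.4.2: base64(HMAC-SHA1(enc(consumer secret) & enc(token secret), base string))."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method: str, url: str, oauth_params: dict, presented: str,
           consumer_secret: str, token_secret: str) -> bool:
    """What a server does: recompute over the URL actually received and compare in constant time."""
    expected = hmac_sha1_signature(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def redirect_breaks_signature(original_url: str, redirected_url: str) -> tuple:
    """Sign the original request, then check that header against the redirect target.
    Returns (valid at original URL, same header valid at target, re-signed header valid at target)."""
    params = {  # fixed nonce/timestamp so the run is reproducible; real clients randomise both
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1684156080",
        "oauth_nonce": "constructednonce123",
        "oauth_version": "1.0",
    }
    sig = hmac_sha1_signature("GET", original_url, params, CONSUMER_SECRET, TOKEN_SECRET)
    valid_here = verify("GET", original_url, params, sig, CONSUMER_SECRET, TOKEN_SECRET)
    replayed = verify("GET", redirected_url, params, sig, CONSUMER_SECRET, TOKEN_SECRET)
    resigned = hmac_sha1_signature("GET", redirected_url, params, CONSUMER_SECRET, TOKEN_SECRET)
    valid_resigned = verify("GET", redirected_url, params, resigned, CONSUMER_SECRET, TOKEN_SECRET)
    return valid_here, replayed, valid_resigned


if __name__ == "__main__":
    original = "https://en.wikipedia.org/wiki/Main%20Page"
    target = "https://en.wikipedia.org/wiki/Main_Page"
    print("base string (original):", signature_base_string("GET", original, {"oauth_nonce": "n"}))
    print("base string (target):  ", signature_base_string("GET", target, {"oauth_nonce": "n"}))
    print("(valid here, replayed after 301, re-signed):", redirect_breaks_signature(original, target))
```

The two base strings differ only in the path (`Main%2520Page` versus `Main_Page` once the URI is encoded into the base string), which is enough to change the HMAC. That is the client-side half of the problem: a generic HTTP library following a 301 would have to recompute the signature for the new URL and a fresh nonce, which is why a server that sees an OAuth-signed request to a redirecting page has no clean option short of the 400 proposed in T340919.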