Page MenuHomePhabricator

Display comment preview instead of an error on session failure
Closed, ResolvedPublic

Description

The patch to r101052

Now, wikilog just shows an error page on session failures when posting a comment.
In some "browsers" (if MSIE is really a browser) user loses his comment text, because these "browsers" do not preserve it on clicking "Back".
I think it should be solved by displaying comment preview instead of an error in the case of session failure.
The patch is attached - it's pretty simple, but maybe I'm wrong somewhere again? :)


Version: unspecified
Severity: normal

Attached:

Details

Reference
bz32000

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:58 PM
bzimport set Reference to bz32000.

bugs wrote:

Hello Vitaliy,

Your patch is already in my patch queue, but before submitting, I would like to understand better in which situations this bug trigger, since I can't reproduce it here.

To get an edit token in the comment form to submit a comment, the user needs to have a session with MediaWiki. This session is either anonymous, or it is a user login session created at login time. This session either ends with the browser session, or after 30 days.

In theory, the user shouldn't have a session failure under normal circumstances. If he got an edit token from the comment form, that edit token should be valid along with his session until he closes the browser.

I want to be careful applying code that touches the session handling code due to the danger of creating a [[w:Cross-site scripting]] vulnerability. But at first glance your patch seems good.

Could you provide some more detailed steps on how to reproduce this problem with the current version of MediaWiki?

bugs wrote:

Correcting myself:

It is the [[w:Cross-site request forgery]] vulnerability, not XSS.

I would like steps to reproduce with the current version of Wikilog, not MediaWiki.

Yes, I've tried to think about CSRF while patching... To reproduce, I think you just need to logout off the wiki leaving the comments page open :)
I didn't reproduce this by myself, but it was done by several users in our company :) /we use wikilog for corporate blogs :)/ Probably they like to log in and out off the wiki? I agree it's strange, I'll try to ask them tomorrow and tell you :)

sumanah wrote:

Vitaliy, have you had a chance to ask your users?

Marking patch as need-review since it sounds like Juliano is still awaiting the information needed to properly review it. If I'm wrong, it would make sense to me to replace the "need-review" keyword with "reviewed".

I am guessing this bug was exacerbated by the 'edit token expiry' problem, which was improved in bug 64416.

Aklapper lowered the priority of this task from Medium to Lowest.Jan 21 2015, 5:42 AM
Aklapper added a subscriber: Aklapper.

It is unclear where this extension actually tracks its bugs - might also be https://code.google.com/p/mediawiki-wikilog/issues/list instead of this place.

VitaliyFilippov set Security to None.
VitaliyFilippov added a subscriber: VitaliyFilippov.

I'm tracking bugs on https://github.com/mediawiki4intranet
This bug is already fixed in my version for a long time.