
Display comment preview instead of an error on session failure
Closed, ResolvedPublic


The patch to r101052

Now, wikilog just shows an error page on session failures when posting a comment.
In some "browsers" (if MSIE is really a browser) the user loses his comment text, because these "browsers" do not preserve it on clicking "Back".
I think it should be solved by displaying comment preview instead of an error in the case of session failure.
The patch is attached - it's pretty simple, but maybe I'm wrong somewhere again? :)

Version: unspecified
Severity: normal




Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:58 PM
bzimport set Reference to bz32000.

bugs wrote:

Hello Vitaliy,

Your patch is already in my patch queue, but before submitting, I would like to understand better in which situations this bug triggers, since I can't reproduce it here.

To get an edit token in the comment form to submit a comment, the user needs to have a session with MediaWiki. This session is either anonymous, or it is a user login session created at login time. This session either ends with the browser session, or after 30 days.

In theory, the user shouldn't have a session failure under normal circumstances. If he got an edit token from the comment form, that edit token should be valid along with his session until he closes the browser.

I want to be careful applying code that touches the session handling code due to the danger of creating a [[w:Cross-site scripting]] vulnerability. But at first glance your patch seems good.

Could you provide some more detailed steps on how to reproduce this problem with the current version of MediaWiki?

bugs wrote:

Correcting myself:

It is the [[w:Cross-site request forgery]] vulnerability, not XSS.

I would like steps to reproduce with the current version of Wikilog, not MediaWiki.

Yes, I've tried to think about CSRF while patching... To reproduce, I think you just need to log out of the wiki leaving the comments page open :)
I didn't reproduce this by myself, but it was done by several users in our company :) /we use wikilog for corporate blogs :)/ Probably they like to log in and out of the wiki? I agree it's strange, I'll try to ask them tomorrow and tell you :)
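The following is an added model of the behaviour discussed above, written for this page; it is not code from Wikilog or MediaWiki, and the token construction, the session class, the `wpEditToken`/`wpComment` field names and the notice text are all assumptions. It shows why the logout reproduction fails (the session's token secret is rotated at logout, so a token issued earlier no longer validates), and what the proposed fix does on that path: the comment is not saved, the form is re-rendered as an escaped preview carrying the user's text, and a token valid for the current session is issued for the re-submit. A cross-site POST with a guessed token takes the same path and saves nothing, so the CSRF check is unchanged.

```python
"""Comment form protected by a session-bound edit token (illustrative model,
not Wikilog/MediaWiki code). Field names and token format are assumptions."""
import hashlib
import hmac
import html
import secrets

# Assumption: a per-form label mixed into the token so it is only good for this form.
EDIT_TOKEN_LABEL = b"wikilog-comment"


class Session:
    """One browser session. The token secret is rotated on logout, so any
    edit token issued before the logout stops validating (the thread's repro)."""

    def __init__(self, user="anonymous"):
        self.user = user
        self.token_secret = secrets.token_bytes(32)

    def edit_token(self):
        # Token derived from a secret the browser never sees in clear; a
        # cross-site attacker cannot compute it.
        return hmac.new(self.token_secret, EDIT_TOKEN_LABEL, hashlib.sha256).hexdigest()

    def check_token(self, token):
        # Constant-time compare; a missing token counts as a mismatch.
        return hmac.compare_digest(self.edit_token(), token or "")

    def logout(self):
        self.user = "anonymous"
        self.token_secret = secrets.token_bytes(32)


class CommentStore:
    def __init__(self):
        self.comments = []

    def render_form(self, session, text=""):
        """Form page: the (escaped) comment text plus a fresh token for this session."""
        return {
            "token": session.edit_token(),
            "text": text,
            "html": "<textarea name=\"wpComment\">%s</textarea>" % html.escape(text),
        }

    def handle_post(self, session, form):
        """Token mismatch: do NOT save, re-render as a preview that keeps the
        user's text and carries a token valid for the *current* session.
        (The old behaviour would return an error page here and drop the text.)"""
        if not session.check_token(form.get("wpEditToken")):
            page = self.render_form(session, form.get("wpComment", ""))
            page["action"] = "preview"
            page["notice"] = "Session data lost; comment not saved, please submit again."
            return page
        self.comments.append((session.user, form["wpComment"]))
        return {"action": "posted", "count": len(self.comments)}


def logout_scenario():
    """Constructed walk-through of the repro: open form, log out, submit."""
    store = CommentStore()
    session = Session(user="vitaliy")
    stale_token = store.render_form(session)["token"]   # form opened while logged in
    session.logout()                                     # logged out in another tab
    first = store.handle_post(session, {"wpEditToken": stale_token,
                                        "wpComment": "<b>hi</b>"})
    # User re-submits from the preview, which carries a valid token and the text.
    second = store.handle_post(session, {"wpEditToken": first["token"],
                                         "wpComment": first["text"]})
    # Cross-site POST without knowledge of the session secret: nothing is saved.
    forged = store.handle_post(session, {"wpEditToken": "guess",
                                         "wpComment": "spam"})
    return first, second, forged, store


if __name__ == "__main__":
    first, second, forged, store = logout_scenario()
    print(first["action"], second["action"], forged["action"], len(store.comments))
```

The preview path escapes the echoed text before putting it in the page, which is the XSS concern the first reply raised and then corrected to CSRF: the two are separate, and the fix has to satisfy both.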

sumanah wrote:

Vitaliy, have you had a chance to ask your users?

Marking patch as need-review since it sounds like Juliano is still awaiting the information needed to properly review it. If I'm wrong, it would make sense to me to replace the "need-review" keyword with "reviewed".

I am guessing this bug was exacerbated by the 'edit token expiry' problem, which was improved in bug 64416.

Aklapper lowered the priority of this task from Medium to Lowest.Jan 21 2015, 5:42 AM
Aklapper added a subscriber: Aklapper.

It is unclear where this extension actually tracks its bugs - might also be instead of this place.

VitaliyFilippov set Security to None.
VitaliyFilippov added a subscriber: VitaliyFilippov.

I'm tracking bugs on
This bug is already fixed in my version for a long time.