
Display comment preview instead of an error on session failure
Closed, ResolvedPublic

Description

The patch to r101052

Now, wikilog just shows an error page on session failures when posting a comment.
In some "browsers" (if MSIE is really a browser) the user loses his comment text, because these "browsers" do not preserve it on clicking "Back".
I think it should be solved by displaying comment preview instead of an error in the case of session failure.
The patch is attached - it's pretty simple, but maybe I'm wrong somewhere again? :)


Version: unspecified
Severity: normal

Attached:

Details

Reference
bz32000

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:58 PM
bzimport set Reference to bz32000.

bugs wrote:

Hello Vitaliy,

Your patch is already in my patch queue, but before submitting, I would like to understand better in which situations this bug triggers, since I can't reproduce it here.

To get an edit token in the comment form to submit a comment, the user needs to have a session with MediaWiki. This session is either anonymous, or it is a user login session created at login time. This session either ends with the browser session, or after 30 days.

In theory, the user shouldn't have a session failure under normal circumstances. If he got an edit token from the comment form, that edit token should be valid along with his session until he closes the browser.

I want to be careful applying code that touches the session handling code due to the danger of creating a [[w:Cross-site scripting]] vulnerability. But at first glance your patch seems good.

Could you provide some more detailed steps on how to reproduce this problem with the current version of MediaWiki?

bugs wrote:

Correcting myself:

It is the [[w:Cross-site request forgery]] vulnerability, not XSS.

I would like steps to reproduce with the current version of Wikilog, not MediaWiki.

Yes, I've tried to think about CSRF while patching... To reproduce, I think you just need to log out of the wiki leaving the comments page open :)
I didn't reproduce this myself, but it was done by several users in our company :) /we use wikilog for corporate blogs :)/ Probably they like to log in and out of the wiki? I agree it's strange, I'll try to ask them tomorrow and tell you :)
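The token-and-session mechanics Juliano describes above, and the "log out with the comments page still open" scenario in Vitaliy's reply, as an added PHP example. This is not Wikilog's or MediaWiki's code: the form field names (wlComment, wlToken), the in-memory $sessions store and the salt:HMAC token format are all invented for the demo and do not reproduce MediaWiki's real token scheme. It shows the behaviour the patch asks for: when the token no longer matches the caller's current session, the comment is not saved and the user's text is handed back as a preview with a fresh token instead of an error page.

```php
<?php
declare(strict_types=1);

// Added example, not Wikilog or MediaWiki code. wlComment, wlToken and the
// in-memory $sessions store are invented names for this demo only.

/** Create a session with a random secret; returns the session id. */
function newSession(array &$sessions): string {
    $sid = bin2hex(random_bytes(16));
    $sessions[$sid] = ['secret' => random_bytes(32)];
    return $sid;
}

/** Issue an edit token bound to this session: salt:HMAC(secret, salt). */
function editToken(array $sessions, string $sid): string {
    $salt = bin2hex(random_bytes(8));
    return $salt . ':' . hash_hmac('sha256', $salt, $sessions[$sid]['secret']);
}

/** True only if the token was minted for the caller's *current* session. */
function tokenMatches(array $sessions, ?string $sid, ?string $token): bool {
    if ($sid === null || $token === null || !isset($sessions[$sid])) {
        return false;   // no session at all (logged out, expired, cookie missing)
    }
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$salt, $mac] = $parts;
    $expected = hash_hmac('sha256', $salt, $sessions[$sid]['secret']);
    return hash_equals($expected, $mac);   // constant-time comparison
}

/** Re-render the form with the user's text and a fresh token; nothing is saved. */
function renderPreview(string $text, string $token, string $notice): string {
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');   // escape on output (XSS)
    $tok  = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    $note = htmlspecialchars($notice, ENT_QUOTES, 'UTF-8');
    return "<p class=\"notice\">$note</p>\n"
        . "<div class=\"preview\">$safe</div>\n"
        . "<form method=\"post\">\n"
        . "<textarea name=\"wlComment\">$safe</textarea>\n"
        . "<input type=\"hidden\" name=\"wlToken\" value=\"$tok\">\n"
        . "<input type=\"submit\" value=\"Post\">\n"
        . "</form>\n";
}

/**
 * Handle a comment POST. With a valid token the comment is stored; on any
 * session/token failure the text is echoed back as a preview instead of an
 * error. Returns [status, html, sid] so the caller can set a new session cookie.
 */
function handlePost(array &$sessions, array &$comments, ?string $sid, array $post): array {
    $text = $post['wlComment'] ?? '';
    if (tokenMatches($sessions, $sid, $post['wlToken'] ?? null)) {
        $comments[] = $text;
        return ['saved', '', $sid];
    }
    // Expired session, logout in another tab, or a forged cross-site request:
    // never persist. Mint a fresh session if needed and hand the text back.
    if ($sid === null || !isset($sessions[$sid])) {
        $sid = newSession($sessions);
    }
    $html = renderPreview($text, editToken($sessions, $sid),
        'Your session has expired. Review your comment and submit it again.');
    return ['preview', $html, $sid];
}

// Demo: the user gets a token, logs out in another tab, then submits.
$sessions = [];
$comments = [];
$sid   = newSession($sessions);
$token = editToken($sessions, $sid);
unset($sessions[$sid]);                                    // logout in another tab
[$status, $html, $newSid] = handlePost($sessions, $comments, $sid,
    ['wlComment' => 'Hello <b>world</b>', 'wlToken' => $token]);
if ($status !== 'preview' || $comments !== []) {
    throw new RuntimeException('expected preview and no stored comment');
}
if (strpos($html, 'Hello &lt;b&gt;world&lt;/b&gt;') === false) {
    throw new RuntimeException('preview must echo the escaped text');
}

// Resubmitting with the fresh token from the preview page succeeds.
preg_match('/name="wlToken" value="([^"]+)"/', $html, $m);
[$status] = handlePost($sessions, $comments, $newSid,
    ['wlComment' => 'Hello <b>world</b>', 'wlToken' => $m[1]]);
if ($status !== 'saved' || count($comments) !== 1) {
    throw new RuntimeException('expected the resubmission to be saved');
}
echo "ok\n";
```

The CSRF concern raised in the thread is preserved by this shape: the preview path stores nothing, so a forged cross-site POST with a stale or missing token only produces a page the attacker's site cannot read, and the fresh token it carries is bound to the current session, not the forged request. The one thing the preview must do that the error page did not is put user-supplied text back into the response, which is why it is escaped with htmlspecialchars before being rendered.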

sumanah wrote:

Vitaliy, have you had a chance to ask your users?

Marking patch as need-review since it sounds like Juliano is still awaiting the information needed to properly review it. If I'm wrong, it would make sense to me to replace the "need-review" keyword with "reviewed".

I am guessing this bug was exacerbated by the 'edit token expiry' problem, which was improved in bug 64416.

Aklapper lowered the priority of this task from Medium to Lowest.Jan 21 2015, 5:42 AM
Aklapper subscribed.

It is unclear where this extension actually tracks its bugs - might also be https://code.google.com/p/mediawiki-wikilog/issues/list instead of this place.

VitaliyFilippov set Security to None.
VitaliyFilippov subscribed.

I'm tracking bugs on https://github.com/mediawiki4intranet
This bug is already fixed in my version for a long time.