
[[Special:MyPage]] should not discard URL parameters
Closed, Resolved | Public

Description

I was trying to use the URL
https://en.wikipedia.org/wiki/Special:MyPage/common.js?action=edit&debug=1
when reporting another bug, but I noticed that the "&debug=1" is discarded after the page redirects to my real page. This also happens with other parameters as well:
https://en.wikipedia.org/wiki/Special:MyPage/common.js?uselang=ja&action=edit&debug=1

It seems that only the "action" is always kept.


Version: 1.19
Severity: enhancement

Details

Reference
bz35060

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 12:18 AM
bzimport set Reference to bz35060.
bzimport added a subscriber: Unknown Object (MLST).

SpecialMypage in SpecialPage.php has a list "mAllowedRedirectParams", which contains action, but not debug. When adding, please add it also to some of the other RedirectSpecialPage like MyTalk or so.

beau wrote:

redirect=no would be handy too

For the record,
https://en.wikipedia.org/wiki/Special:Random?action=edit&debug=1&uselang=ja
works fine.

This is probably something easy to fix. Adding appropriate keyword.

I ran into this problem with this URL:

http://commonsarchive.org/w/index.php?title=Special:MyTalk&action=edit&section=new&preloadtitle=My+Commons+account+verification+code

It keeps the action and section params but discards preloadtitle, which would be useful in this case. I'm going to patch mAllowedRedirectParams on my server.

Created attachment 10379
Adds redirect params to Special:MyPage and MyTalk

Upon reviewing this further, I can imagine plausible use cases for a whole lot of parameters not currently included in mAllowedRedirectParams:

Current value:
$this->mAllowedRedirectParams = array( 'action' , 'preload' , 'editintro',
    'section', 'oldid', 'diff', 'dir',
    'ctype', 'maxage', 'smaxage' );

Parameters listed in http://www.mediawiki.org/wiki/Manual:Parameters_to_index.php that might be useful:

useskin, uselang, printable: to alter the appearance of the resulting page

redirect: allows viewing one's user page/user talk page even if it is a redirect

rdfrom: allows redirecting to one's user page/user talk page from an external wiki with correct "Redirected from..." notice

limit, offset: Useful for linking to history of one's own user page or user talk page. For example, this would be a link to "the last edit to your user talk page in the year 2010":

http://en.wikipedia.org/w/index.php?title=Special:MyPage&offset=20110000000000&limit=1&action=history

feed: Would allow linking to the current user's RSS feed for their user talk page:

http://en.wikipedia.org/w/index.php?title=Special:MyTalk&action=history&feed=rss

preloadtitle: Came up in an actual use case for me, as mentioned above.

summary: Could be used to provide a default edit summary for a preloaded edit to one's own user page or talk page.

preview: Allows showing/hiding preview on first edit regardless of user preference, useful for preloaded edits where you know preview wouldn't be useful.

internaledit, externaledit, mode: Would allow forcing the use of the internal/external editor, e.g. to force the internal editor for short/simple preloaded edits.

redlink: Affects the message the user sees if their talk page/user talk page does not currently exist. Avoids confusion for newbies with no user pages over why they got a "permission error" following this link:

http://en.wikipedia.org/w/index.php?title=Special:MyPage&redlink=1

stable: When the FlaggedRevisions extension is installed, allows the link to determine whether the user sees the stable or draft version of their user page/user talk page.

debug: Not mentioned on the page, but needed by one of the commenting users.

I've attached a patch against MW 1.18.2 which enables all of these in mAllowedRedirectParams for both the user and user talk page, attached. Used a static function to share the list, which is kind of ugly, there's probably a better way. Needs review from a dev to make sure these rationales make sense and there are no security issues I'm unaware of, etc.
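
The allowlist behaviour discussed in the comment above, as an added example (it is not MediaWiki's code and not the attached patch): a redirect that forwards only listed query parameters and never lets the request override the resolved target. The function name `buildRedirectUrl`, the script path and the page name `User_talk:Example` are assumptions made for illustration.

```php
<?php
// Added illustration, not MediaWiki's implementation; names are hypothetical.

// Allowlist as quoted under "Current value" in the comment above.
const CURRENT_ALLOWED = ['action', 'preload', 'editintro', 'section', 'oldid',
    'diff', 'dir', 'ctype', 'maxage', 'smaxage'];

/**
 * Build the redirect target, forwarding only allowlisted query parameters.
 * Anything not on the list is dropped. 'title' is always set to the resolved
 * target page, even if someone adds 'title' to the allowlist by mistake.
 */
function buildRedirectUrl(string $script, string $target, array $query, array $allowed): string
{
    $forward = ['title' => $target];
    foreach ($allowed as $name) {
        // Forward scalar values only; array-valued input (foo[]=x) is dropped.
        if ($name !== 'title' && isset($query[$name]) && is_scalar($query[$name])) {
            $forward[$name] = (string)$query[$name];
        }
    }
    // http_build_query percent-encodes every name and value it emits.
    return $script . '?' . http_build_query($forward, '', '&', PHP_QUERY_RFC3986);
}

// Constructed request, modelled on the Special:MyTalk URL from the report.
parse_str(
    'title=Special:MyTalk&action=edit&section=new'
    . '&preloadtitle=My+Commons+account+verification+code&debug=1',
    $query
);

// With the current list, preloadtitle and debug are silently discarded.
echo buildRedirectUrl('/w/index.php', 'User_talk:Example', $query, CURRENT_ALLOWED), "\n";

// Extending the list is the only way a parameter survives the redirect.
$extended = array_merge(CURRENT_ALLOWED, ['preloadtitle', 'debug']);
echo buildRedirectUrl('/w/index.php', 'User_talk:Example', $query, $extended), "\n";
```

Because the filter iterates over the allowlist rather than over the request, each parameter added to the list is an explicit decision that can be reviewed on its own, which is the review the comment asks for.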


sumanah wrote:

Thanks for the patch, Derrick. Just so you know, you can get developer access easily

https://www.mediawiki.org/wiki/Developer_access

and then submit the patch right into our Git source control system:

https://www.mediawiki.org/wiki/Git/Workflow

Hello Dcoetze!
Bad news: Your attachment is empty.
Good news: An empty patch doesn't add any security hole :)

@Platonides: I tried clicking "Details" on the attachment and I could see my patch, I'm pretty sure it's there, unless I put it in the wrong place or something?

@Sumana: I'm glad to hear they're accepting patches through Git now and will be sure to apply, thanks!

I've now pushed this patch (slightly modified) to Gerrit at:

https://gerrit.wikimedia.org/r/5138

Removing patch keyword as things have moved into Gerrit.

sumanah wrote:

There's still a patch, it's just that it's in Gerrit (and in this case it's been reviewed). :)

Final patch with docs is in Gerrit now, sorry for the delay, and thank you to Hashar for helping out. Waiting for final approval.