[[Special:MyPage]] should not discard URL parameters
Closed, ResolvedPublic

Description

I was trying to use the URL
https://en.wikipedia.org/wiki/Special:MyPage/common.js?action=edit&debug=1
when reporting another bug, but I noticed that the "&debug=1" is discarded after the page redirects to my real page. This also happens with other parameters as well:
https://en.wikipedia.org/wiki/Special:MyPage/common.js?uselang=ja&action=edit&debug=1

It seems that only the "action" is always kept.


Version: 1.19
Severity: enhancement

Details

Reference
bz35060
bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz35060.
He7d3r created this task.Mar 8 2012, 11:19 AM

SpecialMypage in SpecialPage.php has a list "mAllowedRedirectParams", which contains action, but not debug. When adding, please add it also to some of the other RedirectSpecialPage like MyTalk or so.

beau wrote:

redirect=no would be handy too

For the record,
https://en.wikipedia.org/wiki/Special:Random?action=edit&debug=1&uselang=ja
works fine.

This is probably something easy to fix. Adding appropriate keyword.

I ran into this problem with this URL:

http://commonsarchive.org/w/index.php?title=Special:MyTalk&action=edit&section=new&preloadtitle=My+Commons+account+verification+code

It keeps the action and section params but discards preloadtitle, which would be useful in this case. I'm going to patch mAllowedRedirectParams on my server.

Created attachment 10379
Adds redirect params to Special:MyPage and MyTalk

Upon reviewing this further, I can imagine plausible use cases for a whole lot of parameters not currently included in mAllowedRedirectParams:

Current value:
$this->mAllowedRedirectParams = array( 'action' , 'preload' , 'editintro',

'section', 'oldid', 'diff', 'dir',
'ctype', 'maxage', 'smaxage' );

Parameters listed in http://www.mediawiki.org/wiki/Manual:Parameters_to_index.php that might be useful:

useskin, uselang, printable: to alter the appearance of the resulting page

redirect: allows viewing one's user page/user talk page even if it is a redirect

rdfrom: allows redirecting to one's user page/user talk page from an external wiki with correct "Redirected from..." notice

limit, offset: Useful for linking to history of one's own user page or user talk page. For example, this would be a link to "the last edit to your user talk page in the year 2010":

http://en.wikipedia.org/w/index.php?title=Special:MyPage&offset=20110000000000&limit=1&action=history

feed: Would allow linking to the current user's RSS feed for their user talk page:

http://en.wikipedia.org/w/index.php?title=Special:MyTalk&action=history&feed=rss

preloadtitle: Came up in an actual use case for me, as mentioned above.

summary: Could be used to provide a default edit summary for a preloaded edit to one's own user page or talk page.

preview: Allows showing/hiding preview on first edit regardless of user preference, useful for preloaded edits where you know preview wouldn't be useful.

internaledit, externaledit, mode: Would allow forcing the use of the internal/external editor, e.g. to force the internal editor for short/simple preloaded edits.

redlink: Affects the message the user sees if their talk page/user talk page does not currently exist. Avoids confusion for newbies with no user pages over why they got a "permission error" following this link:

http://en.wikipedia.org/w/index.php?title=Special:MyPage&redlink=1

stable: When the FlaggedRevisions extension is installed, allows the link to determine whether the user sees the stable or draft version of their user page/user talk page.

debug: Not mentioned on the page, but needed by one of the commenting users.

I've attached a patch against MW 1.18.2 which enables all of these in mAllowedRedirectParams for both the user and user talk page, attached. Used a static function to share the list, which is kind of ugly, there's probably a better way. Needs review from a dev to make sure these rationales make sense and there are no security issues I'm unaware of, etc.

Attached: 35060.patch

sumanah wrote:

Thanks for the patch, Derrick. Just so you know, you can get developer access easily

https://www.mediawiki.org/wiki/Developer_access

and then submit the patch right into our Git source control system:

https://www.mediawiki.org/wiki/Git/Workflow

Hello Dcoetze!
Bad news: Your attachment is empty.
Good news: An empty patch doesn't add any security hole :)

@Platonides: I tried clicking "Details" on the attachment and I could see my patch, I'm pretty sure it's there, unless I put it in the wrong place or something?

@Sumana: I'm glad to hear they're accepting patches through Git now and will be sure to apply, thanks!

I've now pushed this patch (slightly modified) to Gerrit at:

https://gerrit.wikimedia.org/r/5138

Removing patch keyword as things have moved into Gerrit.

sumanah wrote:

There's still a patch, it's just that it's in Gerrit (and in this case it's been reviewed). :)

Final patch with docs is in Gerrit now, sorry for the delay, and thank you to Hashar for helping out. Waiting for final approval.

successfully merged

Add Comment