Page MenuHomePhabricator
Create Task
Maniphest T39643

Session may not be started for non-logged-in API edits, causing captcha to fail
Closed, ResolvedPublic
Actions

Description

This extension may use the session to store the captcha data, but does not ensure that the session has actually been started. Setup.php will normally take care of this, because in most cases the user will be logged in or at least have done other things that would cause the session cookie to be set.

But if the edit is being performed by a non-logged-in user who hasn't gotten a session cookie yet, Setup.php will not start the session. The captcha data will thus never be saved, so the user cannot ever pass the captcha.

Gerrit changeset coming shortly.

Version: master
Severity: normal

Details

Reference
bz37643

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:27 AM
bzimport added a project: ConfirmEdit (CAPTCHA extension).
bzimport set Reference to bz37643.
bzimport added a subscriber: Unknown Object (MLST).
Anomie created this task.Jun 16 2012, 2:07 AM
Anomie added a comment.Jun 16 2012, 2:28 AM

Gerrit changeset 11722

Platonides added a comment.Aug 21 2012, 2:13 PM

How is it possible? Anyone trying to edit will get a session.

Anomie added a comment.Aug 21 2012, 3:47 PM

(In reply to comment #2)

How is it possible? Anyone trying to edit will get a session.

As described: If you're not logged in, you don't get a session cookie until you try to perform certain actions. And the steps required to make an edit via the API do not include any session-creating actions.

I discovered this bug by doing exactly that while testing API captcha support.

At any rate, the gerrit change doesn't hurt anything if there is already a session active. It just starts a session if there isn't one, which really should be done by anything that is trying to use the session.

csteipp added a comment.Sep 27 2012, 8:26 PM

Brad, can you add some details about the use case that you're seeing fail?

It's probably fine, but I would hate to start any sessions that aren't needed, since that affects caching. But if there are a few cases where we are missing sessions, then this is probably a good way to set it.

Anomie added a comment.Sep 28 2012, 12:37 AM

Ok, step by step.

  1. Make sure ConfirmEdit is enabled and that it will be using CaptchaSessionStore.
  2. Clear your cookies, if necessary.
  3. Make an API request to get an edit token, e.g. http://localhost/w/api.php?action=query&titles=Sandbox&prop=info&intoken=edit or http://localhost/w/api.php?action=tokens. Note you will not receive any session cookie from either of these requests.
  4. Make an API request to edit a page, which includes at least one new link. For example, http://localhost/w/api.php?action=edit&token=%2B%5C&summary=Test&text=http://www.example.com/&title=Sandbox. You should get back a response with captcha information. You will receive no cookie, even though ConfirmEdit tried to save data in the session.
  5. Make another API request, supplying the correct captcha information. For example, if MathCaptcha gave back "3 + 4 = ", you might send http://localhost/w/api.php?action=edit&token=%2B%5C&summary=Test&text=http://www.example.com/&title=Sandbox&captchaid=1234567890&captchaword=7. You will get back another response with a different captcha request, and still no cookie.

When using my patch, in step 4 you ''will'' receive a session cookie, so the edit will be able to succeed in step 5. In the much more common case that you already have a session cookie heading into step 4 (e.g. you're logged in), the "session_id() === ''" test in my patchet will be false so nothing much will change.

duplicatebug added a comment.Nov 24 2012, 9:30 PM

(In reply to comment #1)

Gerrit change #11722

Status Merged, bug resolved?

Anomie added a comment.Nov 25 2012, 12:59 AM

(In reply to comment #6)

(In reply to comment #1)

Gerrit change #11722

Status Merged, bug resolved?

Yes.

Aklapper removed subscribers: Anomie, wikibugs-l-list.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits