Page MenuHomePhabricator
Create Task
Maniphest T41830

Insufficient param validation
Open, MediumPublic
Actions

Description

LQT has the following declaration:
···
'type' => array (
ApiBase :: PARAM_DFLT => 'newthreads',
ApiBase :: PARAM_TYPE => array( 'replies', 'newthreads' ),
ApiBase :: PARAM_ISMULTI => true,
),
···
With invalid input the value of 'type' is array(). This is unexpected. It should either complain that the value(s) are not one of the allowed values (preferred), or use the default value 'newthreads' (less preferred). PARAM_ISMULTI seems to bypass the regular checks.

This causes exceptions in other code in LiquidhThreads which excepts that the values are sane. I believe this is an issue that should be fixed in core.

Version: 1.20.x
Severity: normal

Details

Reference
bz39830

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:52 AM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz39830.
bzimport added a subscriber: Unknown Object (MLST).
Nikerabbit created this task.Aug 31 2012, 7:28 AM
Umherirrender added a comment.Aug 31 2012, 2:38 PM

A wrong value is removed from the values and a empty array is threated like a valid value. For core you can see this with prop=revisions. When giving an empty rvprop= or a rvprop= with wrong value, that results in the same output, because no of the properties are requested. Requesting no properties makes no sense, but is valid at the moment (no need for b/c).

In my opinion is there no problem, because it is not required that a value must be set and than the empty value is ok.

But setting PARAM_REQUIRED = true has no effect. That is the bug, in my opinion.

Umherirrender added a comment.Mar 9 2013, 6:31 PM

(In reply to comment #1)

But setting PARAM_REQUIRED = true has no effect. That is the bug, in my
opinion.

Commited gerrit 52987 for this

Umherirrender added a comment.Mar 14 2013, 6:30 PM

(In reply to comment #2)
Commited Gerrit change #52987 for this

Abandoned for the moment, does not work as aspected.

Aklapper added a comment.Mar 20 2013, 2:53 PM

Still there is a patch in gerrit that somebody could pick up, hence restoring patch-in-gerrit, keyword.

Anomie moved this task from Unsorted to Needs Code on the MediaWiki-Action-API board.Feb 19 2015, 8:16 PM
Umherirrender unsubscribed.Feb 24 2015, 7:56 PM
Anomie removed a project: Patch-For-Review.Apr 8 2015, 1:24 PM
Anomie set Security to None.
Anomie added subscribers: Aklapper, Anomie.
In T41830#440226, @Aklapper wrote:

Still there is a patch in gerrit that somebody could pick up, hence restoring patch-in-gerrit, keyword.

While there was a patch, it's not something someone could "pick up". The approach there turned out to be unfeasible, and while the review there has useful information for someone writing a new patch it would in fact be an entirely new patch.

DannyS712 updated the task description. (Show Details)Nov 19 2019, 6:20 AM
Restricted Application added a project: Platform Engineering. · View Herald TranscriptNov 19 2019, 6:20 AM
Anomie removed a project: Platform Engineering.Nov 19 2019, 2:15 PM
Tgr mentioned this in T255035: Action API breaks when the default value is an empty array.Jun 10 2020, 3:38 PM
Aklapper removed subscribers: Anomie, wikibugs-l-list.Oct 16 2020, 5:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL