Page MenuHomePhabricator
Create Task
Maniphest T47017

mustBePosted unchecked for query modules
Closed, ResolvedPublic
Actions

Description

Although the autogenerated checkuser API documentation says that it accepts POST request only, it appears to accept GET requests as well. I clicked on one of the demo links, which should have failed since it's GET, and instead it actually ran the check and generated an entry in the CU log.

Version: unspecified
Severity: normal

Details

Reference
bz45017

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:28 AM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz45017.
bzimport added a subscriber: Unknown Object (MLST).
Timotheus_Canens created this task.Feb 14 2013, 9:22 PM
Legoktm added a comment.Feb 15 2013, 12:07 PM

In api/ApiQueryCheckUser.php L204:

public function mustBePosted() {

		return true;

}

Yet I'm able to confirm this on my testwiki. This may be due to some recent changes in how the query/list module works in core, I'm looking into it a bit more.

Krenair added a comment.Feb 15 2013, 8:56 PM

Gerrit change 49344

Krenair added a comment.Feb 15 2013, 10:15 PM

Merged by Chris.

Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 6:02 PM
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptJan 28 2016, 6:02 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL