When a signature contains a link to a subpage in the user namespace, the name of the user should be extracted by only looking at the base page. Currently such links prevent notifications from being sent, even when a normal link is present, too. For example, https://de.wikipedia.org/w/index.php?title=Benutzer_Diskussion%3ASchnark&diff=138275105&oldid=138274875 didn't create a notification.
Mentioned In:
- rMEXT0f49d93f7d8a: Updated mediawiki/extensions Project: mediawiki/extensions/Echo…
- rECHO4298fb345f09: Improve signature detection
- rECHO8d5261d71ce9: Improve signature detection
- rECHO58e1c765d63f: Improve signature detection
- T78424: P4. Spike - Figure out causes of mention notification not being sent (missing pings)

Mentioned Here:
- T75426: Comments containing diacritics does not generate notifications
Why? Such signatures have been common for years. Please note that the link to the subpage is only additional, the signatures contain a link to the user page, too, but as I wrote the ping still fails.
How should that influence this issue? The problem is in https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FEcho/2578c37d6c5eac7f128be35210407ee5fccef688/includes%2FDiscussionParser.php#L709, if a user links to User:Name/subpage, the code detects "Name/subpage" as the name of the user, because it doesn't strip the subpage from the link. But then the signing user and the editing user are different, so the signature is not recognized as valid.
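The check described in the comment above, as an added example that is not part of the thread and is not Echo's DiscussionParser code: each user-namespace link in a signature is reduced to its base page before the signing user is compared with the editing user. The function names, the namespace prefix list, and the rule that every user link must resolve to the editing account are assumptions of this sketch.

```php
<?php
// Added illustration; not Echo's DiscussionParser code.
// Assumption: user-namespace prefixes as used on de.wikipedia, lower-cased.
const USER_NS = ['benutzer', 'benutzerin', 'user'];

// Canonical form for comparison: underscores are spaces, first letter upper case.
// ucfirst() only handles ASCII; a real parser needs a multibyte-aware version.
function normalizeUser(string $name): string {
    return ucfirst(trim(str_replace('_', ' ', $name)));
}

// Map a link target to an account name, or null if it is not a user-namespace link.
function userFromLinkTarget(string $target): ?string {
    $parts = explode(':', ltrim(trim($target), ':'), 2);
    if (count($parts) !== 2 || !in_array(strtolower(trim($parts[0])), USER_NS, true)) {
        return null;
    }
    $page = explode('#', $parts[1], 2)[0];  // drop a section anchor
    // Assumption: account names cannot contain "/", so the text before the
    // first slash is the base page: "Schnark/js" becomes "Schnark".
    $user = normalizeUser(explode('/', $page, 2)[0]);
    return $user === '' ? null : $user;
}

// Distinct accounts named by the user-namespace links on one line of wikitext.
function signatureUsers(string $line): array {
    preg_match_all('/\[\[([^\]|]+)(?:\|[^\]]*)?\]\]/u', $line, $m);
    $users = array_filter(
        array_map('userFromLinkTarget', $m[1]),
        fn($u) => $u !== null
    );
    return array_values(array_unique($users));
}

// Accept the signature only if every user link resolves to the editing account.
function isValidSignature(string $line, string $editor): bool {
    return signatureUsers($line) === [normalizeUser($editor)];
}

// Constructed sample: the signature quoted in this task, plus a second editor name.
$sig = '--[[Benutzer:Schnark]] [[Benutzer:Schnark/js|js]] 10:00, 10. Feb. 2015 (CET)';
var_dump(signatureUsers($sig));
var_dump(isValidSignature($sig, 'Schnark'));
var_dump(isValidSignature($sig, 'Example'));
```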
Is it live now on de.wikipedia? If so, the patch didn't fix the issue, I didn't get a notification for https://de.wikipedia.org/w/index.php?title=Benutzer_Diskussion%3ASchnark&diff=138679710&oldid=138602080
Although it was supposed to go out to both deployment branches, it seems it only made it to 1.25wmf16 (de.wiki is on 1.25wmf15 so didn't yet get this patch)
All remaining wikis will roll over to 1.25wmf16 tonight, so if you could test again tomorrow, that would be great :)
After I registered that name, the titleblacklist has been made stricter, but I think it's just one or two characters that the name is now too long, just leave the spaces out and change the x and y for some other letters and it should work. At least, I was able to register Benutzer:A'onclick='alert("XSS");'title='b after the change to the blacklist.
@Schnark: I give up. I was able to register a similar username (X"onclick="alert('X');"rel="z), but when I tried to ping that one a couple of minutes later, I got:
"Du kannst dich nicht anmelden, da dein Benutzerkonto global gesperrt ist."
Any chance you could test this again? The code should now be on de.wiki.
The comments are combining three different issues:
1. Signatures with a link to a subpage in addition to the user page (e.g. "--[[Benutzer:Schnark]] [[Benutzer:Schnark/js|js]] 10:00, 10. Feb. 2015 (CET)")
2. Signatures with extra parenthetical text
3. Some kind of XSS (there is no report that Echo or Flow is actually vulnerable to XSS here yet, though).
This bug is only about #1, which is easily testable without #2 and #3.
https://de.wikipedia.org/w/index.php?title=Benutzer_Diskussion%3ASchnark&diff=138781806&oldid=138681642 did work as expected, so this (and every other possible bug that could occur in this situation) really is fixed.