Page MenuHomePhabricator
Create Task
Maniphest T96032

Guard against partial data in POST
Open, MediumPublic
Actions

Description

Something I noticed. In Flow we have the edit token as one of the first inputs in the forms for posts and replies.

In core we, at some time in the past, have explicitly put the token as one of the last fields in the form as a backup check on the completeness/integrity of the data being POSTed.

This due to Content-Size not being required to be present and connections being able to drop. We also give this as advise for the XHR requests: https://www.mediawiki.org/wiki/API:Edit

token: Edit token. Especially if you are not using the md5 parameter, the token should be sent as the last parameter,
or at least, after the text parameter, to prevent a bad edit from getting committed if transmission of the body is
interrupted for some reason.

Event Timeline

TheDJ created this task.Apr 14 2015, 3:41 PM
TheDJ raised the priority of this task from to Needs Triage.
TheDJ updated the task description. (Show Details)
TheDJ added projects: StructuredDiscussions, Collaboration-Team-Triage.
TheDJ updated the task description. (Show Details)
TheDJ set Security to None.
TheDJ added subscribers: TheDJ, Aklapper.
EBernhardson triaged this task as Medium priority.Apr 14 2015, 5:43 PM
EBernhardson added a project: good first task.
Mattflaschen-WMF subscribed.Jun 19 2015, 12:30 AM

Not sure this is really easy for no-JS.

Mattflaschen-WMF added a comment.Jun 19 2015, 12:30 AM

It will require handlebars changes for now.

Mattflaschen-WMF removed a project: good first task.Jun 19 2015, 12:30 AM
Aklapper edited projects, added Growth-Team; removed Collaboration-Team-Triage.Oct 12 2019, 4:18 AM
MBinder_WMF added a project: Growth-Team-Filtering.Apr 15 2021, 7:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL