On Sat, Aug 17, 2019 at 2:38 AM Ran Ari-Gur <[email protected]> wrote:
> Does this mean that if a client doesn't set the Content-Type header, and
> it sends some parameters in the URI query string and some parameters in the
> HTTP request body, then the latter are now sometimes ignored (and
> eventually will always be ignored)?

Yes, it does.

> If so, then this is a bit worrisome, in that safety-checks like
> starttimestamp=... and assertuser=1 wouldn't do their jobs, so actions
> might go through that aren't supposed to.

Since the "token" parameter is required to be in the POST body, the action should fail due to that being missing if the "action" parameter is in the query string.

> Is it possible for MediaWiki to detect that there was a message body but
> no Content-Type, and return an explicit error in that case?

It should be possible to detect a POST with no Content-Type, that's a good idea. I doubt there's much point in trying to differentiate the rare case of a POST with an empty body, particularly since the client should still be including the content type even with that. I filed https://phabricator.wikimedia.org/T230735 with the suggestion.

--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
_______________________________________________
Mediawiki-api mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
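The check suggested in the thread, sketched as an added example that is not part of the original message and is not MediaWiki code: a WSGI middleware that answers any POST lacking a Content-Type header with an explicit error instead of letting body parameters be dropped silently. The `toy_api` endpoint, the `call` helper, the sample parameters and the choice of a 400 status are assumptions made for illustration.

```python
import io
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"

def toy_api(environ, start_response):
    """Constructed stand-in endpoint: the body is parsed only when it is
    declared as form data, so an undeclared body is silently ignored."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if ctype == FORM:
        size = int(environ.get("CONTENT_LENGTH") or 0)
        params.update(parse_qs(environ["wsgi.input"].read(size).decode()))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [",".join(sorted(params)).encode()]  # names of the parameters seen

class RequireContentType:
    """Reject every POST without a Content-Type, empty body or not."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        missing = not environ.get("CONTENT_TYPE", "").strip()
        if environ.get("REQUEST_METHOD") == "POST" and missing:
            msg = b"POST requests must include a Content-Type header\n"
            start_response("400 Bad Request",  # status code is an assumption
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(msg)))])
            return [msg]
        return self.app(environ, start_response)

def call(app, method, query="", body=b"", content_type=None):
    """Drive a WSGI app with a constructed request; return (status, text)."""
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    if content_type is not None:
        environ["CONTENT_TYPE"] = content_type
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    text = b"".join(app(environ, start_response)).decode()
    return seen["status"], text

if __name__ == "__main__":
    body = b"assertuser=1&token=abc"  # constructed sample values
    print(call(toy_api, "POST", "action=edit", body))
    print(call(RequireContentType(toy_api), "POST", "action=edit", body))
    print(call(RequireContentType(toy_api), "POST", "action=edit", body, FORM))
```

Without the middleware, the first call shows only `action` reaching the endpoint; with it, the same request gets the explicit error, and the correctly labelled request passes through with all three parameters.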
