> Since the "token" parameter is required to be in the POST body, the
action should fail due to that being missing if the "action" parameter is
in the query string.

OK, phew, that's reassuring; thanks for the correction!

> I filed https://phabricator.wikimedia.org/T230735 with the suggestion.

Looks good, thanks!

On Mon, Aug 19, 2019, 9:09 AM Brad Jorsch (Anomie) <bjor...@wikimedia.org>
wrote:

> On Sat, Aug 17, 2019 at 2:38 AM Ran Ari-Gur <ran.ari...@gmail.com> wrote:
>
>> Does this mean that if a client doesn't set the Content-Type header, and
>> it sends some parameters in the URI query string and some parameters in the
>> HTTP request body, then the latter are now sometimes ignored (and
>> eventually will always be ignored)?
>>
>
> Yes, it does.
>
>
>> If so, then this is a bit worrisome, in that safety-checks like
>> starttimestamp=... and assertuser=1 wouldn't do their jobs, so actions
>> might go through that aren't supposed to.
>>
>
> Since the "token" parameter is required to be in the POST body, the action
> should fail due to that being missing if the "action" parameter is in the
> query string.
>
>
>> Is it possible for MediaWiki to detect that there was a message body but
>> no Content-Type, and return an explicit error in that case?
>>
>
> It should be possible to detect a POST with no Content-Type, that's a good
> idea. I doubt there's much point in trying to differentiate the rare case
> of a POST with an empty body, particularly since the client should still be
> including the content type even with that.
>
> I filed https://phabricator.wikimedia.org/T230735 with the suggestion.
>
> --
> Brad Jorsch (Anomie)
> Senior Software Engineer
> Wikimedia Foundation
> _______________________________________________
> Mediawiki-api mailing list
> Mediawiki-api@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
>
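As an added example, not MediaWiki's own code and not written by anyone in this thread, here is a small Python model of the parameter-merging rule Brad describes: body parameters are read only when the request declares a form Content-Type, a write action needs its "token" to come from the POST body, and "assertuser" is checked only if the server actually saw it. It also carries the check suggested for T230735 (reject a POST body that has no Content-Type) behind a flag, so both behaviours can be compared. WRITE_ACTIONS, ApiError, the error-code strings, the session_user argument and the assertuser semantics are assumptions of the model, not MediaWiki's actual implementation.

```python
"""Model of the query-string vs. POST-body merging discussed in this thread.

Added illustration only; not MediaWiki code. Assumptions: body parameters
count only under a form Content-Type, write actions require the CSRF token
in the POST body, and "assertuser" must equal the logged-in user. The
WRITE_ACTIONS set, ApiError and the error-code strings are invented here.
"""
from urllib.parse import parse_qs

FORM_TYPE = "application/x-www-form-urlencoded"
WRITE_ACTIONS = {"edit", "delete", "move"}  # assumed subset for this model


class ApiError(Exception):
    """Raised with a short error-code string, in the style of API errors."""


def _parse_form(text):
    # Last value wins for repeated keys; blank values are kept.
    return {k: v[-1] for k, v in parse_qs(text, keep_blank_values=True).items()}


def collect_params(method, query, body, headers, reject_untyped_body=False):
    """Merge query-string and body parameters.

    Returns (params, body_keys). Body parameters are used only when the
    Content-Type is a form type. A POST body with no Content-Type is silently
    dropped, unless reject_untyped_body is set, in which case it is an error
    (the check suggested in the thread).
    """
    params = _parse_form(query)
    body_keys = set()
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if method == "POST" and body:
        if not ctype:
            if reject_untyped_body:
                raise ApiError("nocontenttype")
            # Lenient behaviour: the body is ignored and the client never learns it.
        elif ctype == FORM_TYPE:
            body_params = _parse_form(body)
            params.update(body_params)
            body_keys = set(body_params)
    return params, body_keys


def handle_request(method, query, body, headers, session_user,
                   reject_untyped_body=False):
    """Dispatch a request and apply the safety checks mentioned in the thread."""
    params, body_keys = collect_params(method, query, body, headers,
                                       reject_untyped_body)
    action = params.get("action")
    if action is None:
        raise ApiError("missingparam:action")
    # assertuser only protects the caller if the server actually saw it.
    if "assertuser" in params and params["assertuser"] != session_user:
        raise ApiError("assertuserfailed")
    if action in WRITE_ACTIONS:
        if method != "POST":
            raise ApiError("mustbeposted")
        # The token must come from the POST body, never from the query string.
        if "token" not in body_keys:
            raise ApiError("missingparam:token")
    return {"action": action, "params": params}


def error_code(*args, **kwargs):
    """Return the ApiError code a request produces, or None if it succeeds."""
    try:
        handle_request(*args, **kwargs)
    except ApiError as e:
        return str(e)
    return None


if __name__ == "__main__":
    form = {"Content-Type": FORM_TYPE}
    body = "token=abc%2B%5C&assertuser=Alice&title=Foo"
    # Everything declared properly: the edit goes through.
    print(handle_request("POST", "action=edit", body, form, "Alice"))
    # No Content-Type: body dropped, so the write fails on the missing token.
    print(error_code("POST", "action=edit", body, {}, "Alice"))
    # Read action without Content-Type: the body-only assertuser is silently lost.
    print(handle_request("POST", "action=query&titles=Foo", "assertuser=Alice", {}, "Mallory"))
    # Same request with the suggested check: an explicit error instead.
    print(error_code("POST", "action=query&titles=Foo", "assertuser=Alice", {}, "Mallory",
                     reject_untyped_body=True))
```

The third call is the case worth noticing: a read request whose only safety parameter lives in an untyped body succeeds as if that parameter had never been sent, which is why an explicit "nocontenttype" style error is preferable to silently ignoring the body.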