https://bugzilla.wikimedia.org/show_bug.cgi?id=35646

--- Comment #2 from Sam Reed (reedy) <s...@reedyboy.net> 2012-04-02 18:09:01 UTC ---
User.php; it's the request-specific tokens that are at fault:

    /**
     * Check given value against the token value stored in the session.
     * A match should confirm that the form was submitted from the
     * user's own login session, not a form submission from a third-party
     * site.
     *
     * @param $val String Input value to compare
     * @param $salt String Optional function-specific data for hashing
     * @param $request WebRequest object to use or null to use $wgRequest
     * @return Boolean: Whether the token matches
     */
    public function matchEditToken( $val, $salt = '', $request = null ) {
        $sessionToken = $this->getEditToken( $salt, $request );
        if ( $val != $sessionToken ) {
            wfDebug( "User::matchEditToken: broken session data\n" );
        }
        return $val == $sessionToken;
    }

Commenting out the pass of $request (so it falls back to null) fixes the issue.

We've got a discrepancy between the code: the gettoken part of block passes the
request, but prop=info doesn't, while the API itself does:

        // Die if token required, but not provided (unless there is a gettoken parameter)
        $salt = $module->getTokenSalt();
        if ( $salt !== false && !isset( $moduleParams['gettoken'] ) ) {
            if ( !isset( $moduleParams['token'] ) ) {
                $this->dieUsageMsg( array( 'missingparam', 'token' ) );
            } else {
                if ( !$this->getUser()->matchEditToken( $moduleParams['token'], $salt, $this->getRequest() ) ) {
                    $this->dieUsageMsg( 'sessionfailure' );
                }
            }
        }


So the question is about the requests. Where should we be passing it, and where
shouldn't we?

I guess the request in the block/unblock should be removed to normalise them
with the prop=info one, and then do the same in ApiMain::setupModule (i.e. not
pass $this->request).

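To make the "which request" question concrete, here is an added Python model of the token round trip; it is not MediaWiki code and not part of the comment above. The token derivation (md5 of the session secret plus salt, with the "+\" suffix) and the FakeRequest/FakeUser classes are simplifying assumptions: the point is only that the token is derived from whichever request's session the caller passes, so issuing it against one request object and checking it against another yields the "broken session data" mismatch.

```python
import hashlib
import hmac

EDIT_TOKEN_SUFFIX = "+\\"  # marker MediaWiki appends to edit tokens (assumption)


class FakeRequest:
    """Constructed stand-in for WebRequest: each request carries its own session."""

    def __init__(self, session):
        self.session = session

    def get_session_data(self, key):
        return self.session.get(key)


class FakeUser:
    """Minimal model of User::getEditToken / matchEditToken (assumption, not MW code)."""

    def __init__(self, global_request):
        self.global_request = global_request  # stand-in for $wgRequest

    def get_edit_token(self, salt="", request=None):
        # Null request falls back to the global one, exactly the fallback the
        # comment describes; a different request object means a different session.
        req = request if request is not None else self.global_request
        secret = req.get_session_data("wsEditToken")
        if secret is None:
            return None
        return hashlib.md5((secret + salt).encode()).hexdigest() + EDIT_TOKEN_SUFFIX

    def match_edit_token(self, val, salt="", request=None):
        expected = self.get_edit_token(salt, request)
        if expected is None or val is None:
            return False  # would log "broken session data" in the PHP version
        # Constant-time comparison instead of PHP's loose == on strings.
        return hmac.compare_digest(val, expected)


def demo():
    # Constructed sessions: the browser session holds a secret, the other does not.
    web = FakeRequest({"wsEditToken": "constructed-session-secret"})
    other = FakeRequest({})
    user = FakeUser(global_request=web)
    token = user.get_edit_token("block")  # issued against the global request
    consistent = user.match_edit_token(token, "block", None)     # same source: True
    inconsistent = user.match_edit_token(token, "block", other)  # other request: False
    return consistent, inconsistent
```

Passing the same request (or consistently none) on both the issuing and checking side is what restores the match; mixing the two sources is the discrepancy the comment points at.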