Last modified: 2009-08-06 18:18:43 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T2013, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 13 - "Return to" item doesn't retain contextual parameters
"Return to" item doesn't retain contextual parameters
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: Low minor with 4 votes (vote)
: ---
Assigned To: Trevor Parscal
: patch, patch-need-review
: 1397 4814 7453 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-08-11 10:00 UTC by xmlizer
Modified: 2009-08-06 18:18 UTC (History)
8 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Retain contextual parameters for login and logout links (4.46 KB, patch)
2008-01-27 13:30 UTC, Robert Leverington
Details
Patch providing full URL path redirection for login and logout (5.90 KB, patch)
2008-01-27 21:43 UTC, Robert Leverington
Details

Description xmlizer 2004-08-11 10:00:08 UTC
the "returnto" parameter just keep the page name and not the parameter with

when we click on log in (for example when we log on recentchanges with minoredit
parameter set) we come back but on the default pages (in this case recentchanges)
Comment 1 Timwi 2004-08-11 17:05:13 UTC
Is that really a problem?  If you need a particular set of parameters for
Special:Recentchanges, wouldn't it make more sense to just bookmark it?  And if
you have a bookmark, you can just use that.

However, if someone really wants to "fix" this, I should point out that the same
concern applies to many other Special pages, including Special:Contributions:
after logging in, I get redirected to [[Special:Contributions]] which says "You
have not specified a target page or user to perform this function on."
Comment 2 Antoine "hashar" Musso (WMF) 2004-08-14 11:52:07 UTC
MERGE OF SOURCEFORGE BUG #897952
http://sourceforge.net/tracker/index.php?func=detail&aid=897952&group_id=34373&atid=411192

Submitted By:
noririty - noririty
Date Submitted:
2004-02-16 13:20

 Reproducible: Always
Steps to Reproduce:
1. Logout
2. browse to User contributions page (ex.
http://en.wikipedia.org/w/wiki.phtml?title=Special:Contributions&target=RickK)
3. Login
Actual Results:
"No target" page [[Special:Contributions]] come out

Expected Results:
It should hold link to target=USERID
Comment 3 Brion Vibber 2005-01-24 07:29:59 UTC
*** Bug 1397 has been marked as a duplicate of this bug. ***
Comment 4 Brion Vibber 2006-02-01 00:28:46 UTC
*** Bug 4814 has been marked as a duplicate of this bug. ***
Comment 5 Edward Z. Yang 2006-06-09 01:44:24 UTC
In response to Timwi's response, that's the main problem with "return to's."
Short of copying the entire URL from the referer, ensuring that EVERY page that
links to the page in question passes its entire URL to it, or defining a compact
syntax that has the ability to describe every non-idempotent page on the site,
this isn't getting fixed.
Comment 6 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-10-05 21:06:41 UTC
*** Bug 7453 has been marked as a duplicate of this bug. ***
Comment 7 Mark Clements (HappyDog) 2006-12-18 16:55:24 UTC
Surely the redirect to the login page is handled by a generic block of code -
why can't that just pass the full request string rather than just the requested
page name?
Comment 8 Jim Hu 2007-06-22 21:03:54 UTC
I agree that passing the parameters would be useful - without them, my TableEdit extension has problems returning to the right place when users have to be logged in to edit.
Comment 9 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-06-22 21:39:13 UTC
Tangentially related to bug 7129, which I'm poking at now.
Comment 10 Robert Leverington 2008-01-26 20:26:26 UTC
This bug hasn't been touched for 6 months so I would like to propose a solution I would be willing to code. Since it would be undesirable to allow the user to be redirected anywhere other than inside the current wiki this bug could be solved by urlencoding the query string and putting it in a returnquery= part of the login url. If a returnquery= value is found then the user is redirected to $wgScript . '?' . urldecode( querystring ); otherwise the original behaviour of returnto= is used. This would ensure backwards compatibility and allow for a solution to this bug.
Comment 11 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-01-27 00:55:23 UTC
I would do it a little more loosely, and also allow redirects to $wgServer as well, if possible.  That is, it would be good if pretty URLs could be kept.

Anyway, I'm not going to work on this anytime soon.  Feel free to take it if you want.
Comment 12 Robert Leverington 2008-01-27 10:02:15 UTC
I also discussed this, but going down all the way to the server root could cause possible redirection security issues. Given that some hosts give you a directory rather than a subdomain. Also some sites run multiple wikis off the same domain and malicious users might decide to try to confuse them by setting up login links that redirect to a different wiki. Due to the fact that returnto= could also be kept the functions of them could be slightly different: returnto redirects back to a wiki page and is invoked if returnquery isn't found; returnquery is invoked by default and redirects to a querystring appended to $wgScript.

Of course these are all minor details and due to the nature of any patch this could be simply changed providing it hadn't gone in to common usage yet.
Comment 13 Robert Leverington 2008-01-27 13:30:30 UTC
Created attachment 4587 [details]
Retain contextual parameters for login and logout links

This patch provides the necessery modifications to maintain contextual paramters, if present, for both the login and logout pages. If no query string is present then former behaviour is employed.

Fully tested on my development wiki.
Comment 14 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-01-27 16:50:40 UTC
Er, I didn't mean $wgServer, of course.  I meant $wgArticlePath.  So you could have returnquery and returnarticle, say, with the latter appending to $wgArticlePath instead of $wgScriptPath.  returnto could be aliased to returnarticle (or just keep the name "returnto", but that's inconsistent in terms of naming).  In this case, you'd want to allow both to be set, since URLs like /wiki/Article_name?action=purge are valid.  Or, you could pass the whole URL and check it for validity, which might be less complicated on the caller's side but also maybe less safe, and maybe harder .

As for the patch, here are some brief comments, without having tested it.  First of all, did you test with pretty URLs?  There are a variety of ways to achieve those, which I'm not sure would all work identically.  I might be wrong, but the patch seems to just assume ugly URLs.

More specific comments:

-		if ( !empty( $this->mReturnTo ) ) {
+		if ( !empty( $this->mReturnQuery ) ) {
+			$wgOut->addReturnQuery( $this->mReturnQuery, $this->mReturnTo );
+		} elseif ( !empty( $this->mReturnTo ) ) {

This issue wasn't added by you, but surely it's erroneous to use empty() here and elsewhere?  The string "0" is a valid article name and a valid query string, but it would be excluded by this.  $var === '' should be used here, and in the other places.

+			$returnquery = '&returnquery=' . wfUrlencode( $this->mReturnQuery );
. . .
+			$attr[] = 'returnquery=' . $this->mReturnQuery;

You seem to be inconsistent here (as, it looks like, was the existing code).  Is $this->mReturnQuery already URL-encoded or not?  It might be a good idea to make it clear if it's already escaped, like calling it mEncReturnQuery if it is and mUnencReturnQuery or something if it's not.  Otherwise it can be pretty confusing.  I think it's not escaped, which would cause few problems with mReturnTo (mainly if the title contains &) but lots of problems with a multipart query string.

+	/**
+	 * Add a "return to" link pointing to the script with the
+	 * specified query string.
+	 * 
+	 * @param $string Query string to append (excluding ?)
+	 */
+	public function addReturnQuery( $query, $title ) {

The parameter list is inconsistent with the documentation.  The documentation should preferably state what sort of encoding the parameters are in.  You require $query to be entity-encoded here -- this is probably wrong, you want to htmlspecialchars() it in the function and accept it non-entity-encoded.  And you want a non-URL-encoded but, again, entity-encoded $title, which is a display title and not a DB-key title.  I would suggest the param descriptions be

@param string $query Unescaped query string to append, excluding the initial ?
@param string $title Unescaped display title string

and fix the code to correctly escape both of them.

+					$wgTitle->isSpecial( 'Preferences' ) ? '' : "returnto={$this->thisurl}" . '&returnquery=' . urlencode( $_SERVER[ 'QUERY_STRING' ] )
. . .
+					'href' => self::makeSpecialUrl( 'Userlogin', 'returnto=' . $this->thisurl . '&returnquery=' . urlencode( $_SERVER[ 'QUERY_STRING' ] ) ),

I'm guessing these will break with magic_quotes enabled.  There should be some way to use $wgRequest or other built-in functions here rather than directly accessing the superglobal.
Comment 15 Robert Leverington 2008-01-27 21:43:33 UTC
Created attachment 4591 [details]
Patch providing full URL path redirection for login and logout

In this patch I have taken into account some of the things pointed out. Instead of just passing the query string forward this patch passes everything after the domain name to the "Return to __" bit, but with security checking to ensure that the path is part of the wiki.

After checking some of the stuff I decided not to rename the variables to Unenc and Enc as getVal() always returns unencoded values. I also changed some of the existing code to fix the bugs stated so far (for example the 0 page not being detected properly).
Comment 16 Robert Leverington 2008-01-27 21:58:18 UTC
Comment on attachment 4591 [details]
Patch providing full URL path redirection for login and logout

This patch has a slight flaw in linking to non-existant pages, needs fixing.
Comment 17 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-01-27 22:35:42 UTC
+		global $wgAuth, $wgArticlePath, $wgScript;

Is $wgScript correct here, or do you want $wgScriptPath?  If you're going to be strict and only allow $wgScript, you exclude redirect.php, api.php, thumb.php, trackback.php, aliases like wiki.phtml and index.php5, . . .

 		# When switching accounts, it sucks to get automatically logged out
 		if( $this->mReturnTo == $wgLang->specialPage( 'Userlogout' ) ) {
-			$this->mReturnTo = '';
+			$this->mReturnTo = null;
+			$this->mReturnPath = null;
 		}

This test might no longer be sufficient.  It might be better to construct a Title object and compare it to SpecialPage::getTitleFor( 'Userlogout' ), or something.  As far as I can see, mReturnTo is actually not used for anything but display, if mReturnPath is set, so you can just send someone to returnto=Main_Page&returnpath=/wiki/Special:Userlogout.

+		if( strpos( str_replace( '$1', '', $wgArticlePath ), $this->mReturnPath ) > 0 || strpos( $wgScript, $this->mReturnPath ) > 0 ) {

Doesn't this return true if both strposes return false, i.e., if the return path doesn't contain either of the strings?  I would think something like this would be desired:

if( strpos( str_replace( '$1', '', $wgArticlePath ), $this->mReturnPath ) !== 0 && strpos( $wgScript, $this->mReturnPath ) !== 0 ) {

This way of doing things (i.e., passing the full URL and checking for validity) makes me sort of uneasy, though, as though we might miss a case.  If it makes Brion feel uneasy he'll revert it.  Maybe you should ask him before committing.  When I think about it, it still does seem best, though.

Perhaps you could dispense with the returnto parameter, and parse the URL to determine the article title to use for display?  It seems cleaner.

+		if ( is_null( $this->mReturnPath ) && !is_null( $this->mReturnTo ) ) {
 			$wgOut->returnToMain( $auto, $this->mReturnTo );
+		} elseif( !is_null( $this->mReturnPath ) ) {
+			$wgOut->addReturnToPath( $this->mReturnPath, $this->mReturnTo );

These comparisons aren't good either, are they?  What if one of them is set to the empty string?  You probably shouldn't try redirecting in that case.  Remember that WebRequest::getVal always returns a string, so you can take '' as the value meaning not to redirect.

You might even do more validation than that, if you like.  You could parse the title out and check validity with Title::newFromURL(), and not print redirects to invalid titles.

+	 * @param String $path Correctly escaped path to link

What does "escaped" mean?  urlencoded, entity-encoded, both?  Actually I think you mean it should be entirely unescaped -- it's the literal URL you're redirecting to.

+	if( strpos( str_replace( '$1', '', $wgArticlePath ), $returnPath ) > 0 || strpos( $wgScript, $returnPath ) > 0 ) {
+		// invalid returnpath, fall back to returnto
+		$returnPath = null;
+	}
+	if ( is_null( $returnPath ) && !is_null( $returnTo ) ) {
+		$wgOut->returnToMain( $auto, $returnTo );
+	} elseif( !is_null( $returnPath ) ) {
+		$wgOut->addReturnToPath( $returnPath, $returnTo );
+	} else {
+		$wgOut->returnToMain( $auto );
+	}

It's not good to duplicate logic like this.  Why don't you add this logic to OutputPage::returnToMain(), adding an extra $query parameter and doing validation there?
Comment 18 Brion Vibber 2009-08-05 16:40:24 UTC
Assigning to Trevor -- didn't you guys set up something like this for usability opt-in? Is this generalized already or does that need to be done still?
Comment 19 Trevor Parscal 2009-08-06 06:18:52 UTC
Roan (catrope) resolved this, or something very darn similar in r53270 - for our own purposes, but the fix should fix a bug that was affecting everyone. Does this look like it solves the problem to anyone else? Can we get this pushed into the deployment branch? Looks like deployment branch only has the equivilant of r52290 with some tweaks.
Comment 20 Trevor Parscal 2009-08-06 18:18:43 UTC
Solved in r53270.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links