Last modified: 2011-04-22 10:48:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T28603, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 26603 - Un-escaped characters in login "returnto" parameter


Summary:	Un-escaped characters in login "returnto" parameter

Status:	RESOLVED FIXED

Product:	MediaWiki
Classification:	Unclassified
Component:	User login and signup (Other open bugs)
Version:	1.18.x
Hardware:	All All

Importance:	High normal (vote)
Target Milestone:	---
Assigned To:	Roan Kattouw

URL:
Whiteboard:
Keywords:

Duplicates:	26604 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2011-01-06 09:36 UTC by Gregor Hagedorn
Modified:	2011-04-22 10:48 UTC (History)
CC List:	5 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Gregor Hagedorn 2011-01-06 09:36:20 UTC

While normally the "&" in a title is correctly escaped, in the case of signing in from such a page, the URL created contains a non-escaped "&". Example:

http://offene-naturfuehrer.de/w/index.php?title=Spezial:Anmelden&returnto=Schl%C3%BCssel_zu_den_Familien_der_B%C3%A4rlapppflanzen_und_Farne_in_Deutschland_%28H.W._Bennert_&_K._Horn%29

Note the non-escaped "_&_" at the end.

Comment 1 Gregor Hagedorn 2011-01-06 09:37:16 UTC

Forgot the SVN: tested under r79596

Comment 2 Roan Kattouw 2011-01-06 10:28:17 UTC

*** Bug 26604 has been marked as a duplicate of this bug. ***

Comment 3 Gregor Hagedorn 2011-01-06 11:57:10 UTC

According to bug 26604 the same applies to the "+" character.

Comment 4 Roan Kattouw 2011-02-16 10:51:22 UTC

I tried reproducing this on trunk, but the ampersand and plus get escaped fine.

Comment 5 Gregor Hagedorn 2011-02-16 11:09:39 UTC

I confirm, cannot reproduce it on r82189 any more. Someone seems to have fixed this "accidentially"...

Comment 6 Gregor Hagedorn 2011-02-16 11:15:07 UTC

Error is still present, reopening.

The duplicate bug 26604 describes it better than the description here.

The error requires the sequence: 

1 being signed in on a page
2. sign out
3 on confirm page, go to the top right login box (not the login on the logout message itself, which does NOT contain a return-to)

the return-to in the login in the top right corner reveals already as a URL that the return-to parameter is now unescaped.

Comment 7 Roan Kattouw 2011-02-16 11:16:18 UTC

(In reply to comment #6)
> Error is still present, reopening.
> 
> The duplicate bug 26604 describes it better than the description here.
> 
> The error requires the sequence: 
> 
> 1 being signed in on a page
> 2. sign out
> 3 on confirm page, go to the top right login box (not the login on the logout
> message itself, which does NOT contain a return-to)
> 
> the return-to in the login in the top right corner reveals already as a URL
> that the return-to parameter is now unescaped.
Have you tried actually clicking the link? Firefox hides the escaping for me, which is confusing, but does apply it.

Comment 8 Roan Kattouw 2011-02-16 11:17:04 UTC

(In reply to comment #7)
> Have you tried actually clicking the link? Firefox hides the escaping for me,
> which is confusing, but does apply it.

Whoops, spoke too soon. You're right, it's not escaped.

Comment 9 Roan Kattouw 2011-02-20 19:59:16 UTC

Fixed a while ago in r82232

Comment 10 Liangent 2011-03-09 05:47:33 UTC

Now it's double-escaped. In HTML it becomes something like %25E7%2589%25B9%25E6%25AE%258A

Comment 11 Gregor Hagedorn 2011-03-09 08:46:52 UTC

(In reply to comment #10)
> Now it's double-escaped. In HTML it becomes something like
> %25E7%2589%25B9%25E6%25AE%258A

Please describe exactly in which action sequence you see that. It seems escaped in multiple places, and behave differently depending on the order of actions.

Comment 12 Liangent 2011-03-09 11:48:00 UTC

(In reply to comment #11)
> (In reply to comment #10)
> > Now it's double-escaped. In HTML it becomes something like
> > %25E7%2589%25B9%25E6%25AE%258A
> 
> Please describe exactly in which action sequence you see that. It seems escaped
> in multiple places, and behave differently depending on the order of actions.

I pointed out the buggy logic in code review of r82232.

Comment 13 Roan Kattouw 2011-04-22 10:48:21 UTC

(In reply to comment #12)
> I pointed out the buggy logic in code review of r82232.
Fixed in r86697. Apologies for the delay.

Note You need to log in before you can comment on or make changes to this bug.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links