Last modified: 2012-02-22 12:35:15 UTC
Due to the security fix (bug 28534, bug 28639) all ajax calls with a '.' have problems in IE:
- It is not possible to watch/unwatch a page with '.' (like skin.js/.css)
- Search suggestion shows no pages, if you search for a page with '.'
- the link insertion dialog (Extension WikiEditor) give no suggestion for links with a '.'
- Encode the '.' in ajax requests (%2E)
- allow at least one '&' behind the '.' That does not helps for all ajax calls, but some of them.
This is not bug 28840, because the bug tracks the problems with the ressource loader (stylesheets, scripts).
Assigning this to Tim, making it 1.17 blocker, and adding to triage so I can make sure I am not insane.
Perhaps someone with access to the logs could check to see how many 403 requests are returned due to the dot thing, just to see how widespread the problem is.
Increase severity after one week.
I think this was fixed by r87711 which was a fix for bug 28840.
CC-ing Roan/Catrope to confirm.
(In reply to comment #4)
> I think this was fixed by r87711 which was a fix for bug 28840.
> CC-ing Roan/Catrope to confirm.
No, it doesn't fix this.
I don't suppose there's some magic way to change how jQuery urlencodes ajax parameters to force dots to be urlencoded (per comment 0)? In my testing, that would fix much of these issues.
(btw, for reference the original security bug is bug 28235. I'm just writing that here because bugzilla search is a pain and I always have trouble finding it).
I'm also marking this depends on bug 28840, not sure if that's right, but the two issues are highly related.
I have written a patch that will provide an easy workaround for these requests and sent it to Tim (by private e-mail, because it's about a security issue) for review.
*** This bug has been marked as a duplicate of bug 28840 ***