Last modified: 2012-02-22 12:35:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 28962 - ajax calls with '.' not working in IE
ajax calls with '.' not working in IE
Status: RESOLVED DUPLICATE of bug 28840
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
All All
: Highest major (vote)
: ---
Assigned To: Tim Starling
Depends on: 28840
Blocks: 26676
  Show dependency treegraph
Reported: 2011-05-13 19:31 UTC by db [inactive,noenotif]
Modified: 2012-02-22 12:35 UTC (History)
4 users (show)

See Also:
Web browser: Internet Explorer
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description db [inactive,noenotif] 2011-05-13 19:31:05 UTC
Due to the security fix (bug 28534, bug 28639) all ajax calls with a '.' have problems in IE:

- It is not possible to watch/unwatch a page with '.' (like skin.js/.css)
- Search suggestion shows no pages, if you search for a page with '.'
- the link insertion dialog (Extension WikiEditor) give no suggestion for links with a '.'

- Encode the '.' in ajax requests (%2E)
- allow at least one '&' behind the '.' That does not helps for all ajax calls, but some of them.


This is not bug 28840, because the bug tracks the problems with the ressource loader (stylesheets, scripts).
Comment 1 Mark A. Hershberger 2011-05-13 22:20:30 UTC
Assigning this to Tim, making it 1.17 blocker, and adding to triage so I can make sure I am not insane.
Comment 2 Bawolff (Brian Wolff) 2011-05-14 03:19:50 UTC
Perhaps someone with access to the logs could check to see how many 403 requests are returned due to the dot thing, just to see how widespread the problem is.
Comment 3 db [inactive,noenotif] 2011-05-20 20:46:43 UTC
Increase severity after one week.
Comment 4 Krinkle 2011-05-21 16:13:23 UTC
I think this was fixed by r87711 which was a fix for bug 28840.

CC-ing Roan/Catrope to confirm.
Comment 5 Bawolff (Brian Wolff) 2011-05-21 17:50:43 UTC
(In reply to comment #4)
> I think this was fixed by r87711 which was a fix for bug 28840.
> CC-ing Roan/Catrope to confirm.

No, it doesn't fix this.

I don't suppose there's some magic way to change how jQuery urlencodes ajax parameters to force dots to be urlencoded (per comment 0)? In my testing, that would fix much of these issues.

(btw, for reference the original security bug is bug 28235. I'm just writing that here because bugzilla search is a pain and I always have trouble finding it).

I'm also marking this depends on bug 28840, not sure if that's right, but the two issues are highly related.
Comment 6 Roan Kattouw 2011-05-21 19:17:06 UTC
I have written a patch that will provide an easy workaround for these requests and sent it to Tim (by private e-mail, because it's about a security issue) for review.
Comment 7 Mark A. Hershberger 2011-05-26 18:54:42 UTC

*** This bug has been marked as a duplicate of bug 28840 ***

Note You need to log in before you can comment on or make changes to this bug.