Last modified: 2014-03-18 01:39:19 UTC

Wikimedia migrated from Bugzilla to Phabricator; this is a read-only archive. See T41830, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 39830 - Insufficient param validation
Status: PATCH_TO_REVIEW
Product: MediaWiki
Classification: Unclassified
Component: API (Other open bugs)
Version: 1.20.x
Hardware/OS: All / All
Importance: Normal priority, normal severity (vote)
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: 22510
Reported: 2012-08-31 07:28 UTC by Niklas Laxström
Modified: 2014-03-18 01:39 UTC
CC: 5 users


Description Niklas Laxström 2012-08-31 07:28:52 UTC
LQT has the following declaration:

'type' => array (
	ApiBase :: PARAM_DFLT => 'newthreads',
	ApiBase :: PARAM_TYPE => array( 'replies', 'newthreads' ),
	ApiBase :: PARAM_ISMULTI => true,
),

With invalid input the value of 'type' is array(). This is unexpected. It should either complain that the value(s) are not one of the allowed values (preferred), or use the default value 'newthreads' (less preferred). PARAM_ISMULTI seems to bypass the regular checks.

This causes exceptions in other code in LiquidThreads which expects that the values are sane. I believe this is an issue that should be fixed in core.
Comment 1 Umherirrender 2012-08-31 14:38:01 UTC
A wrong value is removed from the values and an empty array is treated like a valid value. For core you can see this with prop=revisions. When giving an empty rvprop= or a rvprop= with a wrong value, that results in the same output, because none of the properties are requested. Requesting no properties makes no sense, but is valid at the moment (no need for b/c).

In my opinion there is no problem, because it is not required that a value is set, and then the empty value is ok.

But setting PARAM_REQUIRED = true has no effect. That is the bug, in my opinion.
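The behaviour described in the report and in comment 1 (invalid values silently dropped from a multi-value parameter, leaving an empty array that bypasses PARAM_REQUIRED) can be modelled in a few lines. The following is an added example written for this page, not MediaWiki's ApiBase code: the PARAM_* constant names are borrowed from the declaration quoted above for readability, while validateMultiLenient(), validateMultiStrict() and their error messages are this example's own and are not the API the core patch uses.

```php
<?php
// Added example (not MediaWiki code): a minimal model of multi-value
// parameter validation for the 'type' declaration quoted in the bug report.
// The constant names mirror ApiBase::PARAM_* only for readability; the
// validateMulti*() functions and their messages are invented here.

const PARAM_DFLT     = 'default';
const PARAM_TYPE     = 'type';
const PARAM_ISMULTI  = 'multi';
const PARAM_REQUIRED = 'required';

// Declaration from the report (the LiquidThreads 'type' parameter),
// with PARAM_REQUIRED added as comment 1 discusses.
$typeParam = [
    PARAM_DFLT     => 'newthreads',
    PARAM_TYPE     => [ 'replies', 'newthreads' ],
    PARAM_ISMULTI  => true,
    PARAM_REQUIRED => true,
];

/**
 * Behaviour described in the report: unknown values are silently dropped,
 * so "type=bogus" yields array() and PARAM_REQUIRED is never consulted.
 */
function validateMultiLenient( ?string $raw, array $def ): array {
    if ( $raw === null ) {
        return explode( '|', $def[PARAM_DFLT] );   // parameter absent: use default
    }
    $values = $raw === '' ? [] : explode( '|', $raw );
    // array_intersect keeps only allowed values; an all-invalid input becomes [].
    return array_values( array_intersect( $values, $def[PARAM_TYPE] ) );
}

/**
 * Hardened variant: reject any value outside PARAM_TYPE (the report's
 * preferred fix) and honour PARAM_REQUIRED when the resulting set is empty.
 * Returns the validated list or throws on a client error.
 */
function validateMultiStrict( ?string $raw, array $def ): array {
    if ( $raw === null ) {
        $raw = $def[PARAM_DFLT];   // parameter absent: apply default
    }
    $values = $raw === '' ? [] : explode( '|', $raw );
    $unknown = array_diff( $values, $def[PARAM_TYPE] );
    if ( $unknown ) {
        throw new InvalidArgumentException(
            'Unrecognized value(s): ' . implode( ', ', $unknown ) );
    }
    if ( !$values && !empty( $def[PARAM_REQUIRED] ) ) {
        throw new InvalidArgumentException( 'At least one value is required' );
    }
    return array_values( array_unique( $values ) );
}

// Constructed inputs covering the cases discussed in the thread:
// absent, empty, valid, all-invalid, and mixed.
$inputs = [ null, '', 'replies', 'replies|newthreads', 'bogus', 'replies|bogus' ];
foreach ( $inputs as $in ) {
    $lenient = json_encode( validateMultiLenient( $in, $typeParam ) );
    try {
        $strict = json_encode( validateMultiStrict( $in, $typeParam ) );
    } catch ( InvalidArgumentException $e ) {
        $strict = 'ERROR: ' . $e->getMessage();
    }
    printf( "%-22s lenient=%-24s strict=%s\n", var_export( $in, true ), $lenient, $strict );
}
```

Running it shows the two paths diverging exactly where the thread says they do: for 'bogus' the lenient path returns [] and continues, while the strict path reports the unrecognized value; for '' the lenient path also returns [] and the strict path is the only one that ever reaches the PARAM_REQUIRED check.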
Comment 2 Umherirrender 2013-03-09 18:31:53 UTC
(In reply to comment #1)

> But setting PARAM_REQUIRED = true has no effect. That is the bug, in my
> opinion.

Committed Gerrit change #52987 for this
Comment 3 Umherirrender 2013-03-14 18:30:46 UTC
(In reply to comment #2)
Committed Gerrit change #52987 for this

Abandoned for the moment, does not work as expected.
Comment 4 Andre Klapper 2013-03-20 14:53:45 UTC
Still there is a patch in gerrit that somebody could pick up, hence restoring the patch-in-gerrit keyword.
