From: Brad Jorsch Date: Sun, 17 Jun 2012 04:11:32 +0000 (-0400) Subject: (bug 35727) mw.Api ajax() should put token parameter last. X-Git-Tag: 1.31.0-rc.0~23278^2 X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22lang_raccourcis%22%2C%22module=%24nom_module%22%29%20.%20%22?a=commitdiff_plain;h=39f09f3664e4393cb04a502780451df9f89541a8;p=lhc%2Fweb%2Fwiklou.git (bug 35727) mw.Api ajax() should put token parameter last. Patch from Russell Blau. As recommended in [[mw:API:Edit#Token]], the "token" parameter in a request should always be passed at the end of the query string. This is a safety measure in case transmission of the HTML request to the server is interrupted; then the server will not process the incomplete request because there will be no (complete) token. (Conversely, if the "text=" parameter were last, the server would have no way of knowing whether the complete text had been received.) Presumably the same thing is necessary for action=email, since the request may include text of arbitrary length. Change-Id: Id267dd628eb93eb06191c55eb386b1893f499554 --- diff --git a/CREDITS b/CREDITS index 89154a3cd5..fd86da8fcd 100644 --- a/CREDITS +++ b/CREDITS @@ -175,6 +175,7 @@ following names for their contribution to the product. * rgcjonas * Robert Treat * RockMFR +* Russell Blau * Rusty Burchfield * Salvatore Ingala * Scott Colcord diff --git a/RELEASE-NOTES-1.20 b/RELEASE-NOTES-1.20 index f3e6c7ecbf..26c3b48477 100644 --- a/RELEASE-NOTES-1.20 +++ b/RELEASE-NOTES-1.20 @@ -121,6 +121,7 @@ upgrade PHP if you have not done so prior to upgrading MediaWiki. * (bug 24985) Use $wgTmpDirectory as the default temp directory so that people who don't have access to /tmp can specify an alternative. * (bug 27283) SqlBagOStuff breaks PostgreSQL transactions +* (bug 35727) mw.Api ajax() should put token parameter last. === API changes in 1.20 === * (bug 34316) Add ability to retrieve maximum upload size from MediaWiki API. 
diff --git a/resources/mediawiki.api/mediawiki.api.js b/resources/mediawiki.api/mediawiki.api.js index 225093b36b..74306d5c68 100644 --- a/resources/mediawiki.api/mediawiki.api.js +++ b/resources/mediawiki.api/mediawiki.api.js @@ -128,14 +128,23 @@ * @return {jqXHR} */ ajax: function( parameters, ajaxOptions ) { + var token; parameters = $.extend( {}, this.defaults.parameters, parameters ); ajaxOptions = $.extend( {}, this.defaults.ajax, ajaxOptions ); + // Ensure that token parameter is last (per [[mw:API:Edit#Token]]). + if ( parameters.token ) { + token = parameters.token; + delete parameters.token; + } // Some deployed MediaWiki >= 1.17 forbid periods in URLs, due to an IE XSS bug // So let's escape them here. See bug #28235 // This works because jQuery accepts data as a query string or as an Object ajaxOptions.data = $.param( parameters ).replace( /\./g, '%2E' ); - + // If we extracted a token parameter, add it back in. + if ( token ) { + ajaxOptions.data += '&token=' + encodeURIComponent( token ); + } ajaxOptions.error = function( xhr, textStatus, exception ) { ajaxOptions.err( 'http', { xhr: xhr,
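Review bot: in the mediawiki.api.js hunk the re-appended token skips the period escaping that the preceding statement applies to the rest of the body, because `ajaxOptions.data = $.param( parameters ).replace( /\./g, '%2E' );` runs before `ajaxOptions.data += '&token=' + encodeURIComponent( token );`; to keep the bug #28235 workaround uniform, apply the same `.replace( /\./g, '%2E' )` to `encodeURIComponent( token )`, or append the token before the replace. A smaller point: when `parameters` holds nothing but the token, `$.param` returns an empty string and the body starts with a stray `&`; adding the separator only when `ajaxOptions.data` is non-empty avoids that.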
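The ordering the commit message argues for, as an added example that is not part of this patch or of MediaWiki's code: a form serializer that moves the token to the end of the body, next to a constructed stand-in for the server's token check, run over an intact body and over the same body cut short with the token last and with the token first. `EXPECTED_TOKEN`, `serialize`, `serverAccepts`, `truncate` and `demo` are all assumptions of this example, not names from the page.

```javascript
// Added example, not part of the MediaWiki patch: a model of why the token
// belongs at the end of the request body. The server-side check below is a
// constructed stand-in for MediaWiki's token validation, not its real code.

// Constructed sample token; the "+\" suffix mirrors MediaWiki's token format.
const EXPECTED_TOKEN = '0123456789abcdef+\\';

// Serialize as application/x-www-form-urlencoded. With tokenLast=true the
// "token" field is held back and appended after every other field, which is
// what the patched mw.Api.ajax() does; with tokenLast=false the caller's
// field order is kept as-is.
function serialize(params, tokenLast) {
  const form = new URLSearchParams();
  let token;
  for (const [key, value] of Object.entries(params)) {
    if (tokenLast && key === 'token') {
      token = value; // hold it back until everything else is written
    } else {
      form.append(key, value);
    }
  }
  if (token !== undefined) {
    form.append('token', token); // always the last field in the body
  }
  return form.toString();
}

// Stand-in server: process the request only if a complete, matching token
// arrived; a missing or partial token means the request is rejected.
function serverAccepts(body) {
  const fields = new URLSearchParams(body);
  return fields.get('token') === EXPECTED_TOKEN;
}

// Model an interrupted transmission: only the first n characters arrive.
function truncate(body, n) {
  return body.slice(0, n);
}

// Worked case: the same edit serialized both ways, then cut 3 characters short.
function demo() {
  // Token deliberately first in the object so the untouched order is "token first".
  const edit = { token: EXPECTED_TOKEN, action: 'edit', title: 'Sandbox',
                 text: 'A long page body that may be cut off' };
  const last = serialize(edit, true);   // ...&token=0123456789abcdef%2B%5C
  const first = serialize(edit, false); // token=0123456789abcdef%2B%5C&action=...
  return {
    intactAccepted: serverAccepts(last),
    // Token last: the cut lands inside the token, so the server rejects it.
    tokenLastTruncatedRejected: !serverAccepts(truncate(last, last.length - 3)),
    // Token first: the token is intact and a partial "text" would be processed.
    tokenFirstTruncatedAccepted: serverAccepts(truncate(first, first.length - 3)),
  };
}
```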