(bug 35727) mw.Api ajax() should put token parameter last.

Patch from Russell Blau.

As recommended in [[mw:API:Edit#Token]], the "token" parameter in
a request should always be passed at the end of the query string.
This is a safety measure in case transmission of the HTML request to
the server is interrupted; then the server will not process the
incomplete request because there will be no (complete) token.
(Conversely, if the "text=" parameter were last, the server would have
no way of knowing whether the complete text had been received.)
Presumably the same thing is necessary for action=email, since the
request may include text of arbitrary length.

Change-Id: Id267dd628eb93eb06191c55eb386b1893f499554

diff --git a/CREDITS b/CREDITS
index 89154a3..fd86da8 100644 (file)
--- a/CREDITS
+++ b/CREDITS
@@ -175,6 +175,7 @@ following names for their contribution to the product.
 * rgcjonas
 * Robert Treat
 * RockMFR
+* Russell Blau
 * Rusty Burchfield
 * Salvatore Ingala
 * Scott Colcord

diff --git a/RELEASE-NOTES-1.20 b/RELEASE-NOTES-1.20
index f3e6c7e..26c3b48 100644 (file)
--- a/RELEASE-NOTES-1.20
+++ b/RELEASE-NOTES-1.20
@@ -121,6 +121,7 @@ upgrade PHP if you have not done so prior to upgrading MediaWiki.
 * (bug 24985) Use $wgTmpDirectory as the default temp directory so that people
   who don't have access to /tmp can specify an alternative.
 * (bug 27283) SqlBagOStuff breaks PostgreSQL transactions
+* (bug 35727) mw.Api ajax() should put token parameter last.
 
 === API changes in 1.20 ===
 * (bug 34316) Add ability to retrieve maximum upload size from MediaWiki API.

diff --git a/resources/mediawiki.api/mediawiki.api.js b/resources/mediawiki.api/mediawiki.api.js
index 225093b..74306d5 100644 (file)
--- a/resources/mediawiki.api/mediawiki.api.js
+++ b/resources/mediawiki.api/mediawiki.api.js
@@ -128,14 +128,23 @@
                 * @return {jqXHR}
                 */
                ajax: function( parameters, ajaxOptions ) {
+                       var token;
                        parameters = $.extend( {}, this.defaults.parameters, parameters );
                        ajaxOptions = $.extend( {}, this.defaults.ajax, ajaxOptions );
 
+                       // Ensure that token parameter is last (per [[mw:API:Edit#Token]]).
+                       if ( parameters.token ) {
+                               token = parameters.token;
+                               delete parameters.token;
+                       }
                        // Some deployed MediaWiki >= 1.17 forbid periods in URLs, due to an IE XSS bug
                        // So let's escape them here. See bug #28235
                        // This works because jQuery accepts data as a query string or as an Object
                        ajaxOptions.data = $.param( parameters ).replace( /\./g, '%2E' );
-
+                       // If we extracted a token parameter, add it back in.
+                       if ( token ) {
+                               ajaxOptions.data += '&token=' + encodeURIComponent( token );
+                       }
                        ajaxOptions.error = function( xhr, textStatus, exception ) {
                                ajaxOptions.err( 'http', {
                                        xhr: xhr,