Page MenuHomePhabricator
Create Task
Maniphest T285464

HTMLForms using POST might be broken if the form action is a URL containing "?title="
Open, Needs TriagePublicBUG REPORT
Actions

Description

Discovered for AbuseFilter (Special:AbuseFilter/import) while testing apache builds in CI (example).

The form has the action set to the full URL of Special:AbuseFilter/new, where it POSTs the import data. If this url uses the ?title= variant (e.g. 127.0.0.1:9413/index.php?title=Special:AbuseFilter/new), as opposed to e.g. //localhost/pedia/index.php/Special:AbuseFilter/new, submitting the form will leave the user on the import page.

This happens because the form has a hidden title input whose value is Special:AbuseFilter/import, and this takes precedence over the query string in the action.

You can easily reproduce this bug by:

  • Going to Special:AbuseFilter/import
  • Manually changing the form action to use the "title=" variant
  • Add any text into the field and submit

In particular, an exception will be thrown due to HTMLForm mishandling, but the root cause is that we're actually showing the wrong special page (/import).

I think one possible fix might be to conditionally set the title input like we do for GET forms, see here. I'm not very familiar with HTMLForm though, so deferring to someone else.

Details

SubjectRepoBranchLines +/-
HTMLForm: Disallow setting internal field namesmediawiki/coremaster+22 -1
HTMLForm: Add title field if the action is overridden to script pathmediawiki/coremaster+8 -13
ViewRevert: Adjust use cases of HTMLFormmediawiki/extensions/AbuseFiltermaster+13 -41
ViewImport/ViewList: Use setTitle instead of addHiddenField/setActionmediawiki/extensions/AbuseFilterREL1_36+3 -6
ViewImport/ViewList: Use setTitle instead of addHiddenField/setActionmediawiki/extensions/AbuseFiltermaster+3 -6
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Jun 24 2021, 10:53 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 24 2021, 10:53 AM
kostajh subscribed.Jun 24 2021, 11:04 AM
matmarex subscribed.Jun 24 2021, 12:39 PM

I'm not sure where the relevant code is in AbuseFilter, there's a lot of forms there…

Does the problem still occur if you replace the calls to addHiddenField() and setAction() with a call to setTitle()?

Daimona added a comment.Jun 24 2021, 1:15 PM
In T285464#7175000, @matmarex wrote:

I'm not sure where the relevant code is in AbuseFilter, there's a lot of forms there…

The AbuseFilter one is here -- a fairly simple one.

Does the problem still occur if you replace the calls to addHiddenField() and setAction() with a call to setTitle()?

The addHiddenField thing happens in HTMLForm::getHiddenFields and there seems to be no way around it. OTOH, if I use setTitle instead of setAction it works. This might resolve the immediate problem, but not the whole thing IMHO. I think this should be either documented or, better, fixed.

kostajh added a parent task: T276428: Introduce non-voting jobs with quibble+apache.Jul 2 2021, 7:33 AM
kostajh mentioned this in T276428: Introduce non-voting jobs with quibble+apache.
gerritbot added a comment.Jul 2 2021, 10:11 AM

Change 702903 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/AbuseFilter@master] ViewList: Use setTitle instead of addHiddenField/setAction

https://gerrit.wikimedia.org/r/702903

gerritbot added a project: Patch-For-Review.Jul 2 2021, 10:11 AM

Change 702904 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/Wikibase@master] [DNM] Test for T285464

https://gerrit.wikimedia.org/r/702904

gerritbot added a comment.Jul 2 2021, 12:27 PM

Change 702903 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] ViewImport/ViewList: Use setTitle instead of addHiddenField/setAction

https://gerrit.wikimedia.org/r/702903

kostajh closed this task as Resolved.Jul 2 2021, 12:28 PM
kostajh claimed this task.

Thanks for the tips @matmarex & for the code review @Daimona.

Daimona reopened this task as Open.Jul 2 2021, 12:31 PM
Daimona removed kostajh as the assignee of this task.
Daimona removed a project: Patch-For-Review.

@kostajh I'd like to keep this task open since I feel that other might fall for this bug. HTMLForm should either not let you set an action that is not going to work (or at least document that), or avoid setting the title param if the action already has it.

Daimona removed a parent task: T276428: Introduce non-voting jobs with quibble+apache.Jul 2 2021, 12:31 PM
kostajh added a comment.Jul 2 2021, 12:44 PM
In T285464#7193565, @Daimona wrote:

@kostajh I'd like to keep this task open since I feel that other might fall for this bug. HTMLForm should either not let you set an action that is not going to work (or at least document that), or avoid setting the title param if the action already has it.

Ah, yeah fair enough. Thanks @Daimona.

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.14; 2021-07-12).Jul 2 2021, 1:00 PM
gerritbot added a comment.Feb 6 2022, 4:56 PM

Change 759955 had a related patch set uploaded (by Umherirrender; author: Kosta Harlan):

[mediawiki/extensions/AbuseFilter@REL1_36] ViewImport/ViewList: Use setTitle instead of addHiddenField/setAction

https://gerrit.wikimedia.org/r/759955

gerritbot added a project: Patch-For-Review.Feb 6 2022, 4:56 PM
Umherirrender mentioned this in T299978: AbuseFilter 1.36 selenium test failures.Feb 6 2022, 5:07 PM
gerritbot added a comment.Feb 6 2022, 7:07 PM

Change 759955 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_36] ViewImport/ViewList: Use setTitle instead of addHiddenField/setAction

https://gerrit.wikimedia.org/r/759955

gerritbot added a comment.Mar 18 2022, 11:15 AM

Change 761091 had a related patch set uploaded (by Func; author: Func):

[mediawiki/core@master] HTMLForm: Disallow setting internal field names

https://gerrit.wikimedia.org/r/761091

gerritbot added a comment.Mar 20 2022, 3:13 PM

Change 772026 had a related patch set uploaded (by Func; author: Func):

[mediawiki/extensions/AbuseFilter@master] ViewRevert: Adjust use cases of HTMLForm

https://gerrit.wikimedia.org/r/772026

gerritbot added a comment.Mar 20 2022, 5:35 PM

Change 772026 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] ViewRevert: Adjust use cases of HTMLForm

https://gerrit.wikimedia.org/r/772026

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.1; 2022-03-21-early).Mar 20 2022, 6:00 PM
gerritbot added a comment.Mar 25 2022, 12:59 PM

Change 772013 had a related patch set uploaded (by Func; author: Func):

[mediawiki/core@master] HTMLForm: Add title field if the action is overridden to script path

https://gerrit.wikimedia.org/r/772013

gerritbot added a comment.Mar 27 2022, 10:50 AM

Change 772013 merged by jenkins-bot:

[mediawiki/core@master] HTMLForm: Add title field if the action is overridden to script path

https://gerrit.wikimedia.org/r/772013

ReleaseTaggerBot edited projects, added MW-1.39-notes (1.39.0-wmf.5; 2022-03-28); removed MW-1.39-notes (1.39.0-wmf.1; 2022-03-21-early).Mar 27 2022, 11:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits