On Sat, Aug 17, 2019 at 2:38 AM Ran Ari-Gur <ran.arigur(a)gmail.com> wrote:
> Does this mean that if a client doesn't set the Content-Type header, and
> it sends some parameters in the URI query string and some parameters in the
> HTTP request body, then the latter are now sometimes ignored (and
> eventually will always be ignored)?
Yes, it does.
> If so, then this is a bit worrisome, in that safety-checks like
> starttimestamp=... and assertuser=1 wouldn't do their jobs, so actions
> might go through that aren't supposed to.
Since the "token" parameter is required to be in the POST body, the action
should fail due to that being missing if the "action" parameter is in the
query string.
> Is it possible for MediaWiki to detect that there was a message body but
> no Content-Type, and return an explicit error in that case?
It should be possible to detect a POST with no Content-Type, that's a good
idea. I doubt there's much point in trying to differentiate the rare case
of a POST with an empty body, particularly since the client should still be
including the content type even with that.
I filed https://phabricator.wikimedia.org/T230735 with the suggestion.
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
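
The behaviour discussed in this message, as an added example that is not part of the original e-mail and is not MediaWiki code: a simplified Python model of a POST whose body is ignored when Content-Type is absent, the token-in-body requirement that still makes it fail, and the proposed explicit error. The function name, the `strict` flag, the error labels and the sample request are assumptions, and only urlencoded bodies are modelled.

```python
from urllib.parse import parse_qsl, urlsplit

FORM = "application/x-www-form-urlencoded"

def handle(method, url, headers, body=b"", strict=True):
    """Simplified model of a write-API request; returns (status, detail)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    query = dict(parse_qsl(urlsplit(url).query))

    # Proposed check: reject a POST that has no Content-Type with an
    # explicit error instead of silently dropping its body parameters.
    if strict and method == "POST" and not ctype:
        return ("error", "missing-content-type")  # hypothetical label

    # Body parameters are only read when the header declares form data.
    post = dict(parse_qsl(body.decode("utf-8"))) if ctype == FORM else {}

    # The token is only accepted from the POST body, so a request whose
    # body was ignored fails here even if "action" was in the query string.
    if "token" not in post:
        return ("error", "missing-token")  # hypothetical label

    return ("ok", {**query, **post})

# Constructed request: action in the query string, token and safety
# checks in the body.
URL = "https://wiki.example/api?action=edit"
BODY = b"token=abc123&assertuser=1&starttimestamp=2019-08-17T00:00:00Z"

if __name__ == "__main__":
    print(handle("POST", URL, {}, BODY, strict=False))  # body ignored
    print(handle("POST", URL, {}, BODY))                # explicit error
    print(handle("POST", URL, {"Content-Type": FORM + "; charset=UTF-8"}, BODY))
```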