As was previously announced, passing the lgpassword or lgtoken parameters
to action=login in the query string rather than the POST body will begin to
return an error starting with 1.29.0-wmf.13. See
for the deployment
On Mon, Oct 31, 2016 at 2:44 PM, Brad Jorsch (Anomie) <bjorsch(a)wikimedia.org
> Over the past 30 days, there has been exactly one hit to
> action=clientlogin with sensitive data in the query string, and none to
> action=createaccount, action=linkaccount, and action=changeauthenticationdata.
> Beginning in 1.29.0-wmf.1 (to be deployed this week) these actions will now
> begin throwing errors if sensitive fields are included in the query string.
> Over the past 30 days, logins have been attempted via action=login for 28
> different user names with sensitive data (lgpassword or lgtoken) in the
> query string. This will continue to work for now; my current plan is to
> turn that warning into an error on February 15, 2017.
> : I can't post the list publicly at this time. If you want to know if
> you're one of the 28, put your user agent into https://meta.wikimedia.org/
> wiki/Special:ApiFeatureUsage and look for "login-params-in-query-string".
> On Fri, Aug 19, 2016 at 3:24 PM, Brad Jorsch (Anomie) <
>> For improved safety, passwords and other sensitive fields for
>> authentication should not be included in the request URI during a POST.
>> Instead, they should be in the POST body where they are less likely to be
>> included in log files. With the merge of Gerrit change 305545, the API
>> will now produce a warning if such fields are detected in the URI. This
>> should be deployed to WMF wikis with 1.28.0-wmf.16, see
for the schedule.
>> This affects the following modules and fields:
>> * action=login: 'lgpassword'
>> * action=clientlogin, action=createaccount, action=linkaccount, and
>> action=changeauthenticationdata: Any fields reported as "sensitive" by
>> action=query&meta=authmanagerinfo or by UI or REDIRECT responses.
>> Currently, this affects the 'password' and 'retype' fields.
>> The 'lgtoken' field for action=login will now also issue a warning if
>> placed in the request URI. The error code for other tokens being in the
>> request URI has changed from 'mustposttoken' to
>> To check if your client's user agent is detected making such submissions,
>> you can also use ApiFeatureUsage and look for
>> '<action>-params-in-query-string' once 1.28.0-wmf.16 is rolled out
>> wikis your client is logging in to.
>> It is planned that these warnings will be changed to errors during 1.29.
>> Let's avoid having a repeat of T142155, update your code ASAP instead of
>> waiting until it breaks. Thanks.
>> : https://gerrit.wikimedia.org/r/#/c/305545/
>> : https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage
>> : https://phabricator.wikimedia.org/T142155
>> Brad Jorsch (Anomie)
>> Senior Software Engineer
>> Wikimedia Foundation
> Brad Jorsch (Anomie)
> Senior Software Engineer
> Wikimedia Foundation
Brad Jorsch (Anomie)
Senior Software Engineer