If I am up to date here, the fix that exists in trunk for the API-handling code is still not going to help us. It merely excludes highly improbable "extensions" like ".jpg&foo=bar&quux=blarg".
But, what if your query arguments *legitimately* end with an extension like "http://en.wikipedia.org/w/api.php?action=doSomething&page=File:Something..." ? You can't depend on query argument order.
The only solution is to encode our query args differently.
So, in the last deploy I deployed a workaround for this in UploadWizard. At the last stage before firing the AJAX query I convert any '.' in the query data to '%2E'.
http://www.mediawiki.org/wiki/Special:Code/MediaWiki/90649
This won't trigger any bizarre bugs in IE6 and your code (if properly written) should never know anything happened. We could advise other consumers of our API to do the same.
BTW, this is a fairly tricky fix as it relies on certain quirks of jQuery 1.3, which is what we have deployed. Also, it was easier for me to deploy this fix for UW because all its ajax calls go through an API object.
In jQuery 1.4 you can fix this in a more standardized way, with ajax filters.
Of course it would be better if we just fixed the XSS prevention somehow, but I don't see how that's possible given the constraints.
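As an added illustration of the workaround described in this message (this is example code, not UploadWizard's or MediaWiki's own): every '.' in the already URL-encoded query string is rewritten as '%2E', so the request URL can never end in something that looks like a file extension no matter which argument lands last, while a standards-conforming decoder on the server still sees the identical values. The function names, the `endsWithExtension` stand-in for the server-side check, and the sample parameters are assumptions constructed for the example; the API base URL is the one quoted above.

```javascript
// Added example, not UploadWizard's or MediaWiki's code. Shows the '.' -> '%2E'
// workaround from the thread and why argument order alone cannot be relied on.
// API_URL is taken from the thread; everything else is constructed for illustration.

var API_URL = 'http://en.wikipedia.org/w/api.php';

// Plain serialization, roughly what jQuery.param does for a flat object.
function plainQueryArgs(params) {
  return Object.keys(params).map(function (key) {
    return encodeURIComponent(key) + '=' + encodeURIComponent(params[key]);
  }).join('&');
}

// Hardened serialization: encodeURIComponent leaves '.' untouched, so it is
// replaced explicitly. Any correct decoder turns %2E back into '.', so
// server-side code sees exactly the same values as before.
function encodeQueryArgs(params) {
  return plainQueryArgs(params).replace(/\./g, '%2E');
}

// Hypothetical stand-in for the server-side heuristic discussed in the thread:
// treat a URL ending in a dot plus a short alphanumeric run as a file extension
// (the thing an IE6 content-sniffing mitigation keys on). MediaWiki's real check
// may differ; this only models the failure mode being described.
function endsWithExtension(url) {
  return /\.[A-Za-z0-9]{1,5}$/.test(url);
}

// Minimal decoder, used to show the round trip through '%2E' is lossless.
function decodeQueryArgs(queryString) {
  var result = {};
  queryString.split('&').forEach(function (pair) {
    var eq = pair.indexOf('=');
    result[decodeURIComponent(pair.slice(0, eq))] = decodeURIComponent(pair.slice(eq + 1));
  });
  return result;
}

// Constructed sample: the file title is the last argument, so the naive URL
// legitimately ends in ".jpg" and would be rejected.
var args = { action: 'query', format: 'json', titles: 'File:Something.jpg' };

function demo() {
  var naive = API_URL + '?' + plainQueryArgs(args);
  var safe = API_URL + '?' + encodeQueryArgs(args);
  return {
    naiveRejected: endsWithExtension(naive),   // true
    safeRejected: endsWithExtension(safe),     // false
    roundTrip: decodeQueryArgs(encodeQueryArgs(args))
  };
}
```

The replace runs over the whole encoded string, so dots inside keys are rewritten as well; that is harmless because '%2E' is an ordinary percent-escape that every decoder understands, which is also why the author expects properly written consumer code never to notice the change.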
On 7/3/11 1:09 PM, Ryan Kaldari wrote:
That means that the Make Your Own feature in WikiLove and some of the features in UploadWizard are broken for almost half our users. Is there any way to deploy that fix sooner than Thursday? Alternately, could we do a live fix by changing "MSIE" to "MSIE 6" on the cluster? (I have no idea if that is totally insane or a reasonable suggestion.)
Ryan Kaldari
On 7/3/11 12:46 PM, Roan Kattouw wrote:
On Sun, Jul 3, 2011 at 9:13 PM, Ryan Kaldari <rkaldari@wikimedia.org> wrote:
No, he's using IE8 and it does send his User Agent header: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB7.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C)
Are there any other reasons why someone would be rejected from the API?
Ah yes, the IE6 detection code just looks for "MSIE" in the User-Agent header :D
This'll all be fixed when I deploy the new code for dealing with the IE6 issue. I will probably do this on Thursday.
Roan Kattouw (Catrope)
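The detection bug Roan describes above, as an added example that is not MediaWiki's code: a substring match on "MSIE" also fires for the IE8 User-Agent quoted in the thread, whereas anchoring the match to the major version (the "MSIE 6" Ryan suggests) only matches IE6. The IE8 string is the one quoted in the thread; the IE6 and Firefox strings and the function names are constructed for the example.

```javascript
// Added example, not MediaWiki's code: why matching "MSIE" alone rejected
// IE7/IE8 users, and the version-anchored check that avoids it.

// User-Agent quoted in the thread (IE8 on Windows 7).
var IE8_UA = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB7.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C)';
// Constructed sample of an IE6 User-Agent.
var IE6_UA = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)';
// Constructed non-IE sample.
var FIREFOX_UA = 'Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0';

// The check as described in the thread: any "MSIE" is treated as IE6.
function isIE6Substring(ua) {
  return ua.indexOf('MSIE') !== -1;
}

// Version-anchored check: "MSIE 6." followed by a digit, word-bounded so that
// later tokens in the string (".NET CLR 2.0", "Media Center PC 6.0") cannot match.
function isIE6(ua) {
  return /\bMSIE 6\.\d/.test(ua);
}

// Side-by-side result for one User-Agent string.
function classify(ua) {
  return { substringMatch: isIE6Substring(ua), versionMatch: isIE6(ua) };
}
```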
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l