CSteipp has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/77254


Change subject: Simplify handling of API POST requests
......................................................................

Simplify handling of API POST requests

Instead of restricting the content type and trying to parse the params
in the OAuth code, just rely on MediaWiki's parameter handling. This
seems to work better with php/curl clients that multipart-encode
everything.

The risk is that an attacker could MITM the POST call and modify the
request in a way that the user didn't intend, but when we decode it and
use the param, we don't detect the change in the signature. However,
handling should give a more accurate representation of how MediaWiki
interprets the parameters, so it is likely safer than doing the decode
ourselves.

Change-Id: Ia8bafe5defd442c76143e71f0139e28ed87c289b
---
M backend/MWOAuthRequest.php
1 file changed, 4 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth refs/changes/54/77254/1

diff --git a/backend/MWOAuthRequest.php b/backend/MWOAuthRequest.php
index f5fa6be..4bb547b 100644
--- a/backend/MWOAuthRequest.php
+++ b/backend/MWOAuthRequest.php
@@ -41,16 +41,10 @@
                // Parse the query-string to find GET parameters
                $parameters = $request->getQueryValues();
 
-               // It's a POST request of the proper content-type, so parse POST
-               // parameters and add those overriding any duplicates from GET
-               if ( $request->wasPosted()
-                       && isset( $requestHeaders['Content-Type'] )
-                       && strpos(
-                               $requestHeaders['Content-Type'],
-                               'application/x-www-form-urlencoded'
-                       ) === 0
-               ) {
-                       $postData = $request->getPostValues();
+               // Keep things simple and let MediaWiki handle param decoding, 
instead of
+               // restricting to specific content-type and parsing the 
parameters ourselves
+               if ( $request->wasPosted() ) {
+                       $postData = $request->getValues();
                        $parameters = array_merge( $parameters, $postData );
                }
 
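Review bot: in the new `if ( $request->wasPosted() )` branch, `$postData` is filled from `$request->getValues()`, which is MediaWiki's merged request data (POST plus GET), not the POST body alone, so the name `$postData` and the following `array_merge( $parameters, $postData )` against the query values both read as if only POST data were being layered on top; either rename the variable (e.g. `$requestData`) or assign `$parameters = $request->getValues()` directly in the branch, and keep a comment stating that POST values take precedence over duplicate GET keys, since the removed comment ("add those overriding any duplicates from GET") was the only place that precedence was documented. The removed block was also the only visible use of `$requestHeaders`; check whether that variable is still needed earlier in the method or can be dropped as well.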

-- 
To view, visit https://gerrit.wikimedia.org/r/77254
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia8bafe5defd442c76143e71f0139e28ed87c289b
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: master
Gerrit-Owner: CSteipp <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
