Jay R. Ashworth | 1 Apr 2006 02:56

Re: HTTP interaction with MW?

On Fri, Mar 31, 2006 at 11:54:35AM -0800, Rich Morin wrote:
> I'm looking into writing a script to (login and) edit MW page
> content, via HTTP.  Is there a sample script that anyone can
> recommend?  Alternatively, is there any documentation on how MW
> handles login sessions (eg, what cookies it sets), etc?

Have you looked at the pywikipediabot library for python?

Cheers,
-- jra
--

-- 
Jay R. Ashworth                                                jra@...
Designer                          Baylink                             RFC 2100
Ashworth & Associates        The Things I Think                        '87 e24
St Petersburg FL USA      http://baylink.pitas.com             +1 727 647 1274

     A: Because it messes up the order in which people normally read text.
     Q: Why is top-posting such a bad thing? 

     A: Top-posting.
     Q: What is the most annoying thing on Usenet and in e-mail?
Brion Vibber | 1 Apr 2006 17:01

Subversion

Since SourceForge's developer CVS has been down for a couple days solid, I've
gone ahead and set up our own source control server.

The repo is now running on Subversion, and for the moment is running on my
offsite server (along with the wikitech server work status wiki). We may later
move it onto one of Wikimedia's servers.

The repo includes all revisions and branches from the old CVS archive, and
anonymous access will be immediate unlike the delay after commits that we had on
CVS.

I've whipped up a few quick notes here:
http://www.mediawiki.org/wiki/Subversion

At the moment only myself and avar have commit access, but I can add more people
shortly once we have it better set up. Commit notifications by email and IRC are
working; the viewcvs-ish thing isn't quite working yet.

[No this is not an April Fool's joke. The surprise outage due to hardware
failure on SourceForge's CVS server has seriously cramped our ability to work
the last couple days, so I moved up the schedule a little.]

-- brion vibber (brion  <at>  pobox.com)

_______________________________________________
Wikitech-l mailing list
Wikitech-l@...
http://mail.wikipedia.org/mailman/listinfo/wikitech-l

Adam Atlas | 1 Apr 2006 18:54

Extension problem

I run a MediaWiki-based site, and I am working on writing an  
extension, of the type that adds an XML-style tag which is processed  
by a callback. On first inspection it works fine, but if a page  
includes multiple templates, each of which contains an instance of  
the extension's tag, then only the last one displays correctly, and  
all the others appear as a long string starting with UNIQ and  
followed by mostly-random-looking data (but also containing the tag's  
name in the middle).

I can only find a brief reference to this issue (or a similar- 
sounding one), at <http://meta.wikimedia.org/wiki/ 
MediaWiki_extensions_FAQ#Templates_with_extension_tags>, but I don't  
understand what the fix is. I'm running the latest versions of  
MediaWiki and PHP. What am I doing wrong?
Adam Atlas | 2 Apr 2006 18:26

Re: Extension problem

I forgot to mention that this only happens when the extension calls  
$wgOut->parse(). If I comment out those bits, the extension works  
fine, even when a page includes multiple templates invoking it.
Aerik Sylvan | 3 Apr 2006 00:41

Specialpages and overdue note

I must be completely stupid, but I can't seem to create a special page for
mediawiki 1.5.8 following any flavor of the instructions on Meta - Help!!!

On another note, I had previously been all excited about this theory that
spam would tend to be a lot of urls posted in a wiki (or across several
wikis) and that posts of individual urls would be more likely to be
legitimate.  After mangling some data (a long overdue thanks, Brion, for
the link to the captcha log data) I quickly came to the conclusion that this
theory wasn't going to be useful - plenty of spam of one or two urls, and
some multiple posts of legitimate urls.  Oh well... the captcha thing is a
great solution though.

So, if someone could steer me in the right direction on the special pages,
I'd be very grateful.

Thanks,
Aerik
Rob Church | 3 Apr 2006 01:04

Re: Specialpages and overdue note

On 02/04/06, Aerik Sylvan <aerik@...> wrote:
> I must be completely stupid, but I can't seem to create a special page for
> mediawiki 1.5.8 following any flavor of the instructions on Meta - Help!!!

Exactly what are you having trouble with? I presume you're writing an extension?

Rob Church
Nick Jenkins | 3 Apr 2006 05:31

Re: Towards arbitrary client-side JavaScript execution

> > * Why does MediaWiki ever allow unescaped ">" characters? This
> > behaviour seems to increase the chances of a JavaScript security
> > problem.
>
> It doesn't, modulo uncaught bugs.

Well, all I can tell you is that this is the behaviour that I observe.

But you don't have to take my word for it; see for yourself here:
* Unescaped ">" characters in the HTML output:
http://nickj.org/MediaWiki/Parser11
* Wiki Source: http://nickj.org/Special:Export/MediaWiki/Parser11
* Site is running MediaWiki 1.5.6: http://nickj.org/Special:Version

Note that I'm looking at the Parser purely from a black-box-testing
perspective: I give it certain input, and observe what it does. I'm
not looking at it from a source-code or design-level perspective (i.e.
what it should do). Then as a human, I automatically try to spot the
patterns in the behaviour that I observe, and from that construct a
mental model that explains what the Parser is doing. And currently
that says: the ">" character does not appear to be escaped until after
the "<" character is used.

Disclaimer: I have modified the MediaWiki source of this installation
a little, but only to add limited ACLs, and change 2 or 3 minor things
in the default page layout that I disliked. As far as I am aware,
nothing that I have changed will modify the behaviour of the Parser
(but of course, I could be wrong).

> This is thanks to the wacky multi-pass parser. As a quick hack-around:

Brion Vibber | 3 Apr 2006 09:21

Re: Towards arbitrary client-side JavaScript execution

Nick Jenkins wrote:
>>> * Why does MediaWiki ever allow unescaped ">" characters? This
>>> behaviour seems to increase the chances of a JavaScript security
>>> problem.
>> It doesn't, modulo uncaught bugs.
> 
> Well, all I can tell you is that this is the behaviour that I observe.

That's why they're called "bugs".

> Question: will this break wikis with $wgRawHtml on? (Used to embed
> arbitrary HTML.)

Arbitrary HTML, by being arbitrary, does not have attribute normalization
applied to it.

> Instead, we now have one article, and one template. For the template
> (call it "Template:OpenTag") we have:
> ------------------------------------
> {| BGCOLOR=<span style="font-weight: bold;">
> ------------------------------------
> 
> Then in the article we have:
> ------------------------------------
> {{OpenTag}}
> ------------------------------------
> 
> Which now renders as this HTML output:
> ------------------------------------
> <p>>>>>>

Nick Jenkins | 3 Apr 2006 10:53

Re: Towards arbitrary client-side JavaScript execution

> Are you keeping up to date with the code?

Probably not!

Let me see if I can repo with latest stable, 1.5.8:

# wget -q http://superb.dl.sourceforge.net/sourceforge/wikipedia/mediawiki-1.5.8.tar.gz
# tar zfx mediawiki-1.5.8.tar.gz
# mv wiki old-wiki
# mv mediawiki-1.5.8 wiki
# cp old-wiki/LocalSettings.php wiki

[[UsesOpenTag]] contains:
----------------------------
>>>>>>>
{{OpenTag}}
>>>>>>>
----------------------------

Output is:
----------------------------
<p>>>>>>>>

</p>
<table bgcolor="<span">

>>>>>>>
</table>
----------------------------


Brion Vibber | 3 Apr 2006 11:11

Re: Towards arbitrary client-side JavaScript execution

Nick Jenkins wrote:
> So I get the same behaviour with 1.5.8 - which I believe is the most
> up to date released version that I can get.

That's before the fixes checked in on head (which will go into 1.5.9 also).

> Exactly how "up to date" do you mean? If you're talking CVS-checkout
> up-to-date, then no, I'm not up to date. But neither are most people,
> I daresay. What I'm personally interested in is the behaviour of
> released available-now production-ready-here-and-now
> latest-and-greatest-stable-version software, for the simple reason
> that that's the software I know I'll use.

That'd be 1.6.0 as of tomorrow or shortly thereafter.

> However, undeterred, I checked out from CVS following the cvs checkout
> instructions on http://www.mediawiki.org/wiki/Download_from_CVS :

We're junking CVS due to longtime problems and a total outage for the last few
days; grab current code from Subversion.
http://www.mediawiki.org/wiki/Subversion

> Completely ignoring the directions, I tried to use it anyway, but got
> various errors. No big surprise, but it didn't hurt to try. So, short
> of upgrading the system I'm using, it's as up-to-date as can be.

Well, upgrading would be nice. :)

-- brion vibber (brion  <at>  pobox.com)
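
The black-box check described in this thread, as an added example that is not part of any of the original messages: it scans rendered HTML for literal `<` or `>` inside quoted attribute values and text nodes. The function and constant names are assumptions, and both sample inputs are constructed, the first modelled on the 1.5.8 output quoted above.

```python
import re
from html.parser import HTMLParser

# Constructed sample, modelled on the 1.5.8 output quoted in the thread.
RENDERED_158 = '<p>>>>>>>>\n\n</p>\n<table bgcolor="<span">\n\n>>>>>>>\n</table>\n'
# Constructed sample: the same markup with the metacharacters entity-escaped.
ESCAPED = '<p>&gt;&gt;</p>\n<table bgcolor="&lt;span">\n</table>\n'

# A quoted attribute as written in the raw tag: name="value" or name='value'.
ATTR_RE = re.compile(r"""([^\s=<>"'/]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


class MarkupAudit(HTMLParser):
    """Collect places where rendered HTML carries a raw '<' or '>' as data."""

    def __init__(self):
        # convert_charrefs=False routes &lt; / &gt; to handle_entityref, so
        # handle_data only ever sees literal angle brackets.
        super().__init__(convert_charrefs=False)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # attrs is already entity-decoded, which would hide the difference
        # between "<span" and "&lt;span"; inspect the raw tag text instead.
        raw = self.get_starttag_text()
        for name, dq, sq in ATTR_RE.findall(raw):
            value = dq or sq
            if "<" in value or ">" in value:
                self.findings.append(("attribute", tag, name.lower(), value))

    def handle_data(self, data):
        if "<" in data or ">" in data:
            self.findings.append(("text", None, None, data.strip()))


def audit(html):
    """Return a list of (kind, tag, attribute, value) findings for one page."""
    parser = MarkupAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit(RENDERED_158):
        print(finding)
```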


