Page MenuHomePhabricator
Create Task
Maniphest T427334

hCaptcha VisualEditor: hCaptcha token is reused if AbuseFilter blocks the edit
Closed, ResolvedPublicBUG REPORT
Actions

Description

Summary

The VisualEditor integration with hCaptcha submits a hCaptcha response token alongside the API request. If this API request fails because an AbuseFilter denies the edit, the next attempt to save the edit without closing the save changes dialog will cause the request to reuse the token

Steps to reproduce

  1. Open the VisualEditor editor with a user who lacks the skipcaptcha right
  2. Change the page in a way which should trigger an AbuseFilter to deny the edit
  3. Open the save changes dialog and submit the edit
  4. Press "retry" when greeted with the notice that an abusefilter has denied the edit (without closing the save changes dialog)

image.png (1,104×419 px, 64 KB)

Acceptance criteria

  • The hCaptcha response token is not used in the VisualEditor handler for more than one request, and so is regenerated for each edit attempt

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hCaptcha: Regenerate VisualEditor captcha token per save attemptmediawiki/extensions/ConfirmEditwmf/1.47.0-wmf.4+146 -2
hCaptcha: Regenerate VisualEditor captcha token per save attemptmediawiki/extensions/ConfirmEditmaster+146 -2
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Tue, May 26, 10:10 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptTue, May 26, 10:10 PM
Dreamy_Jazz moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Tue, May 26, 10:10 PM
MPostoronca-WMF claimed this task.Wed, May 27, 10:54 AM
MPostoronca-WMF moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
gerritbot added a comment.Wed, May 27, 1:25 PM

Change #1294287 had a related patch set uploaded (by Mpostoronca; author: Mpostoronca):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Regenerate VisualEditor captcha token per save attempt

https://gerrit.wikimedia.org/r/1294287

gerritbot added a project: Patch-For-Review.Wed, May 27, 1:25 PM
Dreamy_Jazz moved this task from In progress to QA in Prod on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Wed, May 27, 11:30 PM
gerritbot added a comment.Wed, May 27, 11:33 PM

Change #1294287 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Regenerate VisualEditor captcha token per save attempt

https://gerrit.wikimedia.org/r/1294287

Maintenance_bot removed a project: Patch-For-Review.Thu, May 28, 12:31 AM
gerritbot added a comment.Thu, May 28, 8:20 AM

Change #1294925 had a related patch set uploaded (by Dreamy Jazz; author: Mpostoronca):

[mediawiki/extensions/ConfirmEdit@wmf/1.47.0-wmf.4] hCaptcha: Regenerate VisualEditor captcha token per save attempt

https://gerrit.wikimedia.org/r/1294925

gerritbot added a project: Patch-For-Review.Thu, May 28, 8:20 AM
gerritbot added a comment.Thu, May 28, 8:39 AM

Change #1294925 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.47.0-wmf.4] hCaptcha: Regenerate VisualEditor captcha token per save attempt

https://gerrit.wikimedia.org/r/1294925

Stashbot added a comment.Thu, May 28, 8:40 AM

Mentioned in SAL (#wikimedia-operations) [2026-05-28T08:40:06Z] <dreamyjazz@deploy1003> Started scap sync-world: Backport for [[gerrit:rECTX1294925ea6c7|hCaptcha: Regenerate VisualEditor captcha token per save attempt (T427334)]]

Stashbot added a comment.Thu, May 28, 8:41 AM

Mentioned in SAL (#wikimedia-operations) [2026-05-28T08:41:49Z] <dreamyjazz@deploy1003> dreamyjazz: Backport for [[gerrit:rECTX1294925ea6c7|hCaptcha: Regenerate VisualEditor captcha token per save attempt (T427334)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Thu, May 28, 8:49 AM

Mentioned in SAL (#wikimedia-operations) [2026-05-28T08:49:26Z] <dreamyjazz@deploy1003> Finished scap sync-world: Backport for [[gerrit:rECTX1294925ea6c7|hCaptcha: Regenerate VisualEditor captcha token per save attempt (T427334)]] (duration: 09m 20s)

Dreamy_Jazz added a comment.EditedThu, May 28, 8:50 AM

Backported to wmf.4 so that we could potentially deploy VisualEditor hCaptcha to Group 1 this week

I tested that the bug was fixed on testwiki with this patch so I think we can resolve this

Dreamy_Jazz closed this task as Resolved.Thu, May 28, 8:51 AM
Dreamy_Jazz moved this task from QA in Prod to Done on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Maintenance_bot removed a project: Patch-For-Review.Thu, May 28, 9:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits