Bug #83329 for CMS-MediaWiki: Can't login for MW versions greater than 1.15.3 and 1.16.0beta2

As promised, a patch that gets it working with newer versions of MW and also adds a bit more debug and uses public methods, rather than private variables from HTTP::Response.

--- CMS\MediaWiki.pm.old Thu Feb 21 08:29:38 2013 +++ CMS\MediaWiki.pm Thu Feb 21 08:29:38 2013 @@ -13,7 +13,7 @@ ####################################################################### use strict; my $package = __PACKAGE__; -our $VERSION = '0.8014'; +our $VERSION = '0.8015'; use LWP::UserAgent; use HTTP::Request::Common; @@ -37,7 +37,7 @@ $self->{'protocol'} = $params{'protocol'} || 'http'; # optional $self->{'host' } = $params{'host'} || 'localhost'; $self->{'path' } = $params{'path'} || ''; - $self->{'debug' } = $params{'debug'} || 0; # 0, 1, 2 + $self->{'debug' } = $params{'debug'} || 0; # 0, 1, 2, 3 $Var{'SERVER_SIG'} = '*Unknown*'; $Var{'EDIT_TIME_BEFORE'} = '*Unknown*'; @@ -76,6 +76,20 @@ my $login_url = "$args{'protocol'}://$args{'host'}$index_path?title=Special:Userlogin&action=submitlogin"; + # (Pre-)fetch page for token... + my $pre_resp = $ua->request(GET $login_url); + my @lines = split /\n/, $pre_resp->content(); + my $login_token = ''; + foreach (@lines) { + #Debug "X $_"; + if (/wpLoginToken/) { + s/type=.?hidden.? *name="wpLoginToken" *value="(.+)"/$1/i; + $login_token = $1; + $tags{'wpLoginToken'} = $login_token; + Debug "[login] Got wpLoginToken" if $self->{'debug'}; + } + } + Debug "[login] POST $login_url\..." if $self->{'debug'}; my $resp = $ua->request( @@ -85,17 +99,18 @@ ); my $login_okay = 0; - foreach (keys %{$resp->{'_headers'}}) { - Debug "(header) $_ = " . $resp->{'_headers'}->{$_} if $self->{'debug'} > 1; + foreach ($resp->header_field_names()) { + Debug "(header) $_ = " . $resp->header($_) if $self->{'debug'} > 1; if ($_ =~ /^set-cookie$/i) { - my $arr = $resp->{'_headers'}->{$_}; - if ($arr =~ /^ARRAY(.+)$/) { + my $arr = [$resp->header($_)]; + if (ref($arr) eq 'ARRAY') { foreach (@{$arr}) { Debug "- (cookie) $_" if $self->{'debug'} > 1; # wikiUserID or wikidbUserID if ($_ =~ /UserID=\d+\;/i) { # Success! $login_okay = 1; + Debug "(cookie) Got UserID" if $self->{'debug'} > 1; } Debug "(cookie) $_" if $self->{'debug'} > 1; } @@ -105,9 +120,11 @@ } } if ($_ =~ /^server$/i) { - $Var{'SERVER_SIG'} = $resp->{'_headers'}->{$_}; + $Var{'SERVER_SIG'} = $resp->header($_); } } + + Debug "(decoded content) =\n" . $resp->decoded_content() if $self->{'debug'} > 2; return $login_okay ? 0 : 1; } @@ -133,9 +150,13 @@ Debug "Editing page '$args{'title'}' (section '$args{'section'}')..." if $self->{'debug'}; my $edit_section = length($args{'section'}) > 0 ? "\&section=$args{'section'}" : ''; + + my $edit_url = "$args{'protocol'}://$WHOST/$WPATH/index.php?title=$args{'title'}&action=edit$edit_section"; + Debug "[editPage] GET $edit_url" if $self->{'debug'}; + # (Pre-)fetch page... - my $resp = $ua->request(GET "$args{'protocol'}://$WHOST/$WPATH/index.php?title=$args{'title'}&action=edit$edit_section"); + my $resp = $ua->request(GET $edit_url); my @lines = split /\n/, $resp->content(); my $token = my $edit_time = ''; foreach (@lines) { @@ -181,12 +202,15 @@ Content => [ %tags ] ); - foreach (sort keys %{$resp->{'_headers'}}) { - Debug "(header) $_ = " . $resp->{'_headers'}->{$_} if $self->{'debug'} > 1; + foreach (sort $resp->header_field_names()) { + Debug "(header) $_ = " . $resp->header($_) if $self->{'debug'} > 1; } - my $response_location = $resp->{'_headers'}->{'location'} || ''; + my $response_location = $resp->header('Location') || ''; Debug "Response Location: $response_location" if $self->{'debug'}; Debug "Comparing with \"/$args{'title'}\"" if $self->{'debug'}; + + Debug "(decoded content) =\n" . $resp->decoded_content() if $self->{'debug'} > 2; + if ($response_location =~ /[\/=]$args{'title'}/i) { Debug "Success!" if $self->{'debug'}; return 0; @@ -230,9 +254,13 @@ Debug "Fetching page '$args{'title'}' (section '$args{'section'}')..." if $self->{'debug'}; my $edit_section = $args{'section'} ? "\&section=$args{'section'}" : ''; - my $resp = $ua->request(GET "$args{'protocol'}://$WHOST/$WPATH/index.php?title=$args{'title'}&action=edit$edit_section"); + my $edit_url = "$args{'protocol'}://$WHOST/$WPATH/index.php?title=$args{'title'}&action=edit$edit_section"; + my $resp = $ua->request(GET $edit_url); + Debug "[getPage] From " . $edit_url if $self->{'debug'}; my @lines = split /\n/, $resp->content(); + Debug "(decoded content) =\n" . $resp->decoded_content() if $self->{'debug'} > 2; + my @content = (); my $saving = 0; @@ -297,7 +325,7 @@ # protocol => 'https', # Optional, default is http host => 'localhost', # Default: localhost path => 'wiki' , # Can be empty on 3rd-level domain Wikis - debug => 0 # Optional. 0=no debug msgs, 1=some msgs, 2=more msgs + debug => 0 # Optional. 0=no debug msgs, 1=some msgs, 2=more msgs, 3=all msgs ); =head1 DESCRIPTION

On Thu Feb 21 08:36:59 2013, PJNEWMAN wrote: Show quoted text
See the attached further patch which expands the existing fix to work with 1.27.5 and probably earlier.

--- CMS/MediaWiki.pm.old 2018-10-18 12:34:16.121451863 +0100 +++ CMS/MediaWiki.pm 2018-10-18 12:25:29.923678657 +0100 @@ -70,6 +70,7 @@ $tags{'wpName' } = $args{'user'} || 'Perlbot'; $tags{'wpPassword' } = $args{'pass'} || 'barfoo'; $tags{'wpLoginattempt'} = 'Log in'; + $tags{'authAction'} = 'login'; my $index_path = "/index.php"; $index_path = "/$args{'path'}/index.php" if $args{'path'}; @@ -84,9 +85,17 @@ #Debug "X $_"; if (/wpLoginToken/) { s/type=.?hidden.? *name="wpLoginToken" *value="(.+)"/$1/i; - $login_token = $1; - $tags{'wpLoginToken'} = $login_token; - Debug "[login] Got wpLoginToken" if $self->{'debug'}; + if (defined($1) && ($1 ne "")) { + $login_token = $1; + } elsif (s/name="wpLoginToken" *type=.?hidden.? *value="(.+)"/$1/i) { + #Version 1.27 (and before?) format + #<input name="wpLoginToken" type="hidden" value="817219d00c08d04384cd9069e5467cc95bc865fe+\"/> + $login_token = $1; + } + if (defined($login_token) && ($login_token ne "")) { + $tags{'wpLoginToken'} = $login_token; + Debug "[login] Got wpLoginToken ($login_token)" if $self->{'debug'}; + } } } @@ -124,6 +133,9 @@ } } + Debug "[login] Failed due to potential session hijacking" if $self->{'debug'} && ($resp->decoded_content() =~ /precaution against session hijacking/); + Debug "[login] Failed due to invalid password (try logging in manually)" if $self->{'debug'} && ($resp->decoded_content() =~ /Your password is not valid/); + Debug "[login] Failed due to incorrect username or password" if $self->{'debug'} && ($resp->decoded_content() =~ /Incorrect username or password entered/); Debug "(decoded content) =\n" . $resp->decoded_content() if $self->{'debug'} > 2; return $login_okay ? 0 : 1;