On Tue, 20 Jul 2004 00:33:55 +0100, Timwi <timwi(a)gmx.net> wrote:
> Never assume that. Never assume any browser works in any way you want,
> and never assume malicious users might not send erroneous POST requests
> by themselves. If you make assumptions, the cases you assume are
> impossible can in some cases give rise to an exploit.
OK, fair enough - but note that a browser that ignores the HTML
'checked' attribute is unlikely to support JavaScript in any real
sense anyway. Also note that the form isn't even a POST request, just
a way of filling the <foo> and <bar> values in the
'...&diff=<foo>&oldid=<bar>' URL - whatever the form does, the actual
diff code needs to be impervious to all sorts of strange values in
there, because people can type them straight in their address bar. In
fact, it seems to do rather well - my thoroughly mixed up test
http://en.wikipedia.org/w/wiki.phtml?title=Wikipedia%3ACopyrights&diff=…
(which refers to three articles at once, in different ways) actually
has a fairly sane outcome. So, too, does just deleting one of the
values; and deleting both just leaves you looking at the current
version.
In other words, as one would hope, the arguments are validated on
processing, not on input.
--
Rowan Collins BSc
[IMSoP]
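
The point made in the message above, checking the `diff` and `oldid` values where they are processed instead of trusting the form that filled them in, as an added example that is not part of the original email and is not MediaWiki's code. The revision table, the function names and the fallback choices are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: revision id -> page title (hypothetical store).
REVISIONS = {101: "Wikipedia:Copyrights", 102: "Wikipedia:Copyrights", 205: "Main Page"}

def parse_rev_id(values, revisions):
    """Return a known revision id, or None for anything else.

    Rejects absent, empty, repeated, signed, non-ASCII, oversized and
    unknown values, so later code never sees raw request input.
    """
    if not values or len(values) != 1:
        return None
    raw = values[0]
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 10:
        return None
    rev = int(raw)
    return rev if rev in revisions else None

def resolve_view(url, revisions=REVISIONS):
    """Decide what to render for a URL typed straight into the address bar.

    Assumed fallbacks: two valid ids give a diff, one valid id gives that
    single revision, none gives the current version of the titled page.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    title = (query.get("title") or [""])[0]
    diff = parse_rev_id(query.get("diff"), revisions)
    oldid = parse_rev_id(query.get("oldid"), revisions)
    if diff is not None and oldid is not None:
        # The ids are authoritative; a mismatching title is ignored.
        return ("diff", oldid, diff)
    if diff is not None or oldid is not None:
        return ("revision", diff if diff is not None else oldid)
    return ("current", title)

if __name__ == "__main__":
    base = "/w/wiki.phtml?title=Wikipedia%3ACopyrights"
    for suffix in ("&diff=102&oldid=101", "&diff=205&oldid=101",
                   "&diff=102", "&diff=abc&oldid=-1", ""):
        print(suffix or "(no ids)", "->", resolve_view(base + suffix))
```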