0

When running my own mediawiki on localhost I run into a problem with the api endpoint for editing a page. The api works fine otherwise. For instance when querying tokens I get the following output:

$ curl "http://localhost/api.php?action=query&meta=tokens&type=createaccount|csrf|login&format=json"

{"batchcomplete":"","query":{"tokens":{"createaccounttoken":"1e5c2ce3f9e12fdab05a0e6e6352da3162644214+\\","csrftoken":"+\\","logintoken":"35ee2e6ccbbd654bcfada9cddab07f7662634214+\\"}}}

Interestingly the csrftoken has the strange value '+\\', which also seems to be appended to the logintoken.

When posting an edit action (for an existing page called Alice) with this token I get the reponse that the token is missing from the post body. But it's not missing, or is it?

$ curl -X POST "http://localhost/api.php?action=edit&title=Alice&summary=test&text=article&baserevid=0&token=+\\&format=json"

{"error":{"code":"mustpostparams","info":"The following parameter was found in the query string, but must be in the POST body: token.","*":"See http://localhost/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."}}

Then I followed this advice and added the cookie-jar option to make the curl request from the same session, but it gave the same error response. Any ideas?

By the way I used the docker.io/bitnami/mediawiki:1 docker image together with a mariadb to set up my mediawiki.

Marlo
  • 207
  • 1
  • 4
  • 12
  • 1
    The value token is actually `+\` (which gets encoded into JSON as (`"+\\"`), although `"+\\"` in bash is also `+\" so that works out. Putting a literal `+` sign into the URL (as opposed to percent-encoding) probably wouldn't, though. But as AXO points out, you can't put it into the URL anyway. – Tgr Apr 23 '22 at 07:31
  • 1
    (FWIW the value was chosen to detect HTTP and JSON encoding problems, so that faulty clients get a token error rather than mess up the text of the article.) – Tgr Apr 23 '22 at 07:32
  • Thanks @Tgr, Thanks for the information. However having tried all sorts of variations: ` +\`, +\", +` etc etc none of them worked. i also passed the data via the --data option of curl and I tried it with python requests import requests: `data = {'action':'edit', 'title':'Alice', 'summary':'test summary', 'text':'articla text', 'baserevid': 0, 'token': '+\`', 'format': 'json'} req = requests.post( url="http://localhost/api.php", data=data)` – Marlo Apr 23 '22 at 17:00
  • yes it worked. Thanks. Actually passing 'token': '+\\' as a key-value pair in the data dictionary worked. – Marlo Apr 23 '22 at 17:19
  • If you want to make this into an answer, please go ahead. – Marlo Apr 23 '22 at 17:33

1 Answers1

1

The following parameter was found in the query string, but must be in the POST body

I'm not very familiar with curl but it seems that you are sending a post request with the params in the query part. Try sending them in the post body as the error suggests:

curl --data "action=edit&title=Alice&summary=test&text=article&baserevid=0&token=+\\&format=json" http://localhost/api.php
AXO
  • 8,198
  • 6
  • 62
  • 63
  • 1
    Thanks. Actually I followed your advice partly to not use curl and to pass the data separately. It seems that there is a formatting issue with the +\\" in bash, so after using python it seemed to work. @Tgr gave the other decisive hint. – Marlo Apr 23 '22 at 17:18