MWHttpRequest should log errors
Closed, ResolvedPublic

Description

With T102566 a bunch of wikis will have InstantCommons broken, and will probably try to find out from the error logs what's wrong. MWHttpRequest does not seem to do any error logging whatsoever, though.

There are two cases that users will encounter due to T102566 and where we should provide a helpful error message:

  • MWHttpRequest refuses to follow a HTTP->HTTPS redirect
  • MWHttpRequest cannot verify the Wikimedia cert (note that while Commons has been reverted to HTTPS, upload.wikimedia.org has not, so this is happening right now)

Note that this does not affect InstantCommons which does not use MWHttpRequest directly.

Tgr created this task. Jun 19 2015, 1:49 AM
Tgr updated the task description.
Tgr raised the priority of this task from to Needs Triage.
Tgr added a subscriber: Tgr.
Restricted Application added a subscriber: Aklapper. Jun 19 2015, 1:49 AM
Tgr set Security to None.
hashar added a subscriber: hashar. Jun 19 2015, 8:15 AM

MWHttpRequest refuses to follow a HTTP->HTTPS redirect

Our Http class has followRedirects defaulting to false with the comment:

Note: this should only be used when the target URL is trusted, to avoid attacks on intranet services accessible by HTTP.

And indeed we don't set followRedirects when setting up the wikimediacommons wgForeignFileRepos.

@demon follow up by filing T105765: MWHttpRequest's redirect behavior is terrible

Change 223518 had a related patch set uploaded (by Gergő Tisza):
Log errors in Http::request()

https://gerrit.wikimedia.org/r/223518

Tgr updated the task description. Jul 13 2015, 6:34 PM

@hashar followRedirects is somewhat problematic from a security point of view as there is no way to restrict redirection to e.g. same-domain in curl once you enable redirects.

demon added a subscriber: demon.

@hashar followRedirects is somewhat problematic from a security point of view as there is no way to restrict redirection to e.g. same-domain in curl once you enable redirects.

I filed T105765 for us to improve on this.
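
The redirect concern discussed in this thread, as an added PHP sketch (PHP 7.4+) that is not MediaWiki code and not part of any comment above: curl's own redirect following stays off, each hop is checked against a host allow-list, and every failure is logged. The function names, the commons.example host and the constructed responses at the end are assumptions made for illustration.

```php
<?php
// Added example, not MediaWiki code. Function names and hosts are hypothetical.
// Returns null if the redirect may be followed, otherwise the reason to refuse it.
function redirectRefusal(string $from, string $to, array $allowedHosts): ?string {
    $dst = parse_url($to);
    $scheme = strtolower($dst['scheme'] ?? '');
    $host = strtolower($dst['host'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') { return "scheme '$scheme' not allowed"; }
    if ($scheme === 'http' && stripos($from, 'https://') === 0) { return 'HTTPS to HTTP downgrade'; }
    return in_array($host, $allowedHosts, true) ? null : "host '$host' not in allow-list";
}

// One request with curl's own redirect following off and certificate checks on.
function curlFetch(string $url): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2]);
    $body = curl_exec($ch);
    return ['error' => $body === false ? curl_error($ch) : null, 'body' => (string)$body,
        'status' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'location' => curl_getinfo($ch, CURLINFO_REDIRECT_URL) ?: null];
}

// Follows redirects hop by hop and logs every failure instead of failing silently.
function fetchWithPolicy(string $url, array $allowedHosts, ?callable $fetch = null, int $maxHops = 3): ?string {
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $r = ($fetch ?? 'curlFetch')($url);
        if ($r['error'] !== null || $r['status'] >= 400) {
            error_log("Request to $url failed: " . ($r['error'] ?? "HTTP {$r['status']}"));
            return null;
        }
        if ($r['status'] < 300 || $r['location'] === null) {
            return $r['body'];
        }
        $why = redirectRefusal($url, $r['location'], $allowedHosts);
        if ($why !== null) {
            error_log("Refusing redirect $url -> {$r['location']}: $why");
            return null;
        }
        $url = $r['location'];
    }
    error_log("Too many redirects, stopped at $url");
    return null;
}

// Constructed responses: /a is an HTTP->HTTPS hop on an allowed host, /b points at an internal address.
$hops = ['http://commons.example/a' => 'https://commons.example/a', 'http://commons.example/b' => 'http://10.0.0.5/admin'];
$fake = fn(string $u): array => ['error' => null, 'body' => "body of $u",
    'status' => isset($hops[$u]) ? 301 : 200, 'location' => $hops[$u] ?? null];
foreach (['a', 'b'] as $p) { var_dump(fetchWithPolicy("http://commons.example/$p", ['commons.example'], $fake)); }
```

Omitting the third argument makes fetchWithPolicy() use curlFetch() against the real network; the constructed $fake fetcher keeps the demonstration offline.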

Change 223518 merged by jenkins-bot:
Log errors in Http::request()

https://gerrit.wikimedia.org/r/223518

bd808 assigned this task to Tgr. Jul 29 2015, 8:36 PM
bd808 added a subscriber: bd808.
Tgr closed this task as Resolved. Aug 30 2015, 4:52 AM

Change 237533 had a related patch set uploaded (by Gergő Tisza):
Log errors in Http::request()

https://gerrit.wikimedia.org/r/237533

Change 237539 had a related patch set uploaded (by Gergő Tisza):
Log errors in Http::request()

https://gerrit.wikimedia.org/r/237539

Change 237550 had a related patch set uploaded (by Gergő Tisza):
Log errors in Http::request()

https://gerrit.wikimedia.org/r/237550

Change 237533 merged by jenkins-bot:
Log errors in Http::request()

https://gerrit.wikimedia.org/r/237533

Change 237539 merged by jenkins-bot:
Log errors in Http::request()

https://gerrit.wikimedia.org/r/237539

Change 237550 merged by jenkins-bot:
Log errors in Http::request()

https://gerrit.wikimedia.org/r/237550