MWHttpRequest should log errors
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Tgr
	Jun 19 2015, 1:49 AM

Description

With T102566 a bunch of wikis will have InstantCommons broken, and will probably try to find out from the error logs what's wrong. MWHttpRequest does not seem to do any error logging whatsoever, though.

There are two cases that users will encounter due to T102566 and where we should provide a helpful error message:

MWHttpRequest refuses to follow a HTTP->HTTPS redirect
MWHttpRequest cannot verify the Wikimedia cert (note that while Commons has been reverted to HTTPS, upload.wikimedia.org has not, so this is happening right now)

Note that this does not affect InstantCommons which does not use MWHttpRequest directly.

Details

Subject	Repo	Branch	Lines +/-
Log errors in Http::request()	mediawiki/core	REL1_25	+12 -4
Log errors in Http::request()	mediawiki/core	REL1_24	+11 -2
Log errors in Http::request()	mediawiki/core	REL1_23	+11 -2
Log errors in Http::request()	mediawiki/core	master	+12 -4

Customize query in gerrit

Related Objects

Mentioned In: rMWdf88c911a758: Log errors in Http::request()
rMW936053c5003d: Log errors in Http::request()
rMW760770bf3942: Log errors in Http::request()
rMW644463979255: Log errors in Http::request()
T105765: MWHttpRequest's redirect behavior is terrible
T102566: InstantCommons broken by switch to HTTPS
Mentioned Here: T105765: MWHttpRequest's redirect behavior is terrible
T102566: InstantCommons broken by switch to HTTPS

Event Timeline

Tgr created this task.Jun 19 2015, 1:49 AM

Tgr raised the priority of this task from to Needs Triage.

Tgr updated the task description. (Show Details)

Tgr added a project: MediaWiki-General.

Tgr subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 19 2015, 1:49 AM

Tgr edited projects, added MediaWiki-Debug-Logger; removed MediaWiki-General.Jun 19 2015, 1:50 AM

Tgr set Security to None.

Tgr mentioned this in T102566: InstantCommons broken by switch to HTTPS.Jun 19 2015, 1:53 AM

MWHttpRequest refuses to follow a HTTP->HTTPS redirect

Our Http class has followRedirects defaulting to false with the comment:

Note: this should only be used when the target URL is trusted, to avoid attacks on intranet services accessible by HTTP.

And indeed we don't set followRedirects when setting up the wikimediacommons wgForeignFileRepos.

@demon follow up by filling T105765: MWHttpRequest's redirect behavior is terrible

Change 223518 had a related patch set uploaded (by Gergő Tisza):
Log errors in Http::request()

https://gerrit.wikimedia.org/r/223518

gerritbot added a project: Patch-For-Review.Jul 8 2015, 7:45 AM

@hashar followRedirects is somewhat problematic from a security point of view as there is no way to restrict redirection to e.g. same-domain in curl once you enable redirects.

In T103043#1450233, @Tgr wrote:

@hashar followRedirects is somewhat problematic from a security point of view as there is no way to restrict redirection to e.g. same-domain in curl once you enable redirects.

I filed T105765 for us to improve on this.

Change 223518 merged by jenkins-bot:
Log errors in Http::request()

https://gerrit.wikimedia.org/r/223518

• Forrestbot added projects: MW-1.26-release, WMF-deploy-2015-08-04_(1.26wmf17).Jul 28 2015, 11:00 PM

bd808 assigned this task to Tgr.Jul 29 2015, 8:36 PM

bd808 subscribed.

bd808 mentioned this in rMW644463979255: Log errors in Http::request().Jul 30 2015, 10:14 PM

Tgr closed this task as Resolved.Aug 30 2015, 4:52 AM

Change 237533 had a related patch set uploaded (by Gergő Tisza):
Log errors in Http::request()

https://gerrit.wikimedia.org/r/237533

Change 237539 had a related patch set uploaded (by Gergő Tisza):
Log errors in Http::request()

https://gerrit.wikimedia.org/r/237539