
Upload API gives unhelpful error when an upload trips the XSS filter
Closed, ResolvedPublic

Description

When uploading https://farm9.staticflickr.com/8373/8413677741_e1cbafaa06_o_d.jpg (from https://www.flickr.com/photos/44112235@N04/8413677741), Special:Upload gives

This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information.

but the API gives

This file might be corrupt, or have the wrong extension.

(api-error-verification-error), which is not helpful, especially given that the file is probably entirely valid; it just has a risk of running afoul of the buggy MIME type sniffing logic in IE 5-7.

Event Timeline

Magnus created this task. Jul 8 2015, 7:52 PM
Magnus updated the task description.
Magnus raised the priority of this task from to Needs Triage.
Magnus added a project: Commons.
Magnus added a subscriber: Magnus.
Restricted Application added subscribers: Steinsplitter, Aklapper. Jul 8 2015, 7:52 PM
zhuyifei1999 moved this task from Incoming to Uploading on the Commons board. Jul 9 2015, 5:57 AM
Aklapper renamed this task from Odd "file corrupt" errors on Commons upload to "file corrupt" errors on Commons upload when transferring from Flickr. Jul 9 2015, 1:58 PM
Aklapper added a project: UploadWizard.
Aklapper set Security to None.
Restricted Application added a project: Multimedia. Jul 9 2015, 1:58 PM
Tgr updated the task description. Jul 9 2015, 5:09 PM
Restricted Application added a subscriber: Matanya. Jul 9 2015, 5:09 PM
Tgr added a subscriber: Tgr. Jul 9 2015, 5:13 PM

Special:Upload gives

This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information.

So I guess the error is that UW does not show the same message? What is the exact error message you get?

Magnus added a comment. Jul 9 2015, 6:53 PM

Error message is:

"This file might be corrupt, or have the wrong extension."

Magnus added a comment. Jul 9 2015, 6:54 PM

Also, are we seriously blocking JPEG uploads because there might be HTML in some EXIF field?

Tgr added a comment. Jul 9 2015, 7:51 PM

Also, are we seriously blocking JPEG uploads because there might be HTML in some EXIF field?

Yes; it's an XSS vector on IE6/7 whose content sniffing can be tripped by anything that looks remotely like HTML. (See the IEContentAnalyzer class. Tim reverse-engineered that from IE executables; pretty awesome stuff.)

Tgr added a comment. Jul 9 2015, 7:54 PM

Error message is:

"This file might be corrupt, or have the wrong extension."

That comes from the API (api-error-verification-error), so useful error information is dropped somewhere on the server side.

Tgr renamed this task from "file corrupt" errors on Commons upload when transferring from Flickr to Upload API gives unhelpful error when an upload trips the XSS filter. Jul 9 2015, 7:58 PM
Tgr updated the task description.
Anomie added a subscriber: Anomie. Jul 10 2015, 1:33 PM

The reason is already included in the 'details' element of the error response:

{
   "servedby" : "unknown",
   "code" : "verification-error",
   "error" : "This file did not pass file verification",
   "details" : [
      "uploadscripted"
   ],
   "*" : "See http://localhost/w/api.php for API usage"
}

Right now, we could adjust the API to replace or append the default English message (i.e. $this->msg( ... )->inLanguage( 'en' )->useDatabase( false )->text(), in this case "This file contains HTML or script code that may be erroneously interpreted by a web browser.") to the 'error' element. Anything more than that would be blocked by T47843.
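The following is an added example, not code from this task or from MediaWiki: a client-side helper that consumes an upload error response of the shape quoted above and surfaces the 'details' codes instead of dropping them, so a client such as UploadWizard can tell a deliberate security rejection ("uploadscripted") apart from a genuinely corrupt file. The category names and the message table are assumptions for illustration; only the "uploadscripted" code and its Special:Upload wording come from this task.

```python
import json

# Detail codes returned by upload verification, mapped to user-facing
# wording. Only "uploadscripted" and its text come from this task.
VERIFICATION_MESSAGES = {
    "uploadscripted": (
        "This file contains HTML or script code that may be "
        "erroneously interpreted by a web browser."
    ),
}

# Detail codes that mean the server rejected the file on purpose; a
# client should not describe these as "corrupt" or retry the upload.
SECURITY_REJECTIONS = {"uploadscripted"}


def explain_upload_error(response_text):
    """Turn an upload API error response into (category, code, message).

    category is "rejected" (security filter tripped), "verification"
    (other verification failure) or "other". Detail codes are always
    kept in the message so nothing useful is lost on the client side.
    Returns None when the response is not an error at all.
    """
    resp = json.loads(response_text)
    if "error" not in resp:
        return None
    code = resp.get("code", "unknown")
    generic = resp["error"]
    details = resp.get("details") or []  # older servers may omit this
    if code != "verification-error":
        return ("other", code, generic)
    for detail in details:
        if detail in SECURITY_REJECTIONS:
            return ("rejected", detail, VERIFICATION_MESSAGES.get(detail, generic))
    if details:
        return ("verification", code, generic + " (" + ", ".join(details) + ")")
    return ("verification", code, generic)


# Constructed sample: the response quoted in this task, as valid JSON.
SAMPLE = """{
   "servedby": "unknown",
   "code": "verification-error",
   "error": "This file did not pass file verification",
   "details": ["uploadscripted"],
   "*": "See http://localhost/w/api.php for API usage"
}"""

if __name__ == "__main__":
    print(explain_upload_error(SAMPLE))
```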

Change 224067 had a related patch set uploaded (by Anomie):
API: Improve upload error reporting

https://gerrit.wikimedia.org/r/224067

Anomie moved this task from Unsorted to Needs Review on the MediaWiki-API board. Jul 10 2015, 1:34 PM
Anomie claimed this task.

Change 224067 merged by jenkins-bot:
API: Improve upload error reporting

https://gerrit.wikimedia.org/r/224067

Anomie moved this task from Needs Review to Done on the MediaWiki-API board. Jul 13 2015, 2:08 PM
Tgr added a comment. Jul 16 2015, 1:03 AM

Thanks @Anomie!

UploadWizard still does not display the error message; IIRC that's T77823.

Tgr closed this task as Resolved. Jul 16 2015, 1:04 AM
Restricted Application added a subscriber: StudiesWorld. Dec 4 2015, 1:24 PM