Page MenuHomePhabricator

Upload API gives unhelpful error when an upload trips the XSS filter
Closed, ResolvedPublic

Description

When uploading https://farm9.staticflickr.com/8373/8413677741_e1cbafaa06_o_d.jpg (from https://www.flickr.com/photos/44112235@N04/8413677741), Special:Upload gives

This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information.

but the API gives

This file might be corrupt, or have the wrong extension.

(api-error-verification-error) which is not helpful, especially given that the file is probably entirely valid, it just has a risk of running afoul of the buggy MIME type sniffing logic in in IE 5-7.

Event Timeline

Magnus raised the priority of this task from to Needs Triage.
Magnus updated the task description. (Show Details)
Magnus added a project: Commons.
Magnus added a subscriber: Magnus.
Aklapper renamed this task from Odd "file corrupt" errors on Commons upload to "file corrupt" errors on Commons upload when transferring from Flickr.Jul 9 2015, 1:58 PM
Aklapper added a project: UploadWizard.
Aklapper set Security to None.

Special:Upload gives

This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information.

So I guess the error is that UW does not show the same message? What is the exact error message you get?

Error message is:

"This file might be corrupt, or have the wrong extension."

Also, are we seriously blocking JPEG uploads because there might be HTML in some EXIF field?

Also, are we seriously blocking JPEG uploads because there might be HTML in some EXIF field?

Yes; it's an XSS vector on IE6/7 whose content sniffing can be tripped by anything that looks remotely like HTML. (See the IEContentAnalyzer class. Tim reverse-engineered that from IE executables; pretty awesome stuff.)

Error message is:

"This file might be corrupt, or have the wrong extension."

That comes from the API (api-error-verification-error), so useful error information is dropped somewhere on the server side.

Tgr renamed this task from "file corrupt" errors on Commons upload when transferring from Flickr to Upload API gives unhelpful error when an upload trips the XSS filter.Jul 9 2015, 7:58 PM
Tgr updated the task description. (Show Details)

The reason is already included in the 'details' element of the error response:

{
   "servedby" : "unknown"
   "code" : "verification-error",
   "error" : "This file did not pass file verification",
   "details" : [
      "uploadscripted"
   ],
   "*" : "See http://localhost/w/api.php for API usage",
}

Right now, we could adjust the API to replace or append the default English message (i.e. $this->msg( ... )->inLanguage( 'en' )->useDatabase( false )->text(), in this case "This file contains HTML or script code that may be erroneously interpreted by a web browser.") to the 'error' element. Anything more than that would be blocked by T47843.

Change 224067 had a related patch set uploaded (by Anomie):
API: Improve upload error reporting

https://gerrit.wikimedia.org/r/224067

Change 224067 merged by jenkins-bot:
API: Improve upload error reporting

https://gerrit.wikimedia.org/r/224067

Thanks @Anomie!

UploadWizard still does not display the error message; IIRC that's T77823.