Page MenuHomePhabricator
Create Task
Maniphest T105224

Upload API gives unhelpful error when an upload trips the XSS filter
Closed, ResolvedPublic
Actions

Description

When uploading https://farm9.staticflickr.com/8373/8413677741_e1cbafaa06_o_d.jpg (from https://www.flickr.com/photos/44112235@N04/8413677741), Special:Upload gives

This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information.

but the API gives

This file might be corrupt, or have the wrong extension.

(api-error-verification-error) which is not helpful, especially given that the file is probably entirely valid, it just has a risk of running afoul of the buggy MIME type sniffing logic in in IE 5-7.

Details

SubjectRepoBranchLines +/-
API: Improve upload error reportingmediawiki/coremaster+15 -4
Customize query in gerrit

Related Objects

Event Timeline

Magnus created this task.Jul 8 2015, 7:52 PM
Magnus raised the priority of this task from to Needs Triage.
Magnus updated the task description. (Show Details)
Magnus added a project: Commons.
Magnus subscribed.
Restricted Application added subscribers: Steinsplitter, Aklapper. · View Herald TranscriptJul 8 2015, 7:52 PM
zhuyifei1999 moved this task from Incoming to Uploading on the Commons board.Jul 9 2015, 5:57 AM
Aklapper renamed this task from Odd "file corrupt" errors on Commons upload to "file corrupt" errors on Commons upload when transferring from Flickr.Jul 9 2015, 1:58 PM
Aklapper added a project: UploadWizard.
Aklapper set Security to None.
Restricted Application added a project: Multimedia. · View Herald TranscriptJul 9 2015, 1:58 PM
Tgr updated the task description. (Show Details)Jul 9 2015, 5:09 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJul 9 2015, 5:09 PM
Tgr subscribed.Jul 9 2015, 5:13 PM

Special:Upload gives

This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information.

So I guess the error is that UW does not show the same message? What is the exact error message you get?

Magnus added a comment.Jul 9 2015, 6:53 PM

Error message is:

"This file might be corrupt, or have the wrong extension."

Magnus added a comment.Jul 9 2015, 6:54 PM

Also, are we seriously blocking JPEG uploads because there might be HTML in some EXIF field?

Tgr added a comment.Jul 9 2015, 7:51 PM
In T105224#1442527, @Magnus wrote:

Also, are we seriously blocking JPEG uploads because there might be HTML in some EXIF field?

Yes; it's an XSS vector on IE6/7 whose content sniffing can be tripped by anything that looks remotely like HTML. (See the IEContentAnalyzer class. Tim reverse-engineered that from IE executables; pretty awesome stuff.)

Tgr added a comment.Jul 9 2015, 7:54 PM
In T105224#1442519, @Magnus wrote:

Error message is:

"This file might be corrupt, or have the wrong extension."

That comes from the API (api-error-verification-error), so useful error information is dropped somewhere on the server side.

Tgr added projects: MediaWiki-Action-API, MediaWiki-File-management.Jul 9 2015, 7:54 PM
Tgr renamed this task from "file corrupt" errors on Commons upload when transferring from Flickr to Upload API gives unhelpful error when an upload trips the XSS filter.Jul 9 2015, 7:58 PM
Tgr updated the task description. (Show Details)
Anomie subscribed.Jul 10 2015, 1:33 PM

The reason is already included in the 'details' element of the error response:

{
   "servedby" : "unknown"
   "code" : "verification-error",
   "error" : "This file did not pass file verification",
   "details" : [
      "uploadscripted"
   ],
   "*" : "See http://localhost/w/api.php for API usage",
}

Right now, we could adjust the API to replace or append the default English message (i.e. $this->msg( ... )->inLanguage( 'en' )->useDatabase( false )->text(), in this case "This file contains HTML or script code that may be erroneously interpreted by a web browser.") to the 'error' element. Anything more than that would be blocked by T47843.

gerritbot subscribed.Jul 10 2015, 1:34 PM

Change 224067 had a related patch set uploaded (by Anomie):
API: Improve upload error reporting

https://gerrit.wikimedia.org/r/224067

gerritbot added a project: Patch-For-Review.Jul 10 2015, 1:34 PM
Anomie claimed this task.Jul 10 2015, 1:34 PM
Anomie moved this task from Unsorted to Needs Review on the MediaWiki-Action-API board.
gerritbot added a comment.Jul 12 2015, 4:46 AM

Change 224067 merged by jenkins-bot:
API: Improve upload error reporting

https://gerrit.wikimedia.org/r/224067

Anomie mentioned this in rMW11893e476189: API: Improve upload error reporting.Jul 12 2015, 4:46 AM
Forrestbot added projects: MW-1.26-release, WMF-deploy-2015-07-14_(1.26wmf14).Jul 12 2015, 5:00 AM
Anomie moved this task from Needs Review to Done on the MediaWiki-Action-API board.Jul 13 2015, 2:08 PM
Tgr added a comment.Jul 16 2015, 1:03 AM

Thanks @Anomie!

UploadWizard still does not display the error message; IIRC that's T77823.

Tgr closed this task as Resolved.Jul 16 2015, 1:04 AM
matmarex removed projects: Patch-For-Review, UploadWizard.Dec 4 2015, 1:24 PM
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptDec 4 2015, 1:24 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits