MediaWiki:Gadget-popups.js isn't renderable
Closed, ResolvedPublic

Description

It isn't possible to access:
https://en.wikipedia.org/w/index.php?title=MediaWiki:Gadget-popups.js
it takes forever.

However:
https://en.wikipedia.org/w/index.php?title=MediaWiki:Gadget-popups.js&action=raw&ctype=text/javascript
(or edit) works properly.

Seems like syntaxhighlight is broken

eranroz created this task.Mar 10 2016, 5:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2016, 5:19 PM

@ori is investigating, but so far we know it's not related to SyntaxHighlight. The page had an unclosed <math> tag followed by a lot of code and apparently something couldn't handle it.

matmarex assigned this task to ori.Mar 10 2016, 6:49 PM
ori set Security to Software security bug.Mar 10 2016, 7:58 PM
ori added a project: Security.
ori changed the visibility from "Public (No Login Required)" to "Custom Policy".

HHVM 3.12.1 fails when a command-line argument to a process spawned using a LightProcess exceeds MAX_ARG_STRLEN, as defined in binfmts.h. MAX_ARG_STRLEN is the maximum length of strings passed to execve(). MAX_ARG_STRLEN is 131072 (or 128 kB).

We hit the limit because: (1) we parse JavaScript pages; (2) Gadget-popups.js contained a <math> tag in a comment, followed by 216 kB of JavaScript code; (3) the math extension tried to invoke texvc with that text as a command-line argument.

On HHVM 3.12.1, when using LightProcesses, this causes a crash.

Action items:

  • add a check to wfShellExec that arguments are under MAX_ARG_STRLEN
  • file a bug for HHVM indicating that it should check that arguments are < MAX_ARG_STRLEN before calling execve()
  • add a sanity check to the math extension that skips shelling out to texvc if the input is insanely large

Deployed as a security patch. We probably want to backport and release this, since the DoS vector would apply to any mediawiki instance using bash.

22:03 csteipp: deployed patch for T129506 to wmf15 & 16

dpatrick triaged this task as "High" priority.Mar 15 2016, 9:21 PM
dpatrick added a project: Vuln-DoS.

@ori, are you planning on adding the sanity check to the Extension:Math to skip shelling out to texvc? If not, I'll take care of that.

Legoktm merged a task: Restricted Task.Mar 27 2016, 9:43 PM
Legoktm added subscribers: Legoktm, Quiddity, whym, Reedy.
ori added a comment.Apr 7 2016, 6:43 PM

@ori, are you planning on adding the sanity check to the Extension:Math to skip shelling out to texvc? If not, I'll take care of that.

I'd appreciate that.

Bawolff reassigned this task from ori to dpatrick.Apr 19 2016, 2:34 PM
Bawolff added a subscriber: Bawolff.

Assigning to @dpatrick per previous comment about check in E:Math

Here are some revised patches, based on conversation with @csteipp.

The first patch revises Ori's patch above to use a constant:

This second patch uses the constant to skip shelling out to texvc:

Revised again. Moved constant definition to Defines.php and corrected some error message content:


Revised again. Moved constant definition to Defines.php and corrected some error message content:


This would make math ext depend on a specific version of mediawiki - thats probably fine, but we should check with ext maintainer to make sure (different exts seem to have different policies in regards to that sort of thing)

Its probably better to have a specific new error (input too long) then to reuse unknown error.

Physikerwelt added a comment.EditedApr 20 2016, 9:46 PM

The math extension is automatically tagged with release and wmf tags. As long as the corresponding versions of math and core work with each other that's fine.
Since the master branch depends on core, it would be nice if the core patch could be applied before the math patch. Otherwise, Jenkins might get confused.

Advertisement:
Support the new math rendering mode that does not use the shell
I would very much like to get rid of the usage of shell command at all. cf. T74240 and T78046
The new rendering mode is now on beta.
The only thing that blocks it from becoming default are performance consideration for page editing. There is a pending config change by @mobrovac
https://gerrit.wikimedia.org/r/#/c/283269/
End of advertisement

dpatrick added a comment.EditedApr 25 2016, 5:49 PM

Its probably better to have a specific new error (input too long) then to reuse unknown error.

Can we do that in a public change through gerrit? I'd like to move forward with getting the patches generated for the three other releases (and for both Mediawiki and Math).

Yeah, that sounds good

Patches for all releases:





Redeployed core patch (with define), and dependent Math patch.

18:17 csteipp: deployed revert/new patches for core & extension for T129506

csteipp closed this task as "Resolved".May 5 2016, 6:26 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:26 PM
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:26 PM

Change 333309 had a related patch set uploaded (by Chad):
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333309

Change 333310 had a related patch set uploaded (by Chad):
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333310

Change 333311 had a related patch set uploaded (by Chad):
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333311

Change 333312 had a related patch set uploaded (by Chad):
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333312

Change 333312 merged by Chad:
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333312

Change 333309 merged by jenkins-bot:
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333309

Change 333311 merged by jenkins-bot:
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333311

Change 333310 merged by jenkins-bot:
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333310